Hi,
Currently we are setting up the external-dns Kubernetes add-on to set up DNS records (for testing-farm.io) for deployed services in an automated fashion. At the moment we are only able to use credentials-based authentication using our main account, but ideally we would be able to create/associate an IAM role for a k8s service account to provide only a limited set of permissions to a specific service on the cluster.
There is a KB article on setting up this specific add-on on AWS (https://aws.amazon.com/premiumsupport/knowledge-center/eks-set-up-externaldns/), which describes this IRSA-based approach. However, we are missing several permissions there to manage policies and roles.
Is it possible to allow creation of certain IAM roles, similarly to how certain service-linked roles are allowed to be set up to lock down the permissions? Or would there be a different, preferable method of limiting the permissions given to such a service?
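To make concrete what the IRSA approach from the linked KB article locks down, here is an added example (not code from the ticket, the KB article, or the external-dns project). It builds the two IAM policy documents an IRSA role for external-dns needs and then reviews them for the two mistakes that defeat the least-privilege goal: a trust policy whose `sub` condition is missing or wildcarded (any pod in the cluster could then assume the role), and a permissions policy that allows `route53:ChangeResourceRecordSets` on every hosted zone instead of just the one for the domain being managed. The account ID, OIDC provider host, hosted zone ID, namespace and service-account name are placeholders, not values from the ticket.

```python
"""Least-privilege IRSA policies for external-dns (added example, not from the ticket).

Produces the trust policy (who may assume the role) and the permissions policy
(what the role may do in Route 53), then checks both for over-broad grants.
All identifiers below are placeholders / assumptions.
"""
import json

ACCOUNT_ID = "123456789012"                                        # placeholder
OIDC_HOST = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789"  # placeholder
HOSTED_ZONE_ID = "Z0123456789EXAMPLE"   # hypothetical zone ID for testing-farm.io
NAMESPACE = "external-dns"              # assumed namespace of the add-on
SERVICE_ACCOUNT = "external-dns"        # assumed service-account name


def build_trust_policy(account_id, oidc_host, namespace, service_account):
    """Trust policy binding the role to exactly one Kubernetes service account.

    The `sub` condition is the actual access control: without it, every pod
    that can obtain a projected token from the cluster's OIDC issuer could
    call sts:AssumeRoleWithWebIdentity on this role.  The `aud` condition
    rejects tokens that were minted for a different audience.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_host}",
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    f"{oidc_host}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                    f"{oidc_host}:aud": "sts.amazonaws.com",
                }
            },
        }],
    }


def build_external_dns_policy(hosted_zone_id):
    """Permissions policy: list everywhere, write only inside one hosted zone.

    The Route 53 List* actions only accept "*" as a resource, so they stay
    unscoped; the write action is pinned to the single zone.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["route53:ChangeResourceRecordSets"],
                "Resource": [f"arn:aws:route53:::hostedzone/{hosted_zone_id}"],
            },
            {
                "Effect": "Allow",
                "Action": ["route53:ListHostedZones", "route53:ListResourceRecordSets"],
                "Resource": ["*"],
            },
        ],
    }


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def review_permissions_policy(policy):
    """Return findings for Route 53 write actions that are not zone-scoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        writes = [a for a in actions
                  if a.lower().startswith("route53:change") or a in ("route53:*", "*")]
        if not writes:
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res.endswith("hostedzone/*"):
                findings.append(f"{', '.join(writes)} allowed on {res}")
    return findings


def review_trust_policy(policy, oidc_host):
    """Return findings for trust policies not pinned to one service account."""
    findings = []
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {})
        exact = cond.get("StringEquals", {}).get(f"{oidc_host}:sub")
        pattern = cond.get("StringLike", {}).get(f"{oidc_host}:sub")
        if exact is None and pattern is None:
            findings.append("no sub condition: any service account in the cluster may assume the role")
        elif pattern is not None and "*" in pattern:
            findings.append(f"wildcard sub condition: {pattern}")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy(ACCOUNT_ID, OIDC_HOST, NAMESPACE, SERVICE_ACCOUNT)
    perms = build_external_dns_policy(HOSTED_ZONE_ID)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("trust findings:", review_trust_policy(trust, OIDC_HOST))
    print("permission findings:", review_permissions_policy(perms))
```

The generated trust document is what `aws iam create-role --assume-role-policy-document` takes, and the permissions document is what `aws iam put-role-policy` takes; the service account then gets the `eks.amazonaws.com/role-arn` annotation described in the KB article. Note that creating the role at all still needs `iam:CreateRole` and `iam:PutRolePolicy` on the account, which is the gap the ticket raises; the usual way to delegate that safely is to grant those actions only for roles under a fixed path and require a permissions boundary on them, but that is a general AWS practice, not something the thread settles.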
Metadata Update from @zlopez: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: aws, low-gain, low-trouble, ops
[backlog_refinement] Is this still needed/desired?
I don't like the idea of dynamically creating IAM roles offhand, but we could investigate something here.
Please re-open if you still need this/something here...
Metadata Update from @kevin: - Issue close_status updated to: Insufficient data - Issue status updated to: Closed (was: Open)