#10878 AWS: EKS IRSA for Route53-hosted zones
Closed: Insufficient data a year ago by kevin. Opened 2 years ago by dasimko.

Hi,

Currently we are setting up the external-dns Kubernetes add-on to set up DNS records (for testing-farm.io) for deployed services in an automated fashion. At the moment we are only able to use credentials-based authentication using our main account, but ideally we would be able to create/associate an IAM role for a k8s service account to provide only a limited set of permissions to a specific service on the cluster.

There is a KB article on setting up the specific add-on on AWS (https://aws.amazon.com/premiumsupport/knowledge-center/eks-set-up-externaldns/), which describes this IRSA-based approach. However, there we are missing several permissions to manage policies and roles.

Is it possible to allow creation of certain IAM roles, similarly to how certain service-linked roles are allowed to be set up to lock down the permissions? Or would there be a different, more preferable method of limiting permissions given to such a service?
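
Added example, not part of the original ticket or the AWS KB article: Python that builds the two documents an IRSA role for external-dns needs (a trust policy pinned to one service account, and permissions limited to one Route53 hosted zone) and a review check an account admin could run before approving such a role. The account ID, OIDC issuer, namespace, service account name and zone ID are constructed placeholders, and `trust_policy`, `dns_policy` and `review` are hypothetical helper names.

```python
import json

def trust_policy(account_id, oidc_issuer, namespace, service_account):
    """Trust policy that only one Kubernetes service account can use."""
    issuer = oidc_issuer.split("://", 1)[-1]  # condition keys omit the scheme
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            f"{issuer}:aud": "sts.amazonaws.com"}}}]}

def dns_policy(hosted_zone_id):
    """Record changes in one hosted zone only; the list calls need '*'."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"],
         "Resource": [f"arn:aws:route53:::hostedzone/{hosted_zone_id}"]},
        {"Effect": "Allow",
         "Action": ["route53:ListHostedZones", "route53:ListResourceRecordSets"],
         "Resource": ["*"]}]}

def review(trust, perms):
    """Return findings for a requested role (expects list-valued Action/Resource)."""
    findings = []
    for st in trust["Statement"]:
        # Only an exact-match condition on the :sub claim counts as pinned.
        pinned = st.get("Condition", {}).get("StringEquals", {})
        subs = [v for k, v in pinned.items() if k.endswith(":sub")]
        if not subs or any("*" in s for s in subs):
            findings.append("trust: not pinned to one service account")
    for st in perms["Statement"]:
        writes = [a for a in st["Action"] if not a.startswith("route53:List")]
        if any(not a.startswith("route53:") for a in st["Action"]):
            findings.append("perms: non-Route53 action")
        if writes and any("*" in r for r in st["Resource"]):
            findings.append("perms: write access not limited to a zone")
    return findings

# Constructed placeholder values, not taken from the ticket.
ISSUER = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789"
TRUST = trust_policy("111122223333", ISSUER, "external-dns", "external-dns")
PERMS = dns_policy("Z0EXAMPLEZONEID")

if __name__ == "__main__":
    print(json.dumps(TRUST, indent=2))
    print(json.dumps(PERMS, indent=2))
    print(review(TRUST, PERMS) or "no findings")
```
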


Metadata Update from @zlopez:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: aws, low-gain, low-trouble, ops

2 years ago

[backlog_refinement]
Is this still needed/desired?

I don't like the idea of dynamically creating IAM roles offhand, but we could investigate something here.

Please re-open if you still need this/something here...

Metadata Update from @kevin:
- Issue close_status updated to: Insufficient data
- Issue status updated to: Closed (was: Open)

a year ago
