Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support setting role path and permissions boundary on managed IAM roles #5285

Open
robinkb opened this issue Jan 16, 2025 · 1 comment · May be fixed by #5286
Open

Support setting role path and permissions boundary on managed IAM roles #5285

robinkb opened this issue Jan 16, 2025 · 1 comment · May be fixed by #5286
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@robinkb
Copy link
Contributor

robinkb commented Jan 16, 2025
edited
Loading

/kind feature

Describe the solution you'd like

We use CAPA to create and manage the IAM roles for EKS and Fargate. We have the requirement that our roles must be created under a specific path, and with a permissions boundary attached. Setting a path and permissions boundary is a very common requirement in enterprise IAM environments. Unfortunately, this is not supported by CAPA.

Anything else you would like to add:

The call that creates the IAM role is located here:

// CreateRole will create a role from the IAMService.
func (s *IAMService) CreateRole(
	roleName string,
	key string,
	trustRelationship *iamv1.PolicyDocument,
	additionalTags infrav1.Tags,
) (*iam.Role, error) {
	tags := RoleTags(key, additionalTags)

	trustRelationshipJSON, err := converters.IAMPolicyDocumentToJSON(*trustRelationship)
	if err != nil {
		return nil, errors.Wrap(err, "error converting trust relationship to json")
	}

	input := &iam.CreateRoleInput{
		RoleName:                 aws.String(roleName),
		Tags:                     tags,
		AssumeRolePolicyDocument: aws.String(trustRelationshipJSON),
	}

	out, err := s.IAMClient.CreateRole(input)
	if err != nil {
		return nil, errors.Wrap(err, "failed to call CreateRole")
	}

	return out.Role, nil
}

The path and permissions boundary are both string values that must be added to CreateRoleInput.
Adding these fields to the Spec and passing them through the stack should be enough.

Environment:

  • Cluster-api-provider-aws version: 2.7.1
  • Kubernetes version: (use kubectl version): N/A
  • OS (e.g. from /etc/os-release): N/A
@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 16, 2025
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If CAPA/CAPI contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@robinkb robinkb linked a pull request Jan 16, 2025 that will close this issue
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.
Projects
None yet
Milestone
No milestone
2 participants
@robinkb @k8s-ci-robot