-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fine-grained access control using pod-level IAM permissions #111
Comments
Thank you for the feature request. Since we currently run the driver using systemd rather than as it's own native container, the process for adding pod-level permissions isn't as straightforward. There is a plan to potentially move to native sidecars in the future (more details in this issue) but for now we will have to investigate how and if this is possible given the current design of the driver. |
As compared to volume-level identity in #136, what are the use cases for pod level? Is it accurate to say that a pod level solution is closer to what is normal for the k8s ecosystem, and that more control by pod operators is useful? Are there any other things that are gained by this approach over #136? |
Is there any more update on this discussion? I'm interested in Pod Identity support |
Hey @phmcder, we're working on pod-level identity support, but we don't have any timelines yet. |
Hi, do you plan to support pod level identity also with secret authentication? Our S3 doesn't support IRSA. Thanks |
Hi, we're not currently planning on supporting pod level identity with k8s secrets. Please open a new issue for that request so we can gauge interest in that as a separate feature. |
We've released fine grained access using pod level IAM permissions in Mountpoint S3 CSI Driver v1.9.0, and it's available via helm and EKS addons in all regions. See the configuration docs for how to get it set up: https://github.com/awslabs/mountpoint-s3-csi-driver/blob/main/docs/CONFIGURATION.md Closing this feature request 🎉 |
/feature
Allow for accessing S3 using pod-level IAM permissions granted through IRSA or recently launched EKS pod identities. Right now, the interaction with S3 is happening through the controller, and the S3 permissions are granted to it rather than the application pod accessing data.
Is your feature request related to a problem? Please describe.
When using the mountpoint for S3 CSI driver, the IAM permissions are granted to the IAM role associated with the driver rather than the pod accessing S3; this means that we cannot do fine-grained access control where each pod is only allowed access to the buckets/objects it needs.
Describe the solution you'd like in detail
Allow for using the pod-level IAM permissions when accessing the S3 through mountpoint S3 CSI driver.
Describe alternatives you've considered
Related issues:
The text was updated successfully, but these errors were encountered: