feat: Add support for OIDC policy conditions #480
Conversation
fatmcgav
force-pushed
the
feat/oidc-trust-policy
branch
from
a9b50a0 to
bdbf18a
Compare
|
this looks like you are looking for the https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-role-for-service-accounts-eks instead - using that sub-module, is this change still warranted? I'm thinking no |
|
Hey @bryantbiggs ... So I think this change is still valid, as I'm using session tags in combination with an external OIDC provider, in this case env0. Docs are here: https://docs.env0.com/docs/oidc-with-aws#custom-claims-with-aws-session-tags-optional |
|
This PR has been automatically marked as stale because it has been open 30 days |
|
@bryantbiggs / @antonbabenko Any chance of a review on this one? 👍 |
fatmcgav
force-pushed
the
feat/oidc-trust-policy
branch
from
bdbf18a to
799ec71
Compare
|
This PR has been automatically marked as stale because it has been open 30 days |
|
ping |
|
as i understand, it also covers #426 in different way |
fatmcgav
force-pushed
the
feat/oidc-trust-policy
branch
2 times, most recently
from
e322820 to
12a82ef
Compare
|
@bryantbiggs I've updated this PR following the discussion we had on #479 (comment) |
fatmcgav
force-pushed
the
feat/oidc-trust-policy
branch
from
12a82ef to
5fd8323
Compare
fatmcgav
changed the title
|
@bryantbiggs OK, I've tweaked the PR to make it more generic. PTAL 👍 |
| "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy", | ||
| ] | ||
|
|
||
| policy_conditions = [ |
There was a problem hiding this comment.
we can add to existing example instead of creating new
|
This PR has been automatically marked as stale because it has been open 30 days |
|
Apologies, just noticed the failed pre-commit check... Have fixed that now so should be good 🤞 |
fatmcgav
force-pushed
the
feat/oidc-trust-policy
branch
from
89f658e to
ed4cd33
Compare
This commit adds support to the `iam-assumable-role-with-oidc` module for adding policy conditions constraints [1] Also add an example showing use with `aws:RequestTag` session tag match [2]. [1] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition [2] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
fatmcgav
force-pushed
the
feat/oidc-trust-policy
branch
from
ed4cd33 to
416bc64
Compare
## [5.44.0](v5.43.0...v5.44.0) (2024-08-08) ### Features * Add support for OIDC policy conditions ([#480](#480)) ([02a5b7f](02a5b7f))
|
This PR is included in version 5.44.0 🎉 |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Description
This commit adds support to the
iam-assumable-role-with-oidcmodulefor adding policy conditions constraints [1]
Also add an example showing use with
aws:RequestTagsession tag match [2].[1] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
Motivation and Context
AWS STS session tags allow for additional control when using the
AssumeRoleWithWebIdentityauthentication call.Breaking Changes
None
How Has This Been Tested?
examples/*to demonstrate and validate my change(s)examples/*projectspre-commit run -aon my pull request