Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fine-grained access control using pod-level IAM permissions #111

Closed
iamahgoub opened this issue Dec 15, 2023 · 9 comments
Closed

Fine-grained access control using pod-level IAM permissions #111

iamahgoub opened this issue Dec 15, 2023 · 9 comments
Labels
enhancement New feature or request

Comments

@iamahgoub
Copy link

iamahgoub commented Dec 15, 2023

/feature

Allow for accessing S3 using pod-level IAM permissions granted through IRSA or recently launched EKS pod identities. Right now, the interaction with S3 is happening through the controller, and the S3 permissions are granted to it rather than the application pod accessing data.

Is your feature request related to a problem? Please describe.
When using the mountpoint for S3 CSI driver, the IAM permissions are granted to the IAM role associated with the driver rather than the pod accessing S3; this means that we cannot do fine-grained access control where each pod is only allowed access to the buckets/objects it needs.

Describe the solution you'd like in detail
Allow for using the pod-level IAM permissions when accessing the S3 through mountpoint S3 CSI driver.

Describe alternatives you've considered

  1. Using S3 API directly rather than the mountpoint for S3 CSI driver
  2. Using the mountpoint for S3 CSI driver within the pod rather than having it as a separate layer running as a daemon set

Related issues:

@dlakhaws
Copy link
Contributor

dlakhaws commented Dec 18, 2023

Thank you for the feature request. Since we currently run the driver using systemd rather than as it's own native container, the process for adding pod-level permissions isn't as straightforward. There is a plan to potentially move to native sidecars in the future (more details in this issue) but for now we will have to investigate how and if this is possible given the current design of the driver.

@muddyfish
Copy link
Contributor

muddyfish commented Jul 10, 2024

As compared to volume-level identity in #136, what are the use cases for pod level?

Is it accurate to say that a pod level solution is closer to what is normal for the k8s ecosystem, and that more control by pod operators is useful?

Are there any other things that are gained by this approach over #136?

@phmcder
Copy link

phmcder commented Aug 13, 2024

Is there any more update on this discussion? I'm interested in Pod Identity support

@unexge
Copy link
Contributor

unexge commented Aug 14, 2024

Hey @phmcder, we're working on pod-level identity support, but we don't have any timelines yet.

@jan-stanek
Copy link

Hi, do you plan to support pod level identity also with secret authentication? Our S3 doesn't support IRSA.

Thanks

@muddyfish
Copy link
Contributor

Hi, we're not currently planning on supporting pod level identity with k8s secrets. Please open a new issue for that request so we can gauge interest in that as a separate feature.

@muddyfish
Copy link
Contributor

muddyfish commented Oct 4, 2024

We've released fine grained access using pod level IAM permissions in Mountpoint S3 CSI Driver v1.9.0, and it's available via helm and EKS addons in all regions. See the configuration docs for how to get it set up: https://github.com/awslabs/mountpoint-s3-csi-driver/blob/main/docs/CONFIGURATION.md

Closing this feature request 🎉

@ubarar-poolside
Copy link

Hi folks - I'm finding that since switching to v1.09.0, it always uses pod-level identity. We'd like to use driver-level identity as we had done before, but it's not clear where this can be configured.

@unexge
Copy link
Contributor

unexge commented Dec 20, 2024

Hey @ubarar-poolside, the CSI Driver would only use pod-level identity if you pass authenticationSource: pod in your volumeAttributes as stated in the documentation. You can simply omit authenticationSource or set to authenticationSource: driver if you want to use driver-level credentials - which is the default option.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

7 participants