aws-iam-authenticator
aws-iam-authenticator copied to clipboard
kubernetes-sigs
[Feature request]: Role access based on session name
What would you like to be added?
Hi, Not sure if a similar request have been made before but anyway here we go.
I would like to have the ability to allow a role based on session name. Currently, AFAIK, you can only do the following
- rolearn: arn:aws:iam:000000000:role/All_Engineers
groups:
- "SUPER_ADMIN_NS_1"
which would result in everyone that can assume that role gets the SUPER_ADMIN_NS_1 permissions and therefor access to that namespace.
What I would like to have would be something like
- rolearn: arn:aws:iam:000000000:role/NS_1_Access
allowedSessionNames:
- "[email protected]"
groups:
- "SUPER_ADMIN_NS_1"
This would provide the possibility of providing fine grained access inside an namespace.
Maybe people already have solved this in some other way and if so I would be happy to hear how :) And if not, happy to help implement it, if it comes to that.
// Martin
Why is this needed?
To use one role for eg. engineering and still be able to give fine grained access to users of that role.
Anything else we need to know?
See this doc for more info on enforcing the session name to remove user override possibilities.
@nckturner, @nnmin-aws any thoughts? not sure if you are the main person but worth a try :)
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue as fresh with
/remove-lifecycle stale - Close this issue with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue as fresh with
/remove-lifecycle rotten - Close this issue with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Reopen this issue with
/reopen - Mark this issue as fresh with
/remove-lifecycle rotten - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned".
In response to this:
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied- After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied- After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closedYou can:
- Reopen this issue with
/reopen- Mark this issue as fresh with
/remove-lifecycle rotten- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
