k8s-cloudwatch-adapter icon indicating copy to clipboard operation
k8s-cloudwatch-adapter copied to clipboard
verified publisher icon amazon-archives

When is "iam:PassRole" required?

Open rmoneys opened this issue 4 years ago • 0 comments

The documentation at https://github.com/awslabs/k8s-cloudwatch-adapter/blob/v0.10.0/docs/cross-account.md suggests that the service role needs to be able to pass the target role for cross-account metrics. However, it appears that the service role need only assume the target role.

If roleArn is present in the ExternalMetric spec the client gets credentials that assume the role by calling stscreds.NewCredentials: https://github.com/awslabs/k8s-cloudwatch-adapter/blob/2dd7711adeb15b37f59cd1a05967796bdd6cdff3/pkg/aws/client.go#L41. That function uses an AssumeRoleProvider: https://github.com/aws/aws-sdk-go/blob/de0aa785c5d4efb004061153d592f8e1641f91c4/aws/credentials/stscreds/assume_role_provider.go#L257

With v0.10.0 I've managed to scale a deployment based on metrics in a separate account with a service role policy like,

Version: "2012-10-17"
Statement:
  - Sid: AssumeTargetRole
     Effect: Allow
     Action: sts:AssumeRole
     Resource: arn:aws:iam::111111111111:role/target-role

And a target role policy with,

Version: '2012-10-17'
Statement:
  - Effect: Allow
     Principal:
       AWS: arn:aws:iam::222222222222:role/service-role
       Action: sts:AssumeRole

Should the documentation be updated to omit the "iam:PassRole" statement?

rmoneys avatar May 24 '21 19:05 rmoneys