Support for STS Interface Endpoints
What would you like to be added:
Support for STS interface endpoints in the EKS pod identity webhook, which would allow an STS endpoint to be injected into the pod's environment variable that can be used by AWS SDKs and the AWS CLI to make the sts:AssumeRoleWithWebIdentity call. Note this would also require changes to the SDKs and CLI. Requiring all users of this webhook to set private_dns to true is unreasonable.
Why is this needed: Security conscious users don't want their pods talking to the STS endpoint over the internet, since this forces their pods to have internet access. Even if their services are user facing, their pods don't need to be. Having this security posture lowers the risk of sensitive data being exfiltrated.
@micahhausler I've seen you comment on most other recent tickets, sorry to bother you. Do you have any thoughts on this request? ^
> Security conscious users don't want their pods talking to the STS endpoint over the internet, since this forces their pods to have internet access.
I can understand the requirement.
> which would allow an STS endpoint to be injected into the pod's environment variable that can be used by AWS SDKs and the AWS CLI to make the sts:AssumeRoleWithWebIdentity call.

Could you elaborate on how this would avoid making the STS call over the internet?
Have you considered setting up a VPC endpoint for STS, which was built for exactly that use case?