Skip to content
This repository has been archived by the owner on Sep 24, 2021. It is now read-only.

When is "iam:PassRole" required? #89

Open
rmoneys opened this issue May 24, 2021 · 0 comments
Open

When is "iam:PassRole" required? #89

rmoneys opened this issue May 24, 2021 · 0 comments

Comments

@rmoneys
Copy link

rmoneys commented May 24, 2021

The documentation at https://github.com/awslabs/k8s-cloudwatch-adapter/blob/v0.10.0/docs/cross-account.md suggests that the service role needs to be able to pass the target role for cross-account metrics. However, it appears that the service role need only assume the target role.

If roleArn is present in the ExternalMetric spec the client gets credentials that assume the role by calling stscreds.NewCredentials: https://github.com/awslabs/k8s-cloudwatch-adapter/blob/2dd7711adeb15b37f59cd1a05967796bdd6cdff3/pkg/aws/client.go#L41. That function uses an AssumeRoleProvider: https://github.com/aws/aws-sdk-go/blob/de0aa785c5d4efb004061153d592f8e1641f91c4/aws/credentials/stscreds/assume_role_provider.go#L257

With v0.10.0 I've managed to scale a deployment based on metrics in a separate account with a service role policy like,

Version: "2012-10-17"
Statement:
  - Sid: AssumeTargetRole
     Effect: Allow
     Action: sts:AssumeRole
     Resource: arn:aws:iam::111111111111:role/target-role

And a target role policy with,

Version: '2012-10-17'
Statement:
  - Effect: Allow
     Principal:
       AWS: arn:aws:iam::222222222222:role/service-role
       Action: sts:AssumeRole

Should the documentation be updated to omit the "iam:PassRole" statement?
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rmoneys