
AWS IAM/IRSA federated identity management for connections #50

Open
rynowak opened this issue Nov 27, 2024 · 0 comments

Comments


rynowak commented Nov 27, 2024

Overview of roadmap item

AWS IAM (and IRSA in Kubernetes) enable applications to access AWS resources without using static credentials (like passwords and access keys). This is a security best practice and many organizations will require the use of IAM for applications to connect to AWS APIs.

The downside of IAM is that it's complex to configure. Each container must have a unique identity, and that identity must be granted access to the AWS APIs it accesses in a least-privilege fashion.

Radius can simplify this for users by dynamically managing the IAM configuration based on the existing Recipes and Connections concept. Recipes already get to configure how the container accesses the AWS APIs by returning credentials and other configuration data in their outputs. This can be extended to include IAM configuration.

The workflow could look like this:

  • A platform engineer is building a new resource type and recipe for accessing S3.
  • The new recipe omits any credentials like passwords from its output.
  • The new recipe returns metadata as part of the recipe outputs indicating that:
    • IAM/IRSA is required for applications using the recipe.
    • The permissions that the application should have (see IAM Role).
    • This is done instead of returning credentials as recipe outputs.
  • Developers can build applications that use this new resource type with containers that declare a connection to it.
  • When deployed, Radius will configure an IAM/IRSA identity for each container that requires it, and configure the required permissions (based on the recipe outputs).

In this workflow, compliance with the required policy is met by using the new resource type. The recipe does not return any static credentials, and so developers must use IAM in order to access the resource.

Compliance organization-wide can be enforced by onboarding to the new resource type.

Related issues

No tasks being tracked yet.

Additional context

Note: Radius already supports IAM/IRSA for management operations performed on behalf of the user (docs). The linked feature configures how Radius authenticates with AWS, and is unrelated to the user's applications.

This roadmap item provides new features targeted at application developers and at recipe authors. It should not be confused with the existing support.
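The workflow proposed above can be illustrated end to end with a small planner, added here as an example that is not part of the issue or of the Radius code base. It takes a constructed, credential-free recipe output, refuses to proceed if anything in the output looks like a static credential, rejects wildcard grants so the resulting role stays least-privilege, and then emits the three IRSA artifacts one container needs: the role's trust policy (federated OIDC principal, `sts:AssumeRoleWithWebIdentity`, scoped to one Kubernetes service account), the permissions policy derived from the recipe metadata, and the ServiceAccount manifest carrying the `eks.amazonaws.com/role-arn` annotation. The recipe output shape (`iam.required`, `iam.permissions`), the role and service-account naming, and the sample bucket and account values are assumptions made for this example; the trust-policy structure and the annotation are the standard EKS IRSA mechanism.

```python
import json
import re

# Constructed sample of what a credential-free recipe might return.
# The "iam" block is a hypothetical shape, not the Radius recipe output schema.
SAMPLE_RECIPE_OUTPUT = {
    "values": {"bucketName": "app-assets-example"},
    "secrets": {},
    "iam": {
        "required": True,
        "permissions": [
            {"actions": ["s3:GetObject", "s3:PutObject"],
             "resources": ["arn:aws:s3:::app-assets-example/*"]},
            {"actions": ["s3:ListBucket"],
             "resources": ["arn:aws:s3:::app-assets-example"]},
        ],
    },
}

# Key names that usually carry a static credential, and the shape of an AWS access key id.
CREDENTIAL_KEY_PATTERN = re.compile(r"(password|secret|accesskey|access_key|token)", re.I)
AWS_ACCESS_KEY_ID_PATTERN = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")


def find_static_credentials(output):
    """Walk a recipe output and return the paths of anything that looks like a static credential."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if CREDENTIAL_KEY_PATTERN.search(key) and isinstance(value, str) and value:
                    findings.append(child)  # credential-looking key with a non-empty value
                else:
                    walk(value, child)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str) and AWS_ACCESS_KEY_ID_PATTERN.search(node):
            findings.append(path)  # access key id embedded in an innocuously named field

    walk(output, "")
    return findings


def validate_permissions(permissions):
    """Return the statements that would grant wildcard actions or resources (least-privilege check)."""
    offending = []
    for p in permissions:
        wildcard_action = any(a == "*" or a.endswith(":*") for a in p["actions"])
        wildcard_resource = any(r == "*" for r in p["resources"])
        if wildcard_action or wildcard_resource:
            offending.append(p)
    return offending


def build_trust_policy(account_id, oidc_provider, namespace, service_account):
    """IRSA trust policy: only the named service account, via the cluster OIDC provider, may assume the role."""
    # oidc_provider is the provider host/path without scheme, e.g. oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{oidc_provider}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def build_permissions_policy(permissions):
    """Translate recipe permission metadata into an IAM policy document, refusing wildcard grants."""
    offending = validate_permissions(permissions)
    if offending:
        raise ValueError(f"wildcard grants rejected: {offending}")
    statements = [{"Effect": "Allow", "Action": sorted(p["actions"]), "Resource": sorted(p["resources"])}
                  for p in permissions]
    return {"Version": "2012-10-17", "Statement": statements}


def service_account_manifest(namespace, name, role_arn):
    """Kubernetes ServiceAccount carrying the IRSA role annotation."""
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": name, "namespace": namespace,
                         "annotations": {"eks.amazonaws.com/role-arn": role_arn}}}


def plan_irsa(output, account_id, oidc_provider, namespace, container_name):
    """Turn a recipe output into the IRSA artifacts for one container, or None if IAM is not required."""
    creds = find_static_credentials(output)
    if creds:
        raise ValueError(f"recipe output contains static credentials at: {creds}")
    iam = output.get("iam", {})
    if not iam.get("required"):
        return None
    sa_name = f"{container_name}-sa"                   # naming scheme assumed for this example
    role_name = f"{namespace}-{container_name}-role"
    role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    return {
        "roleName": role_name,
        "trustPolicy": build_trust_policy(account_id, oidc_provider, namespace, sa_name),
        "permissionsPolicy": build_permissions_policy(iam["permissions"]),
        "serviceAccount": service_account_manifest(namespace, sa_name, role_arn),
    }


if __name__ == "__main__":
    plan = plan_irsa(SAMPLE_RECIPE_OUTPUT, "123456789012",
                     "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE", "shop", "web")
    print(json.dumps(plan, indent=2))
```

Two design points matter for the compliance argument in the issue: the credential scan runs before any IAM artifact is produced, so a recipe that still leaks a password or access key cannot be onboarded by accident, and the trust policy pins both the `sub` (one namespace and service account) and the `aud` claim, so a role created for one container cannot be assumed by another workload in the cluster.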

@zachcasper zachcasper moved this to 💡 Proposed in Radius Roadmap Dec 5, 2024
@willtsai willtsai moved this from 💡 Proposed to 📋 Accepted in Radius Roadmap Dec 5, 2024
@zachcasper zachcasper assigned zachcasper and unassigned zachcasper Dec 6, 2024