Fine-grained access control using pod-level IAM permissions

[iamahgoub]

/feature

Allow for accessing S3 using pod-level IAM permissions granted through IRSA or recently launched EKS pod identities. Right now, the interaction with S3 is happening through the controller, and the S3 permissions are granted to it rather than the application pod accessing data.

Is your feature request related to a problem? Please describe.
When using the mountpoint for S3 CSI driver, the IAM permissions are granted to the IAM role associated with the driver rather than the pod accessing S3; this means that we cannot do fine-grained access control where each pod is only allowed access to the buckets/objects it needs.

Describe the solution you'd like in detail
Allow for using the pod-level IAM permissions when accessing the S3 through mountpoint S3 CSI driver.

Describe alternatives you've considered

1. Using S3 API directly rather than the mountpoint for S3 CSI driver
2. Using the mountpoint for S3 CSI driver within the pod rather than having it as a separate layer running as a daemon set

---

Related issues:

• Is there a way to add different aws account s3 bucket to mount in single Kubernetes cluster. #197
• Support for S3 Buckets in Different Accounts? #129

[dlakhaws]

Thank you for the feature request. Since we currently run the driver using systemd rather than as it's own native container, the process for adding pod-level permissions isn't as straightforward. There is a plan to potentially move to native sidecars in the future (more details in this issue) but for now we will have to investigate how and if this is possible given the current design of the driver.

[muddyfish]

As compared to volume-level identity in #136, what are the use cases for pod level?

Is it accurate to say that a pod level solution is closer to what is normal for the k8s ecosystem, and that more control by pod operators is useful?

Are there any other things that are gained by this approach over #136?

[phmcder]

Is there any more update on this discussion? I'm interested in Pod Identity support

[unexge]

Hey @phmcder, we're working on pod-level identity support, but we don't have any timelines yet.

[jan-stanek]

Hi, do you plan to support pod level identity also with secret authentication? Our S3 doesn't support IRSA.

Thanks

[muddyfish]

Hi, we're not currently planning on supporting pod level identity with k8s secrets. Please open a new issue for that request so we can gauge interest in that as a separate feature.

[muddyfish]

We've released fine grained access using pod level IAM permissions in Mountpoint S3 CSI Driver v1.9.0, and it's available via helm and EKS addons in all regions. See the configuration docs for how to get it set up: https://github.com/awslabs/mountpoint-s3-csi-driver/blob/main/docs/CONFIGURATION.md

Closing this feature request 🎉