Cross-account bucket access using chained AssumeRole #283
Comments
|
The CSI Driver currently doesn't support using chained AssumeRole. However, we do support two other approaches described here: https://github.com/awslabs/mountpoint-s3-csi-driver/blob/main/docs/CONFIGURATION.md#cross-account-bucket-access (using cross account bucket policies, and using IRSA set up from a different account). I'll leave this open as a feature request |
|
@muddyfish does the CSI Driver support accessing an S3 bucket in another account via a VPC interface/gateway endpoint? I know this is possible via the mountpoint-s3 library itself, but didn't see any documentation on setting it up via the CSI Driver. |
|
It should do - please check the Mountpoint documentation for details. Please create a separate issue if you have problems with it, as VPC/gateway support is off topic for the OP's question. |
|
We are also interested in the role chaining feature 👍🏻 |
Is the driver currently capable for supporting cross-account bucket access using chained AssumeRole?
Ref: https://docs.aws.amazon.com/eks/latest/userguide/cross-account-access.html (Example Use chained AssumeRole operations)
I have a bucket in Account B, and pods in Account A will use a service account to first assume a (web identity) role with its own cluster's OIDC provider and then further assumes a role from Account B to access the bucket.
/triage support
The text was updated successfully, but these errors were encountered: