Cross account resource management (CARM): Add support for specifying an External ID #2175
Labels: area/carm (Issues or PRs related to CARM, Cross Account Resource Management), kind/feature (new feature)
Is your feature request related to a problem?
Yes. I am currently facing a limitation when using AWS Controllers for Kubernetes (ACK) for cross-account resource management. While ACK supports assuming cross-account roles, it does not provide a way to specify an External ID during the role assumption process. This is problematic in scenarios where an External ID is required for additional security to prevent unauthorized role assumption (e.g., the confused deputy problem). Without the ability to specify an External ID, the current setup requires insecure or non-ideal role assumption practices, particularly in multi-account AWS environments.
Describe the solution you'd like
I would like ACK to support specifying an External ID when assuming cross-account IAM roles. This could be configured as an additional parameter in the ACK controller configuration (ack-role-account-map) or via annotations in the Kubernetes Namespace associated with the account. The solution should allow users to define a unique External ID for each cross-account role assumption, ensuring that only authorized entities can assume the role in a target AWS account.
Describe alternatives you've considered
Forgoing the External ID: This option weakens security by removing an important protection mechanism when using cross-account roles, making it less desirable.
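To make the confused-deputy argument in the request concrete, the following added example (not ACK code, and not part of the original issue) models how a target account's role trust policy with a `sts:ExternalId` condition decides an `sts:AssumeRole` request, and how the `ExternalId` parameter would be passed on the STS call. The account IDs, role ARNs and the External ID value are constructed samples; the policy evaluator only models the `StringEquals` operator, which is all this condition needs.

```python
"""
Added illustration of why an External ID blocks the confused-deputy case.
Not ACK project code; policy, ARNs and IDs below are constructed samples.
"""
import json

# Constructed trust policy on a role in the target account: the controller's
# role in account 111111111111 may assume it, but only when the request
# carries the agreed External ID.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:role/ack-controller"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-1234"}},
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Principal and Action fields."""
    return [value] if isinstance(value, str) else list(value)


def _principal_matches(statement, caller_arn):
    allowed = _as_list(statement.get("Principal", {}).get("AWS", []))
    return "*" in allowed or caller_arn in allowed


def _conditions_hold(statement, request_context):
    """StringEquals on a key that is absent from the request evaluates to false,
    which is exactly what denies a caller that does not know the External ID."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled here")
        for key, expected in pairs.items():
            if request_context.get(key) != expected:
                return False
    return True


def evaluate_assume_role(trust_policy, caller_arn, external_id=None):
    """Return 'Allow' or 'Deny' for an AssumeRole request against the trust policy.
    Default is implicit deny; an explicit Deny statement overrides any Allow."""
    request_context = {}
    if external_id is not None:
        request_context["sts:ExternalId"] = external_id
    decision = "Deny"
    for statement in trust_policy["Statement"]:
        if "sts:AssumeRole" not in _as_list(statement.get("Action", [])):
            continue
        if not _principal_matches(statement, caller_arn):
            continue
        if not _conditions_hold(statement, request_context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def build_assume_role_params(role_arn, session_name, external_id=None):
    """Parameters an STS AssumeRole call would carry; ExternalId is the field
    the feature request asks ACK to populate per target account."""
    params = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if external_id is not None:
        params["ExternalId"] = external_id
    return params


def demo():
    controller = "arn:aws:iam::111111111111:role/ack-controller"
    other = "arn:aws:iam::999999999999:role/some-other-tenant"
    return {
        # The legitimate controller supplying the agreed ID is allowed.
        "controller_with_id": evaluate_assume_role(TRUST_POLICY, controller, "example-external-id-1234"),
        # The same controller without the ID (today's ACK behaviour) is denied.
        "controller_without_id": evaluate_assume_role(TRUST_POLICY, controller),
        # A guessed or stale ID is denied.
        "controller_wrong_id": evaluate_assume_role(TRUST_POLICY, controller, "wrong-id"),
        # Another principal is denied even if it somehow learned the ID.
        "other_principal_with_id": evaluate_assume_role(TRUST_POLICY, other, "example-external-id-1234"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:26s} -> {decision}")
    print(json.dumps(build_assume_role_params(
        "arn:aws:iam::222222222222:role/ack-target-role", "ack-session",
        "example-external-id-1234"), indent=2))
```

The `controller_without_id` case is the one the issue describes: once a target account adds the `sts:ExternalId` condition to its trust policy, a controller that cannot pass `ExternalId` on the STS call is denied, so the account owner is forced to either drop the condition or keep the role unusable from ACK.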