
Support for Creating AWS Service Linked Roles #2337

Open
dimapoperechnyy opened this issue Feb 19, 2025 · 2 comments
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/enhancement Categorizes issue or PR as related to existing feature enhancements. service/iam Indicates issues or PRs that are related to iam-controller.

Comments

@dimapoperechnyy

Currently, when attempting to create an IAM Role with the AWSServiceRoleFor* prefix using the ack-iam-controller, AWS returns the following error:

InvalidInput: Role name prefix AWSServiceRoleFor can only be used for AWS Service Linked Roles

This happens because AWS restricts the creation of Service Linked Roles (SLRs) to AWS services themselves. However, for Kubernetes workloads that require service-linked roles (e.g., EC2 Spot Instances, RDS, Lambda, etc.), it would be beneficial if ack-iam-controller could either:

  • Request the creation of an AWS Service Linked Role, similar to how AWS services do this automatically when needed.
  • Allow referencing an existing Service Linked Role when defining IAM roles in Kubernetes CRDs.

Without this support, users must manually create SLRs through the AWS CLI or AWS Management Console, breaking the declarative nature of Kubernetes + ACK IAM.

Steps to Reproduce:

apiVersion: iam.services.k8s.aws/v1alpha1
kind: Role
metadata:
  name: awsserviceroleforec2spot
  namespace: default
spec:
  name: AWSServiceRoleForEC2Spot
  assumeRolePolicyDocument: |
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "spot.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
  description: "Default EC2 Spot Service Linked Role"
  policies: 
    - "AWSEC2SpotServiceRolePolicy"

This results in:

InvalidInput: Role name prefix AWSServiceRoleFor can only be used for AWS Service Linked Roles

Expected Behavior:

Either ack-iam-controller should be able to trigger AWS Service Linked Role creation automatically and/or allow referencing existing Service Linked Roles as IAM roles in Kubernetes.

Workarounds & Current Issues:

Currently, we must manually create the SLRs using the AWS CLI:

aws iam create-service-linked-role --aws-service-name spot.amazonaws.com

This is not ideal because:

  • It breaks automation and GitOps principles.
  • It requires manual intervention, making Kubernetes management more complex.

Request for Enhancement:

Would it be possible for ack-iam-controller to support automatic creation or referencing of AWS Service Linked Roles? This would make it much easier to manage AWS-integrated workloads in Kubernetes.
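The post above describes the failure mode: the controller issues a CreateRole call for a name carrying the reserved AWSServiceRoleFor prefix, while the workaround uses CreateServiceLinkedRole with only a service principal. The following Go snippet is an added illustration of the controller-side decision a fix would need to make; it is not code from ack-iam-controller and does not use the AWS SDK. The RoleSpec and APIPlan types, and the PlanCreate/ServicePrincipal helpers, are hypothetical names chosen for this example. It parses the trust policy from the issue (embedded as a constructed constant), extracts the single service principal, and routes the request to the right API, rejecting specs that cannot map to a service-linked role.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// slrPrefix is the role-name prefix IAM reserves for service-linked roles.
const slrPrefix = "AWSServiceRoleFor"

// issueTrustPolicy is the trust policy from the issue, embedded here as constructed sample input.
const issueTrustPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow",` +
	`"Principal":{"Service":"spot.amazonaws.com"},"Action":"sts:AssumeRole"}]}`

// RoleSpec is a hypothetical, reduced view of the fields from the Role CR used here
// (not the controller's generated type).
type RoleSpec struct {
	Name                     string
	Description              string
	AssumeRolePolicyDocument string
}

// APIPlan names the IAM API to call. AWSServiceName and Description are only set for
// CreateServiceLinkedRole, whose real input takes exactly those parameters.
type APIPlan struct {
	API            string // "CreateRole" or "CreateServiceLinkedRole"
	AWSServiceName string
	Description    string
}

// trustPolicy is the subset of an IAM trust policy needed here. Principal.Service is kept
// raw because IAM accepts either a single string or a list of strings.
type trustPolicy struct {
	Statement []struct {
		Effect    string
		Principal struct {
			Service json.RawMessage
		}
	}
}

// IsServiceLinkedRole reports whether the requested name uses the reserved prefix.
func IsServiceLinkedRole(spec RoleSpec) bool {
	return strings.HasPrefix(spec.Name, slrPrefix)
}

// ServicePrincipal returns the single service principal allowed to assume the role.
// A service-linked role is tied to exactly one service, so anything else is an error.
func ServicePrincipal(doc string) (string, error) {
	var tp trustPolicy
	if err := json.Unmarshal([]byte(doc), &tp); err != nil {
		return "", fmt.Errorf("parse trust policy: %w", err)
	}
	var services []string
	for _, st := range tp.Statement {
		if st.Effect != "Allow" || len(st.Principal.Service) == 0 {
			continue
		}
		var one string
		if err := json.Unmarshal(st.Principal.Service, &one); err == nil {
			services = append(services, one)
			continue
		}
		var many []string
		if err := json.Unmarshal(st.Principal.Service, &many); err != nil {
			return "", fmt.Errorf("unexpected Principal.Service value %s", st.Principal.Service)
		}
		services = append(services, many...)
	}
	if len(services) != 1 {
		return "", fmt.Errorf("service-linked role needs exactly one service principal, got %d", len(services))
	}
	return services[0], nil
}

// PlanCreate decides which IAM API the spec maps to. Reserved-prefix names must go to
// CreateServiceLinkedRole, which is what IAM's InvalidInput error in the issue is saying.
func PlanCreate(spec RoleSpec) (APIPlan, error) {
	if !IsServiceLinkedRole(spec) {
		return APIPlan{API: "CreateRole"}, nil
	}
	svc, err := ServicePrincipal(spec.AssumeRolePolicyDocument)
	if err != nil {
		return APIPlan{}, fmt.Errorf("%s: %w", spec.Name, err)
	}
	return APIPlan{API: "CreateServiceLinkedRole", AWSServiceName: svc, Description: spec.Description}, nil
}

func main() {
	spec := RoleSpec{
		Name:                     "AWSServiceRoleForEC2Spot",
		Description:              "Default EC2 Spot Service Linked Role",
		AssumeRolePolicyDocument: issueTrustPolicy,
	}
	plan, err := PlanCreate(spec)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("call %s with AWSServiceName=%q\n", plan.API, plan.AWSServiceName)
}
```

Note that the IAM policies listed under spec.policies in the issue have no counterpart in CreateServiceLinkedRole: the service attaches its own managed policy, so a controller taking this path would also have to reject or ignore user-supplied policies rather than attempt to attach them.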

@michaelhtm
Member

michaelhtm commented Feb 20, 2025

hey @dimapoperechnyy, it seems like you're calling a different create API than the one we use for the Role.
The serviceLinkedRole is currently ignored and just needs to be generated.
what do you think @a-hilaly @rushmash91
if you would like to give a stab at it feel free to drop questions in the thread.
/good-first-issue
/help-wanted


ack-prow bot commented Feb 20, 2025

@michaelhtm:
This request has been marked as suitable for new contributors.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-good-first-issue command.

In response to this:

hey @dimapoperechnyy, it seems like you're calling a different create API than the one we use for the Role.
The serviceLinkedRole is currently ignored and just needs to be generated. if you would like to give a stab at it feel free to drop questions in the thread
/good-first-issue
/help-wanted

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@ack-prow ack-prow bot added good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. labels Feb 20, 2025
@michaelhtm michaelhtm added kind/enhancement Categorizes issue or PR as related to existing feature enhancements. service/iam Indicates issues or PRs that are related to iam-controller. labels Feb 20, 2025