How does this avoid the OIDC creation when the cluster is created? Or is this currently limited by the account limit on OIDC providers (100 by default)?
Hello there! From what I could find, an OIDC provider is a prerequisite to use Amazon EBS with an EKS cluster & does have the account limit you mentioned: go.aws/3SlAoil & go.aws/3Um0Av1. If needed, I suggest engaging with our community of developers on re:Post for further clarification: go.aws/aws-repost. 📮 ^RN
I feel like the tag conditions are not ideal; for example, if someone just changes those values in the ConfigMap of the deployment, it can get permissions to other things. And what prevents that?
Hi there! Thank you for the feedback provided. I've shared your feedback internally for further review. You're also welcome to post your question on our re:Post community of experts for additional assistance, here: go.aws/aws-repost. ^RZ
Thanks for your patience! Keys of a Pod Identity's IAM Role session tags aren't configurable by the pod creator and the values are limited to metadata of the workload such as cluster name, namespace name, and pod name among others. Modifying a ConfigMap has no impact on the session tags added to an IAM role session. You can find a full list of these session tags, here: go.aws/42DsYKW. If you'd like to discuss this further, you're welcome to reach out via one of the options mentioned here: go.aws/tech-support. ^ES
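As an added illustration of the reply above (not from the video or the comments), here is an IAM permissions policy for a Pod Identity role that only grants access to secrets tagged for the same cluster and namespace the pod actually runs in. The condition keys `eks-cluster-name` and `kubernetes-namespace` are the documented Pod Identity session-tag keys; the secret's resource tags and the `us-east-1`/`123456789012` values are constructed placeholders, and the role's trust policy is assumed to already allow `sts:AssumeRole` and `sts:TagSession` for `pods.eks.amazonaws.com`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSecretsOwnedByThisNamespace",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/eks-cluster-name": "${aws:PrincipalTag/eks-cluster-name}",
          "aws:ResourceTag/kubernetes-namespace": "${aws:PrincipalTag/kubernetes-namespace}"
        }
      }
    }
  ]
}
```

Because `aws:PrincipalTag/...` is populated by the EKS Pod Identity agent from the pod's actual cluster and namespace at session creation, nothing a workload writes into a ConfigMap or environment variable changes which secrets this statement matches; to give a namespace access to a secret, an administrator tags the secret itself.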
really excited
the demos are too fast for someone to pay attention