Support AWS IAM Role Chaining #1854
Description
Describe the solution you'd like
Support role chaining for AWS IAM roles.
What is the added value?
Allows a chain of one or more intermediate roles to be assumed before assuming the target role. This allows users that previously relied on this feature (external-secrets/kubernetes-external-secrets#454) to continue to use that method.
Give us examples of the outcome
Following a slack discussion it was suggested that rather than implementing a single intermediate role to assume, it would be more flexible to be able to specify a list of additional roles that would be assumed in order. Suggested spec for the aws provider with an additionalRoles field added:
```yaml
spec:
  provider:
    aws:
      service: SecretsManager
      role: iam-role
      intermediateRole: [intermediate-iam-role-1, intermediate-iam-role-2]
      region: eu-central-1
```
With the above configuration, a chained role assumption would be performed from the base credentials (IRSA or access key + secret key) -> intermediate-iam-role-1 -> intermediate-iam-role-2 -> iam-role, instead of assuming iam-role directly from the base credentials.
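The hop-by-hop sequence described above, as an added illustration that is not external-secrets code: `ChainRoles` walks the intermediate roles in order, authenticating each `AssumeRole` call with the credentials returned by the previous hop, and finally assumes the target role. The `AssumeRoleFunc` type and `fakeAssume` are assumptions introduced here so the example runs offline; a real implementation would back `AssumeRoleFunc` with an STS `AssumeRole` call.

```go
package main

import (
	"errors"
	"fmt"
)

// Credentials is the minimal credential set an AssumeRole call returns.
type Credentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
}

// AssumeRoleFunc models sts:AssumeRole: the caller's credentials are used to
// obtain temporary credentials for roleARN. (Hypothetical abstraction.)
type AssumeRoleFunc func(caller Credentials, roleARN string) (Credentials, error)

// ChainRoles assumes every intermediate role in order, each hop signed with
// the previous hop's credentials, then the target role. The returned slice
// lists the ARNs actually assumed, which is what you want in an audit log.
func ChainRoles(assume AssumeRoleFunc, base Credentials, intermediates []string, target string) (Credentials, []string, error) {
	if target == "" {
		return Credentials{}, nil, errors.New("target role must not be empty")
	}
	hops := append(append([]string{}, intermediates...), target)
	current, assumed := base, make([]string, 0, len(hops))
	for i, role := range hops {
		if role == "" {
			return Credentials{}, assumed, fmt.Errorf("hop %d: empty role ARN", i)
		}
		next, err := assume(current, role)
		if err != nil {
			return Credentials{}, assumed, fmt.Errorf("hop %d (%s): %w", i, role, err)
		}
		current, assumed = next, append(assumed, role)
	}
	return current, assumed, nil
}

// fakeAssume stands in for STS so the example runs offline: it rejects a
// caller without a key and mints constructed, deterministic credentials
// whose session token records which key signed the request.
func fakeAssume(caller Credentials, roleARN string) (Credentials, error) {
	if caller.AccessKeyID == "" {
		return Credentials{}, errors.New("caller has no credentials")
	}
	return Credentials{"AKIA-" + roleARN, "secret-" + roleARN, "from:" + caller.AccessKeyID}, nil
}

func main() {
	base := Credentials{AccessKeyID: "base-key", SecretAccessKey: "base-secret"} // constructed
	creds, hops, err := ChainRoles(fakeAssume, base, []string{"intermediate-iam-role-1", "intermediate-iam-role-2"}, "iam-role")
	fmt.Println(hops, creds.SessionToken, err)
}
```

One caveat for operators: AWS caps a role-chained session at one hour regardless of the role's configured maximum, so a controller that chains roles must refresh credentials more often than it would for a single direct assumption.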