Update AWS SDK to enable support for AWS EKS Pod Identities #27850

Open
@mgriffin13

Description

Is your feature request related to a problem? Please describe.
I'm running my Vault cluster within an AWS EKS cluster and must create an IAM user with the proper permissions and then provide Vault with a static ACCESS_KEY/ACCESS_SECRET_KEY in order to enable many of the Vault AWS features like AWS Auth, Secrets Sync, and AWS Secrets Engine.

Describe the solution you'd like
AWS provides the EKS Pod Identity capability whereby I can specify a K8s service account that is allowed to assume a role within AWS, and thus I no longer need to provide static credentials to my Vault installation. This capability is native and transparent to the application, as long as the application is using a version of the AWS SDK that's newer than November 2023. This feature request is to simply update the AWS SDK that Vault uses, which would enable the use of EKS Pod Identities.

Describe alternatives you've considered
I have briefly looked at AWS IRSA, which would also potentially work to enable EKS pods to assume an AWS role, although the configuration is cumbersome and EKS Pod Identities is much cleaner.

Explain any additional use-cases
This type of feature should be in line with the goals of Vault to easily enable dynamic credentials.

Additional context
https://aws.amazon.com/about-aws/whats-new/2023/11/amazon-eks-pod-identity/
https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html
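
Which of the three credential sources named in this issue (static keys, IRSA, EKS Pod Identity) a pod would end up using can be checked from its environment. The Go code below is an added example, not code from the issue or from Vault; `Classify`, `Finding` and `agentHosts` are hypothetical names. It assumes the environment variables injected by the Pod Identity Agent and the IRSA webhook, and that static keys in the environment take precedence in the SDK's default credential chain.

```go
package main

import (
	"fmt"
	"net/url"
)

// Finding reports the credential source an AWS SDK would be expected to use.
type Finding struct {
	Source   string // "static-keys", "irsa", "pod-identity" or "none"
	Warnings []string
}

// Link-local addresses of the EKS Pod Identity Agent credential endpoint.
var agentHosts = map[string]bool{"169.254.170.23": true, "fd00:ec2::23": true}

// Classify inspects a pod environment, passed as a map so it can be tested.
// Assumed precedence: static keys, then web identity (IRSA), then container
// credentials (Pod Identity).
func Classify(env map[string]string) Finding {
	f := Finding{Source: "none"}
	static := env["AWS_ACCESS_KEY_ID"] != "" && env["AWS_SECRET_ACCESS_KEY"] != ""
	irsa := env["AWS_ROLE_ARN"] != "" && env["AWS_WEB_IDENTITY_TOKEN_FILE"] != ""
	uri := env["AWS_CONTAINER_CREDENTIALS_FULL_URI"]
	podID := uri != "" && env["AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"] != ""
	if podID {
		if u, err := url.Parse(uri); err != nil || !agentHosts[u.Hostname()] {
			f.Warnings = append(f.Warnings, "credentials URI is not the Pod Identity Agent")
		}
	}
	switch {
	case static:
		f.Source = "static-keys"
		if podID || irsa {
			f.Warnings = append(f.Warnings, "static keys shadow role-based credentials")
		}
	case irsa:
		f.Source = "irsa"
	case podID:
		f.Source = "pod-identity"
	}
	return f
}

func main() {
	// Constructed sample: static keys left in place next to Pod Identity.
	fmt.Printf("%+v\n", Classify(map[string]string{
		"AWS_ACCESS_KEY_ID": "AKIAEXAMPLE", "AWS_SECRET_ACCESS_KEY": "constructed",
		"AWS_CONTAINER_CREDENTIALS_FULL_URI":     "http://169.254.170.23/v1/credentials",
		"AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE": "/var/run/secrets/token", // constructed path
	}))
}
```

A "static-keys" result with a shadowing warning means the long-lived keys are still in the pod's environment and would be picked up ahead of the role-based credentials.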
