
Support for Creating AWS Service Linked Roles #2337

@dimapoperechnyy

Description

Currently, when attempting to create an IAM Role with the AWSServiceRoleFor* prefix using the ack-iam-controller, AWS returns the following error:

InvalidInput: Role name prefix AWSServiceRoleFor can only be used for AWS Service Linked Roles

This happens because AWS restricts the creation of Service Linked Roles (SLRs) to AWS services themselves. However, for Kubernetes workloads that require service-linked roles (e.g., EC2 Spot Instances, RDS, Lambda, etc.), it would be beneficial if ack-iam-controller could either:

  • Request the creation of an AWS Service Linked Role, similar to how AWS services do this automatically when needed.
  • Allow referencing an existing Service Linked Role when defining IAM roles in Kubernetes CRDs.

Without this support, users must manually create SLRs through the AWS CLI or AWS Management Console, breaking the declarative nature of Kubernetes + ACK IAM.

Steps to Reproduce:

apiVersion: iam.services.k8s.aws/v1alpha1
kind: Role
metadata:
  name: awsserviceroleforec2spot
  namespace: default
spec:
  name: AWSServiceRoleForEC2Spot
  assumeRolePolicyDocument: |
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "spot.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
  description: "Default EC2 Spot Service Linked Role"
  policies: 
    - "AWSEC2SpotServiceRolePolicy"

This results in:

InvalidInput: Role name prefix AWSServiceRoleFor can only be used for AWS Service Linked Roles

Expected Behavior:

Either ack-iam-controller should be able to trigger AWS Service Linked Role creation automatically and/or allow referencing existing Service Linked Roles as IAM roles in Kubernetes.

Workarounds & Current Issues:

Currently, we must manually create the SLRs using the AWS CLI:

aws iam create-service-linked-role --aws-service-name spot.amazonaws.com

This is not ideal because:

  • It breaks automation and GitOps principles.
  • It requires manual intervention, making Kubernetes management more complex.

Request for Enhancement:

Would it be possible for ack-iam-controller to support automatic creation or referencing of AWS Service Linked Roles? This would make it much easier to manage AWS-integrated workloads in Kubernetes.
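As an added example (not part of this issue or of the ack-iam-controller project), a pre-apply check that flags a Role manifest whose `spec.name` carries the reserved prefix from the error above and derives, from its trust policy, the service principal the SLR has to be created for out of band. The manifest dict is constructed here to mirror the one in the report; the result keys are this example's own naming.

```python
import json
from typing import Dict, List

# AWS rejects CreateRole for this reserved prefix; such roles exist only
# through CreateServiceLinkedRole (the InvalidInput error quoted above).
SLR_PREFIX = "AWSServiceRoleFor"

# Constructed sample: the spec of the Role manifest from the report, as a dict.
SPOT_SPEC: Dict = {
    "name": "AWSServiceRoleForEC2Spot",
    "assumeRolePolicyDocument": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "spot.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    }),
}

def service_principals(policy_document: str) -> List[str]:
    """Service principals that an Allow statement lets call sts:AssumeRole."""
    found: List[str] = []
    for stmt in json.loads(policy_document).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        found.extend([services] if isinstance(services, str) else services)
    return found

def check_role_spec(spec: Dict) -> Dict:
    """Classify an ACK Role spec before applying it (result keys are this
    example's own naming): 'ok' means CreateRole can succeed; 'service-linked'
    means the reserved prefix guarantees the InvalidInput error, and the role
    must instead be created for each listed service principal out of band."""
    name = spec.get("name", "")
    if not name.startswith(SLR_PREFIX):
        return {"status": "ok", "name": name}
    services = service_principals(spec.get("assumeRolePolicyDocument", "{}"))
    return {
        "status": "service-linked",
        "name": name,
        "services": services,
        "create_with": [f"aws iam create-service-linked-role "
                        f"--aws-service-name {s}" for s in services],
    }
```

Running the check in CI or a pre-commit hook surfaces the reserved-prefix manifest before the controller reconciles it, instead of after the AWS API rejects it.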

Labels: good first issue, help wanted, kind/enhancement, service/iam