awslabs/mountpoint-s3

Support S3 Access Grants


/feature

Is your feature request related to a problem? Please describe.
I want to mount buckets that I do not have direct access to. My organisation uses S3 Access Grants to control access to buckets, including cross-account. Right now, I can only specify the role on a driver or pod level which will have permissions to get an access grant, but there is no way to retrieve the token and use it for subsequent S3 calls.

Describe the solution you'd like in detail
Perhaps this request is something that should be supported in mountpoint itself rather than the CSI driver, but I imagine adding a flag such as --use-access-grant could help. This would enable a new subroutine of using the current credentials to call the access grant endpoint and then using the returned STS token for actual mountpoint operations.

Describe alternatives you've considered
I am not sure how else to do this other than asking the team who manages the access grants for a back door.
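
The flow requested above, sketched by hand as an added example (not part of the issue and not Mountpoint or CSI driver code): take a response shaped like the S3 Access Grants GetDataAccess result, check that the requested mount stays inside the matched grant and that the temporary credentials are still usable, then build the environment and command line for `mount-s3`. The function name `plan_mount`, the sample response, the bucket, prefix and mount directory are all constructed for illustration, and the grant target format `s3://bucket/prefix*` is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a GetDataAccess response (values are fake).
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "example-secret",
        "SessionToken": "example-session-token",
        "Expiration": datetime(2030, 1, 1, 12, 0, tzinfo=timezone.utc),
    },
    "MatchedGrantTarget": "s3://example-bucket/team-a/*",
}


def plan_mount(response, bucket, prefix, mount_dir, now,
               min_remaining=timedelta(minutes=5)):
    """Return (env, argv, remaining) for mount-s3, or raise ValueError
    when the grant does not cover the requested mount."""
    target = response["MatchedGrantTarget"]
    if not target.startswith("s3://"):
        raise ValueError(f"unexpected grant target: {target!r}")
    granted_bucket, _, granted_key = target[len("s3://"):].partition("/")
    granted_prefix = granted_key.rstrip("*")  # assumed: scope ends in a wildcard
    if granted_bucket != bucket:
        raise ValueError("grant is for a different bucket")
    # Mountpoint's --prefix must end in "/"; the mount must stay inside the grant.
    if prefix and not prefix.endswith("/"):
        raise ValueError("prefix must end with '/'")
    if not prefix.startswith(granted_prefix):
        raise ValueError("requested prefix is outside the granted scope")

    creds = response["Credentials"]
    remaining = creds["Expiration"] - now
    if remaining < min_remaining:
        raise ValueError("credentials expire too soon to start a mount")

    # Standard AWS credential variables, picked up by the default credential chain.
    env = {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }
    argv = ["mount-s3", bucket, mount_dir]
    if prefix:
        argv += ["--prefix", prefix]
    return env, argv, remaining
```

Credentials passed through environment variables are static, so a mount started this way stops being authorised once `Expiration` passes and has to be remounted with a fresh grant.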