gardener/machine-controller-manager

Allow secretRef to be an optional field

shin-nien opened this issue · 1 comment

How to categorize this issue?

/area security
/kind enhancement
/priority 3

What would you like to be added:
The ability to not use secretRef and pass credentials to the AWS SDK via environment variables instead.

I believe that by making this field optional, the AWS SDK will fall back to looking for environment variables where we'd be able to set AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN etc.

Why is this needed:
An organisation's security policy may not allow the use of static AWS credentials for various reasons. An alternative to static credentials is to use short-lived tokens issued by STS. EKS does this using an OIDC provider and mutating webhook.
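The selection logic a controller would need once `secretRef` becomes optional, as an added example that is not part of the issue or of machine-controller-manager's code: if `secretRef` is present, static credentials from that Secret win; otherwise the SDK default chain is relied on, and the function only checks that the environment carries enough for it to succeed. The `SecretRef` type, the `stat` hook and the sample token path and role ARN are constructed for this example; the ordering (static keys in the environment checked before the web identity variables) follows my understanding of the AWS SDK for Go v1 session resolution and is an assumption here, not something the issue states.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// SecretRef mirrors an optional reference to a Kubernetes Secret holding
// static AWS credentials (hypothetical shape, not the project's own type).
type SecretRef struct {
	Name      string
	Namespace string
}

// CredentialSource names where the AWS SDK would obtain credentials from.
type CredentialSource string

const (
	SourceSecretRef   CredentialSource = "secretRef"
	SourceEnvStatic   CredentialSource = "env-static-keys"
	SourceWebIdentity CredentialSource = "web-identity"
)

// ResolveCredentialSource decides how credentials are supplied when secretRef
// is optional. A present secretRef is used as-is and the environment is not
// consulted. Without it, the SDK default chain is relied upon: static keys in
// the environment take precedence (assumption based on the Go SDK v1 session
// logic), then the web identity pair, which must be complete and point at a
// readable token file; anything else is reported as a configuration error
// rather than left for the SDK to fail on at the first API call.
func ResolveCredentialSource(ref *SecretRef, env map[string]string, stat func(string) error) (CredentialSource, error) {
	if ref != nil {
		if ref.Name == "" || ref.Namespace == "" {
			return "", errors.New("secretRef set but name or namespace is empty")
		}
		return SourceSecretRef, nil
	}
	if env["AWS_ACCESS_KEY_ID"] != "" && env["AWS_SECRET_ACCESS_KEY"] != "" {
		return SourceEnvStatic, nil
	}
	tokenFile, roleARN := env["AWS_WEB_IDENTITY_TOKEN_FILE"], env["AWS_ROLE_ARN"]
	if tokenFile == "" && roleARN == "" {
		return "", errors.New("no secretRef and no AWS credentials found in the environment")
	}
	if tokenFile == "" || roleARN == "" {
		return "", errors.New("AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN must both be set")
	}
	if err := stat(tokenFile); err != nil {
		return "", fmt.Errorf("web identity token file %q is not readable: %w", tokenFile, err)
	}
	return SourceWebIdentity, nil
}

// osStat is the production stat hook; tests substitute a fake.
func osStat(path string) error {
	_, err := os.Stat(path)
	return err
}

func main() {
	// Constructed sample environment: the projected token path EKS uses and an
	// example account id; the token file will not exist outside a pod.
	env := map[string]string{
		"AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
		"AWS_ROLE_ARN":                "arn:aws:iam::123456789012:role/example-machine-role",
	}
	src, err := ResolveCredentialSource(nil, env, osStat)
	fmt.Println(src, err)
}
```

Passing the environment and `stat` as parameters keeps the decision pure and testable; in a controller the call site would pass `os.Getenv`-derived values and `osStat`, and only when the result is `SourceSecretRef` would it read the Secret and build static credentials, leaving the SDK config empty in the other two cases so the default chain is what actually runs.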