Hi,
I’m reopening this discussion. I was hoping this werk would add the feature: agent_aws: Support for Assume Role (Werk #10333) | checkmk. I installed the 2.0.0b2 build.
We have a couple of managed AWS EKS clusters. In this kind of setup we can assign roles to the containers running in Kubernetes. As such, a container can assume a role and can practically be given the privileges needed by the special agent for AWS.
We cannot use a user because our policy requires all users to have MFA.
I actually tested this and it works. The setup, described very briefly, is as follows:
- role (not user) in IAM with the policies attached
- use IRSA to provide IAM privileges to the container (Cross account IAM roles for Kubernetes service accounts | Containers (amazon.com))
- the Checkmk container has an annotation with the IAM role it needs to run the AWS commands
I’ve installed awscli in the container and set up the region (export AWS_DEFAULT_REGION=us-east-1). After this I was able to list all EC2 instances without providing the AWS_ACCESS_KEY_ID or the AWS_SECRET_ACCESS_KEY.
However, in the rule you cannot skip the credential fields.
Would it be possible to add this on your roadmap?
Thank you!
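For readers following the setup above, here is an added example of the IRSA wiring it describes; it is not from the original post or from Checkmk. It assumes a namespace `monitoring`, a ServiceAccount named `checkmk`, and placeholder values for the account ID, role name and image.

```yaml
# Added example (not from the original post or from Checkmk): IRSA wiring for
# the Checkmk container so the AWS special agent can run under an assumed
# role instead of an IAM user with static keys. Assumed names: namespace
# "monitoring", ServiceAccount "checkmk"; angle-bracket values are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: checkmk
  namespace: monitoring
  annotations:
    # The IAM role the pod may assume. Its trust policy must allow
    # sts:AssumeRoleWithWebIdentity from the cluster's OIDC provider and
    # should pin the subject to this exact service account, e.g.
    #   "<OIDC_PROVIDER>:sub": "system:serviceaccount:monitoring:checkmk"
    # so that no other pod in the cluster can take the role.
    eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<CHECKMK_AGENT_ROLE>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: checkmk
  namespace: monitoring
spec:
  replicas: 1
  selector:
    matchLabels:
      app: checkmk
  template:
    metadata:
      labels:
        app: checkmk
    spec:
      serviceAccountName: checkmk   # binds the pod to the annotated SA above
      containers:
        - name: checkmk
          image: <CHECKMK_IMAGE>    # placeholder
          env:
            # Default region for awscli / the AWS SDK, as set in the post.
            - name: AWS_DEFAULT_REGION
              value: us-east-1
          # Deliberately no AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY: the EKS
          # pod identity webhook injects AWS_ROLE_ARN and
          # AWS_WEB_IDENTITY_TOKEN_FILE (a projected service-account token),
          # and the SDK's default credential chain exchanges that token for
          # short-lived role credentials through STS.
```

To confirm the pod is really running under the role, `aws sts get-caller-identity` from inside the container should report the assumed-role ARN rather than a user ARN.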