How to prevent transitive tags, which are set by EKS Pod Identity, from propagating?
When using EKS Pod Identity add-on, sessions are automatically tagged with transitive tags.
There are two issues with this:
All roles transitively must have
sts:TagSessionin their trust policy, something that might not be feasible if not all roles are owned by the same organization.The automatic tags contain information like cluster's ARN which might not be desired to "share" with accounts down the assume role chain (through CloudTrail).
I found out that (and correct me if I'm am wrong):
- Transitive tags can not be ignored when assuming another role.
- There is no action to clear them from the current session.
- Transitivity propagates across accounts.
- There is no configuration of EKS pod identity add-on that can control if tags will be added with transitivity or not.
What other options do I have?
Solution
Just now, AWS added an options to disable session tags. This options is found in the "Pod Identity Association" section of the Access section of the EKS cluster.
- When using the AWS CLI lambda invoke, is there a way to pass environment variables?
- error: failed to solve: failed commit on ref : unexpected status: 400 Bad Request
- Is the fanout pattern using AWS SNS ans SQS reliable?
- API Gateway: JSON 5+ MB Gives error "413, Request Too Long"
- What are the deployment tools used in hybrid cloud
- Delete/Update DynamoDB entries with AWS API
- aws cli ec2 describe-instances table output
- Deploying a microservice with Tensorflow at AWS Lambda
- Issue when using Terraform to manage credentials that access RDS database
- Predictive Auto Scaling for AWS ECS Services
- vitejs build with jsx returning MIME error on aws amplify
- AWS API Gateway : Execution failed due to configuration error: No match for output mapping and no default output mapping configured
- Is there any way to Block request from Postman or other apps to call Restful API
- EC2 user permissions for var/www directory
- How can I recover deleted AWS Lambda code?
- How to discard changes in AWS lambda function inline editor?
- AWS equivalent for Azure Resourcegroup
- Lambda Function to Delete Object after interrogation of file, triggered by S3 Create event not deleting file
- AWS Java SDK v2.0: How to handle providing indexNames at runtime rather than using annotation
- How can I get all thing names from a thing group in AWS IoT Core using a Lambda function?
- AWS CloudFormation is stuck on DELETED_FAILED status
- count value depends on resource attributes that cannot be determined until apply in module
- GraphQL documentation strings (""") not showing up in AWS AppSync Documentation Explorer
- How to check if Python app is running within AWS lambda function?
- how to add raster data using mapbox gl js?
- AWS Application Load Balancer transforms all headers to lower case
- Aws cross-account backup copy and restoration failing due to insufficient privileges
- CDK - S3 notification causing cyclic reference error
- aws beanstalk 403 error while deploying
- Docker commands hanging with no response