Bamboo Data Center / BAM-25871

IAM roles for Service Accounts to manage elastic agents


    • Type: Suggestion
    • Resolution: Unresolved
    • Elastic Bamboo

      Summary

      Introduce support for IAM roles for Service Accounts (IRSA) in Bamboo. This will allow users to manage Elastic Agents on Elastic Kubernetes Service (EKS) clusters without relying on direct AWS Keypairs or EC2 Instance Profiles. This will enhance security and align with AWS best practices.

      Background

      Currently, Bamboo supports managing Elastic Agents using EC2 Instance Profiles and direct AWS Keypairs. While these methods are functional, they don't leverage the security and flexibility benefits offered by IAM roles for Service Accounts in EKS environments. As more organisations migrate to EKS, the need for native support for IRSA in Bamboo becomes critical.

      Problem Statement

      Organisations using Bamboo in EKS environments are currently required to use less secure or less integrated methods to manage Elastic Agents. The available workarounds involve:

      • Using EC2 Instance Profiles, which is not directly applicable to EKS.
      • Employing direct AWS Keypairs, which requires managing credentials and does not follow AWS's recommended security practices.

      These workarounds increase operational overhead and can lead to potential security vulnerabilities.

      Proposed Solution

      Introduce native support for IAM roles for Service Accounts in Bamboo to manage Elastic Agents on EKS. This feature would involve:

      • User Interface Update: Update the Bamboo UI to allow configuration of IAM roles for Service Accounts within the Elastic Agent management settings.
      • Backend Processing Adaptation: Modify the Bamboo backend to authenticate with AWS using the IAM role associated with the Kubernetes Service Account, leveraging the AWS SDK's support for IRSA.

      Use Cases

      A team running Bamboo on EKS can configure their Kubernetes Service Account with an IAM role, allowing Bamboo to manage Elastic Agents without manual credential management or less secure workarounds.

      Organisations following AWS best practices can maintain compliance and security standards by using IRSA for Elastic Agent management.

      Workarounds

      Until this feature is implemented, users can:

      1. Configure an AWS Access Key and Secret Access Key in Bamboo's Elastic Agent configuration, while managing these credentials securely.
      2. Use Instance Profiles. In Kubernetes, these will be the profiles attached to the node, not to the pod.

      Additional Information

      Refer to AWS documentation on IAM roles for Service Accounts for more details on configuring IRSA in EKS.

      Conclusion

      By supporting IAM roles for Service Accounts in EKS, Bamboo will align with industry best practices, enhancing its security posture and usability in cloud-native environments.
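
A pod-side check for the three credential methods this request compares, as an added example (not Bamboo's or Atlassian's code). It reports which method an AWS SDK default credential chain would select from the pod environment, simplified to static keys, IRSA and the node instance profile, and confirms that a projected token carries the `aud` and `sub` claims an IRSA trust policy is conditioned on. The namespace `ci`, service account `bamboo`, role name and sample token are constructed.

```python
import base64
import json

# Standard SDK variable names; EKS injects the IRSA pair into annotated pods.
STATIC = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
IRSA = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")


def credential_source(env):
    """Return (source, findings) for the method an SDK default chain would use."""
    has_static = all(env.get(k) for k in STATIC)
    has_irsa = all(env.get(k) for k in IRSA)
    if has_static:
        findings = ["long-lived access key present in pod environment"]
        if has_irsa:
            findings.append("static keys are tried first and shadow the IRSA role")
        return "static-keys", findings
    if has_irsa:
        return "irsa", []
    return "node-instance-profile", ["role is shared by every pod on the node"]


def token_claims(jwt):
    """Decode the payload of a projected service account token (no signature check)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_matches(jwt, namespace, service_account):
    """Check the two claims an IRSA trust policy is normally conditioned on."""
    claims = token_claims(jwt)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    return "sts.amazonaws.com" in aud and claims.get("sub") == expected_sub


def make_sample_token(sub, aud):
    """Build a constructed, unsigned token for the demo; not a real credential."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"sub": sub, "aud": aud}), ""])


if __name__ == "__main__":
    env = {"AWS_ROLE_ARN": "arn:aws:iam::111122223333:role/example-bamboo",
           "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}
    token = make_sample_token("system:serviceaccount:ci:bamboo", ["sts.amazonaws.com"])
    print(credential_source(env), token_matches(token, "ci", "bamboo"))
```

Run it with `os.environ` and the contents of the token file inside the Bamboo pod to see which of the three methods is actually in effect.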

              Assignee: Unassigned
              Reporter: Eduardo Alvarenga
              Votes: 2
              Watchers: 5