If we try to delete iamrole which already has a policy attached, the kubectl process gets stuck and does not exit. Had to force exit the command with ctrl+c

Controller logs shows continuous error:
ERROR controllers.Role unable to delete Role {"role": "default/role-sample1", "error": "DeleteConflict: Cannot delete entity, must detach all policies first.\n\tstatus code: 409, request id: 52f76e23-fa39-4f23-8584-9ca0e287d389"}

When we removed policy from role, the role got deleted automatically by the controller.

kubectl get role.aws-iam.redradrat.xyz -A

jay nginx-deployment-role EntityAlreadyExists: Role with name nginx-deployment-role already exists.
status code: 409, request id: 042007ff-baf9-47d3-8960-b8bf9209c6ee ERROR
jay role-sample EntityAlreadyExists: Role with name role-sample already exists.
status code: 409, request id: 23bf242d-4a05-4668-b1e8-de3aa0538306 ERROR
test nginx-deployment-role arn:aws:iam::....:role/nginx-deployment-role Succesfully reconciled
test role-sample arn:aws:iam::....:role/role-sample Succesfully reconciled OK

jayzalowitz$ kubectl delete -f deployment.yaml -n jay
deployment.apps "nginx-deployment" deleted
role.aws-iam.redradrat.xyz "nginx-deployment-role" deleted
role.aws-iam.redradrat.xyz "role-sample" deleted

SFO-WXLVCF:application jayzalowitz$ kubectl get role.aws-iam.redradrat.xyz -A

jay nginx-deployment-role Role 'nginx-deployment-role' not yet created
jay role-sample Role 'role-sample' not yet created
test nginx-deployment-role arn:aws:iam::....:role/nginx-deployment-role Succesfully reconciled
test role-sample arn:aws:iam::.....:role/role-sample Succesfully reconciled

kubectl delete -f deployment.yaml -n test
deployment.apps "nginx-deployment" deleted
role.aws-iam.redradrat.xyz "nginx-deployment-role" deleted
role.aws-iam.redradrat.xyz "role-sample" deleted

kubectl get role.aws-iam.redradrat.xyz -A
jay nginx-deployment-role Role 'nginx-deployment-role' not yet created ERROR 11 Feb 21 22:33 +0000
jay role-sample Role 'role-sample' not yet created ERROR 11 Feb 21 22:33 +0000

Create Github Actions to release the latest controller-manager image

Steps :

1. create a PolicyAttachment which attaches policy1 to role1.
2. update PolicyAttachment : change policy name to policy2 and apply the change.

Expected Behaviour :
role1 should have policy2 attached and policy1 removed

Actual Behaviour :
role1 has both the policies attached policy1 and policy2

Same issue happens when we update PolicyAttachment with new role

If policy is already attached to role, and if we try to update the policy it gives error:
ERROR controller-runtime.controller Reconciler error {"controller": "policy", "request": "<namespace>/<policy-name>", "error": "cannot delete policy due to existing PolicyAttachment '<policyattachment>/<namespace>'"}

Right now it is mandatory to define namespace in the TargetReference inside the PolicyAttachment spec.

Per default it should take it's own namespace as the TargetReference namespace, and only allow for overriding manually.

Getting following error while applying namespaced scoped object

ERROR in IAM Operator :
reflector.go:153] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:105: Failed to list *v1beta1.User: users.aws-iam.redradrat.xyz is forbidden: User "system:serviceaccount:hkp-admin:main-aws-iam-operator" cannot list resource "users" in API group "aws-iam.redradrat.xyz" at the cluster scope

User/Role resource should have an option to map a the created resource for EKS cluster access.

Proposal:
Custom Resource User/Role should offer an option to register itself with the context cluster's AWS authentication map, and provide an option to map to an RBAC role.

apiVersion: aws-iam.redradrat.xyz/v1beta1
kind: User
metadata:
  name: user-sample
spec:
  createLoginProfile: false
  createProgrammaticAccess: true
  eksClusterMapping:
    - username: "demouser"
      groups:
        - "demo:group"
---
apiVersion: aws-iam.redradrat.xyz/v1beta1
kind: Role
metadata:
  name: role-sample
spec:
  createServiceAccount: false
  eksClusterMapping:
    - username: "demouser"
      groups:
        - "demo:group"

Instead of writing Secrets and ConfigMaps maybe we should consider triggering a hook for writing secrets elsewhere? Not sure, but a simple event hook could do the trick. Users could deploy their own service that then writes to an external store and maybe creates an ExternalSecret object within k8s to inject the secret somewhere.

Providing this feature will help in maintaining same resource names at cluster level and have environment specific aws-resource names in AWS account

Currently when we create user with createProgrammaticAccess: true. A secret gets created with access key and secret key.
We would like to have these keys autorotated after given time span.

As AWS does not allow for in-place updates of certain resources (Role, PolicyAttachment, ...) we currently delete the previous resource, and recreate it. This might cause issues, when hitting resource limits?

How to make this safe? The point is, if this happens in production due to something triggering the re-creation, this might leave a Role uncreated and cause services, using this role, to fail. Not sure about it...

We need to create aws saml IdP for keycloak.

With aws cli this is how we create saml idp:
aws iam create-saml-provider --saml-metadata-document file:///<filepath> --name <idp-name>

Proposal:
New custom resource for idp creation should be implemented, with input file saml-metadata-document

IAM resources should be taggable via the CR

Please allow setting Maximum session duration for IAM Role

Steps to reproduce:

1. create assumerolepolicy: assumerolepolicy-sample
2. create a role role-sample with

assumeRolePolicyRef:
    name: assumerolepolicy-sample

3. now update assumerolepolicy-sample

Here it does not actually update role-sample's trust policy

Also if assumerolepolicy is deleted, there is no impact on role(ideally if assumerolepolicy is attached to role, it should be restricted from deletion)

While attaching the policy to user controller gives error and policy doesn't get attached. Users and Policies tested independently and no issue with them. Attachment of Policy to Role also works.

File:

apiVersion: aws-iam.redradrat.xyz/v1beta1
kind: PolicyAttachment
metadata:
  name: policyattachment-sample-dpy
  namespace: capabilities
spec:
  policy:
    name: policy-sample-test-dpy
    namespace: capabilities
  target:
    type: User
    name: user-dpy
    namespace: capabilities

Error on controller:
ERROR controller-runtime.controller Reconciler error {"controller": "policyattachment", "request": "default/policyattachment-sample-dpy", "error": "defined references do not exist for PolicyAttachment 'policyattachment-sample-dpy/default"}

Currently iam object should be deleted in following order in order to get them cleaned properly in k8s cluster-

policyattachment
policy
role/user
assumerolepolicy

If we shuffle the above mentioned objects order in deletion it stuck and we have to patch the finalizer and have to remove manually iam objects e.g role/user in AWS Console.

I cant find tags around this and that would be super nice.

When deleting a policy that does not exist in aws anymore, the operator is blocking. It should see this as success.

Hello, we, company Yad2 from Israel, want to use your project "aws-iam-operator" for infrastructure as a code. We have two problems for this: when you delete the cluster, all users and groups and everything that we have created are also deleted. The second problem is the inability to delete an object after receiving an error. Maybe you have a solution? thanks.

Trying to import github.com/redradrat/aws-iam-operator/api/v1beta1 and build returns the following error

# github.com/redradrat/aws-iam-operator/api/v1beta1
../../go/pkg/mod/github.com/redradrat/aws-iam-operator@v0.4.0/api/v1beta1/assumerolepolicy_helpers.go:28:15: cannot use entry.Conditions.Normalize() (value of type map[string]map[string]string) as map[string]map[string][]string value in struct literal
../../go/pkg/mod/github.com/redradrat/aws-iam-operator@v0.4.0/api/v1beta1/assumerolepolicy_helpers.go:51:15: cannot use entry.Conditions.Normalize() (value of type map[string]map[string]string) as map[string]map[string][]string value in struct literal
../../go/pkg/mod/github.com/redradrat/aws-iam-operator@v0.4.0/api/v1beta1/policy_helpers.go:49:15: cannot use entry.Conditions.Normalize() (value of type map[string]map[string]string) as map[string]map[string][]string value in struct literal
../../go/pkg/mod/github.com/redradrat/aws-iam-operator@v0.4.0/api/v1beta1/role_helpers.go:32:15: cannot use entry.Conditions.Normalize() (value of type map[string]map[string]string) as map[string]map[string][]string value in struct literal

Same error on both v0.3.7 and v0.4.0

Sample code

package main

import (
	iamv1beta1 "github.com/redradrat/aws-iam-operator/api/v1beta1"
)

func main() {
	_ = iamv1beta1.Role{}
}