When is "iam:PassRole" required? #89
Description
The documentation at https://github.com/awslabs/k8s-cloudwatch-adapter/blob/v0.10.0/docs/cross-account.md suggests that the service role needs to be able to pass the target role for cross-account metrics. However, it appears that the service role need only assume the target role.
If roleArn is present in the ExternalMetric spec the client gets credentials that assume the role by calling stscreds.NewCredentials: https://github.com/awslabs/k8s-cloudwatch-adapter/blob/2dd7711adeb15b37f59cd1a05967796bdd6cdff3/pkg/aws/client.go#L41. That function uses an AssumeRoleProvider: https://github.com/aws/aws-sdk-go/blob/de0aa785c5d4efb004061153d592f8e1641f91c4/aws/credentials/stscreds/assume_role_provider.go#L257
With v0.10.0 I've managed to scale a deployment based on metrics in a separate account with a service role policy like,
Version: "2012-10-17"
Statement:
- Sid: AssumeTargetRole
Effect: Allow
Action: sts:AssumeRole
Resource: arn:aws:iam::111111111111:role/target-role
And a target role policy with,
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: arn:aws:iam::222222222222:role/service-role
Action: sts:AssumeRole
Should the documentation be updated to omit the "iam:PassRole" statement?