Streamlining AWS Role Assumption in KEDA Using OIDC/Federation #5178
Description
Proposal
The current implementation of role assumption in KEDA, in particular when an AWS role is overridden via a pod identity mechanism or the awsRoleArn trigger authentication environment variable, relies on the KEDA operator's own IAM role. The operator's role must be granted permission to assume the designated AWS role, and the trust relationship on the target role must be configured to allow that assumption. While this works in environments that use kube2iam, it adds configuration steps that are potentially unnecessary in an IRSA setup.
We propose a change to the role assumption process in KEDA for AWS. This improvement involves enabling KEDA to assume AWS roles directly by utilizing OpenID Connect (OIDC) and federation mechanisms. This approach would allow KEDA to bypass the current requirement of configuring the operator's role with additional permissions for role assumption.
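To make the difference between the two models concrete, the following is an added example (not code from the issue or from the KEDA project) that builds the IAM policy documents each model needs and evaluates them with a simplified, Allow-only approximation of how STS checks an AssumeRole and an AssumeRoleWithWebIdentity request. The account id, OIDC issuer path, role ARNs and service-account name are constructed placeholders. The current model needs two coordinated pieces of configuration (a permission on the operator's role and a trust statement on the target role); the proposed model needs only a trust statement on the target role, scoped to one Kubernetes service account through the token's `sub` and `aud` claims.

```python
"""Added example: the two AWS trust models behind the KEDA proposal.

Today: the KEDA operator role calls sts:AssumeRole on the target role. That
requires (1) an identity policy on the operator role and (2) a trust policy
on the target role naming the operator role.
Proposed: the target role trusts the cluster's OIDC provider directly and the
pod exchanges its projected service-account token with
sts:AssumeRoleWithWebIdentity, so only the target's trust policy is involved.
All identifiers below are constructed placeholders, not values from the issue.
"""
import json

ACCOUNT_ID = "111122223333"                                              # placeholder account
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE1234567890"  # placeholder issuer
OPERATOR_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/keda-operator"      # placeholder role
TARGET_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/scaler-target"        # placeholder role
SA_SUBJECT = "system:serviceaccount:keda:keda-operator"                  # placeholder SA
STS_AUDIENCE = "sts.amazonaws.com"


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def current_operator_policy(target_role_arn):
    """Identity policy the KEDA operator role needs under the current model."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": target_role_arn}]}


def current_target_trust_policy(operator_role_arn):
    """Trust policy the target role needs under the current model."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": operator_role_arn},
                           "Action": "sts:AssumeRole"}]}


def proposed_target_trust_policy(provider, account_id, subject, audience=STS_AUDIENCE):
    """Trust policy under the proposal: trust the cluster OIDC provider, but
    only for tokens whose sub/aud claims name the KEDA service account."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Federated":
                                         f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
                           "Action": "sts:AssumeRoleWithWebIdentity",
                           "Condition": {"StringEquals": {f"{provider}:sub": subject,
                                                          f"{provider}:aud": audience}}}]}


def assume_role_chain_allowed(operator_policy, target_trust, operator_role_arn, target_role_arn):
    """Current model: both the caller's permission and the target's trust must
    agree. Simplified evaluation (Allow statements only, no Deny/conditions)."""
    permitted = any(s["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(s["Action"])
                    and any(r in ("*", target_role_arn) for r in _as_list(s["Resource"]))
                    for s in operator_policy["Statement"])
    trusted = any(s["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(s["Action"])
                  and s.get("Principal", {}).get("AWS") == operator_role_arn
                  for s in target_trust["Statement"])
    return permitted and trusted


def web_identity_allowed(target_trust, provider, account_id, token_claims):
    """Proposed model: only the target's trust policy is consulted. Mimics the
    Federated principal match plus StringEquals conditions on the OIDC token
    claims (subset: Allow + StringEquals only, not a full IAM engine)."""
    federated_arn = f"arn:aws:iam::{account_id}:oidc-provider/{provider}"
    prefix = provider + ":"
    for s in target_trust["Statement"]:
        if s["Effect"] != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(s["Action"]):
            continue
        if s.get("Principal", {}).get("Federated") != federated_arn:
            continue
        conds = s.get("Condition", {}).get("StringEquals", {})
        # Every "<provider>:<claim>" key must equal the matching token claim.
        if all(k.startswith(prefix) and token_claims.get(k[len(prefix):]) == v
               for k, v in conds.items()):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(proposed_target_trust_policy(OIDC_PROVIDER, ACCOUNT_ID, SA_SUBJECT), indent=2))
```

Run stand-alone it prints the proposed trust policy. The `web_identity_allowed` checks show why the `sub` and `aud` conditions matter: without them any workload in the cluster whose token the provider signs could assume the target role, whereas with them only the KEDA operator's service account can, and no permission on the operator's own role is needed.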
Use-Case
No response
Is this a feature you are interested in implementing yourself?
Yes
Anything else?
No response
Metadata
Status: Ready To Ship