Wondering if anyone has used AWS Pod Identities as a viable alternative to the Vault Kubernetes authentication?
The advantage is that once the number of clusters you manage scales, we can avoid the overhead of keeping the Vault k8s auth configuration updated.
The Pod Identity service account tokens, and the AWS session token further in, have the cluster name, namespace and service account name as tags as part of the claims.
Open questions are:
How can this information be validated using a backchannel communication in an authentication flow?
The AWS endpoints that we need to use for this flow?
The choice of auth methods we can use for this if this is feasible (aws, oidc, jwt..)?