33 changes: 31 additions & 2 deletions app/mesh/ecs.md
Expand Up @@ -87,7 +87,9 @@ In particular, every role must be tagged at a minimum with `kuma.io/type` set to
either `dataplane`, `ingress`, or `egress`. For `dataplane`, i.e. a normal data
plane proxy, the `kuma.io/mesh` tag is also required to be set.

This means that the setting of these two tags on IAM roles
{% new_in 2.13 %} When using `MeshIdentity` with the `kuma.io/workload` label in its SPIFFE ID path template (e.g., `{% raw %}{{ label "kuma.io/workload" }}{% endraw %}`), the IAM role must also include a matching `kuma.io/workload` tag. This validation is enforced to ensure secure identity binding between IAM roles and dataplanes when workload labels are used.

This means that the setting of these tags on IAM roles
must be restricted accordingly for your AWS account
(which must be explicitly given to the CP, see below).

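Review bot: The new `{% new_in 2.13 %}` paragraph says the `kuma.io/workload` tag is "required" and that "this validation is enforced", but it never states what the control plane does when the tag is missing or when its value differs from the dataplane's `kuma.io/workload` label; the reader of this section (where IAM tagging permissions are decided) needs that to size the restriction. Suggest a clause such as "the tag value must equal the dataplane's `kuma.io/workload` label; otherwise the dataplane's registration is rejected" (or whatever the actual behaviour is), and, since the following sentence now reads "these tags" rather than "these two tags", a short note that the IAM `kuma.io/workload` tag must be locked down in the same way as `kuma.io/mesh`, because it ends up in the SPIFFE ID path and therefore decides which workload identity a task can obtain.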
Expand Down Expand Up @@ -233,7 +235,34 @@ It must always have the `kuma.io/type` tag set to either `"dataplane"`,
`"ingress"`, or `"egress"`.

If it's a `"dataplane"` type, then it must also have the `kuma.io/mesh` tag set.
Additionally, you can set the `kuma.io/service` tag to further restrict its identity.

{% new_in 2.13 %} When a `MeshIdentity` resource uses the `kuma.io/workload` label in its SPIFFE ID path template, the IAM role must include a `kuma.io/workload` tag that matches the dataplane's metadata labels. Ensure that:

- **For Kubernetes**: Add `kuma.io/workload` to Pod labels (automatically synced to dataplane metadata)
- **For Universal/ECS**: Add `kuma.io/workload` to dataplane metadata labels:

```yaml
type: Dataplane
mesh: default
name: dp-1
labels:
kuma.io/workload: <workload-name>
networking:
address: 127.0.0.1
inbound:
- port: 8080
tags:
kuma.io/service: backend
```

The IAM role must have a corresponding tag:

```
kuma.io/workload: <workload-name>
```

{:.info}
> This validation only applies when a `MeshIdentity` exists for the mesh and uses `kuma.io/workload` in its SPIFFE ID path template.

### Sidecar

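Review bot: The bullet "**For Kubernetes**: Add `kuma.io/workload` to Pod labels" does not belong in `app/mesh/ecs.md`; this page is the ECS integration and the surrounding text only describes the Universal/ECS dataplane and IAM role tagging, so either drop the Kubernetes bullet or turn it into a cross-reference to the Kubernetes docs. Two smaller points: the IAM tag block after "The IAM role must have a corresponding tag:" is an untagged fence while the dataplane example above uses `yaml`; tag it consistently (for a `key: value` tag line, `yaml` reads fine). And the added text should say what "matches" means operationally (exact string equality between the IAM tag value and the dataplane metadata label, and that a mismatch causes rejection), since the `{:.info}` note below only says when the validation applies, not what it rejects.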