Support IAM Roles for Service Accounts (IRSA) #424
Open
Description
The operator Helm chart is the recommended way for installing Mattermost in Kubernetes; however, I am not able to use an IAM Role for access to S3:
- AWS API Keys are considered a security risk and bad practice.
- Installing on Kubernetes and using the S3 backend, it's likely they are running EKS.
I see that Mattermost itself supports IAM Roles:
I believe it falls back to role-based authentication if credentials are not supplied. I think minimal changes would be required to support IRSA:
- When creating the service account for mattermost, allow it to be annotated from the operator installation manifest:
  ```yaml
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::1111111111111:role/mattermost
  ```
- Don't require the secret in the installation manifest and leave it unset to the deployment as mentioned in the document above. Currently unsetting it generates this error in the operator:
  ```
  time="2025-07-27T09:55:53Z" level=error msg="[opr] Reconciler error" Mattermost=mattermost/mattermost controller=mattermost controllerGroup=installation.mattermost.com controllerKind=Mattermost error="Secret \"\" not found" name=mattermost namespace=mattermost reconcileID=10caea8f-3543-4bb6-8f42-be8b3190cdd6
  ```
The service account annotation will mount the token and handle authentication using the default credential provider using the role.
Let me know if you have further questions and thanks!
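
The pod-side effect of the annotation requested above can be checked as in the following added example, which is not part of the original issue or the operator's code. It assumes the variables and projected token that the EKS pod identity webhook injects (`AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`, token audience `sts.amazonaws.com`); `check_irsa`, `sample_token` and `SAMPLE_ENV` are hypothetical names, and the sample values are constructed.

```python
import base64
import json
import re

# Long-lived key variables that should be absent once the role is used; the MM_
# names are Mattermost's env overrides for FileSettings.AmazonS3AccessKeyId/SecretAccessKey.
STATIC_KEY_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
                   "MM_FILESETTINGS_AMAZONS3ACCESSKEYID",
                   "MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY")
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")
# Constructed sample of what the webhook injects into an annotated pod.
SAMPLE_ENV = {
    "AWS_ROLE_ARN": "arn:aws:iam::111111111111:role/mattermost",
    "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
}

def sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    parts = [{"alg": "none"}, claims]
    enc = [base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode() for p in parts]
    return ".".join(enc + ["constructed-signature"])

def jwt_claims(token):
    """Decode the payload without verifying it; enough for a configuration check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_irsa(env, token, namespace, service_account):
    """Return a list of findings; an empty list means the pod looks IRSA-ready."""
    findings = []
    if not ROLE_ARN_RE.match(env.get("AWS_ROLE_ARN", "")):
        findings.append("AWS_ROLE_ARN missing or malformed (annotation not applied?)")
    if not env.get("AWS_WEB_IDENTITY_TOKEN_FILE"):
        findings.append("AWS_WEB_IDENTITY_TOKEN_FILE not set (token not projected)")
    findings += [f"static credential {n} is still set" for n in STATIC_KEY_VARS if env.get(n)]
    try:
        claims = jwt_claims(token)
    except (IndexError, ValueError):
        return findings + ["projected token is not a decodable JWT"]
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if "sts.amazonaws.com" not in aud:
        findings.append(f"token audience {aud} lacks sts.amazonaws.com")
    want = f"system:serviceaccount:{namespace}:{service_account}"
    if claims.get("sub") != want:
        findings.append(f"token subject {claims.get('sub')!r} != {want!r}")
    return findings
```

In a running pod, pass `dict(os.environ)` and the contents of the file named by `AWS_WEB_IDENTITY_TOKEN_FILE`.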