Service Account custom attributes

Is there any way to add custom attributes (claims) to a Service Account? Specifically I am looking for a way that when Namespace1.ServiceA makes a request to Namespace2.ServiceB, ServiceB can identify who (which service) is making that call and act accordingly. Previously we were using a JwtToken with each request to build an identity but I am hoping that we can replace that flow with something from Istio. I can read the namespace and service account from the x-forwarded-client-cert header by reading the URI subelement and parsing that URI. While this works, it feels like that is not the intended use of that header and I am worried about relying on something like that. Basically I am hoping that Istio can inject a set of custom attributes based on the config of the service account or some other means.

Thanks.

What custom attributes do you have in mind to associate with the service account? We are hesitant to add additional attributes to the certificate, which may make key/cert provisioning over-complicated and affect our security guarantee, and we’d like each attribute put in the certificate to be strongly verified. Our general recommendation is to use JWT to carry additional attributes, and bind them to the service account, which can avoid replay attacks.

@liminwang
@Tao_Li

I’m speaking specifically of service-to-service communication. In my scenario there will be pods running in one namespace that will be from non-trusted or at least less-trusted sources. Those services will be making calls to trusted (my) services in another namespace. One of the things that I am wanting to use Istio for is to allow me to assign an identity (ServiceAccount) to a pod that is external to the container that is running inside it. This is working beautifully and I am able to determine the service account and namespace by parsing the HTTP headers in my trusted service. You mentioned binding a JWT token to a service account; is there a way I can do this transparently to the container making the request? I am not sure I explained this well, let me know if there are more questions.

If I understand correctly, you want your service to be able to determine the identity of the caller by parsing an HTTP header in the request, ideally set by Istio, without the client having to do anything special to manage its own identity. Is just the name and namespace of the client enough for your purposes, or are there other attributes you would need to know about the client?

Yes. I am currently able to determine the namespace and service account assigned to that service by parsing the URI in the x-forwarded-client-cert http header. I was hoping Istio could attach some additional attributes i.e. claims that are effectively attached to the service account. If this isn’t possible I can look them up via the namespace/service account combination.
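The approach described in the original question and in the last reply, parsing the URI subelement of the x-forwarded-client-cert header to recover the caller's namespace and service account and then looking up attributes for that pair, as an added example that is not part of this thread and not Istio's own code. It assumes the header is in the form Envoy writes (semicolon-separated `Key=Value` fields, comma-separated elements for multiple hops, quoted values for fields containing `,` or `;`), that the URI SAN is a SPIFFE ID of the form `spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>`, and that the attribute registry is a local map standing in for whatever config store holds the claims; the header value, trust domain, namespaces and service accounts are constructed. The point a defender cares about is the failure path: the header is only meaningful when the inbound sidecar set it from a verified peer certificate, so a request with no header or no SPIFFE URI is returned as `None` and should be treated as unauthenticated rather than defaulting to trust.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed header in the form Envoy writes for one mTLS hop. The trust
# domain, namespaces and service accounts are hypothetical.
SAMPLE_XFCC = (
    'By=spiffe://cluster.local/ns/namespace2/sa/serviceb;'
    'Hash=0123abcd;'
    'Subject="";'
    'URI=spiffe://cluster.local/ns/namespace1/sa/servicea'
)

# Constructed attribute registry keyed by (namespace, service account); this
# stands in for the config store that would hold the desired "claims".
SAMPLE_REGISTRY: Dict[Tuple[str, str], Dict[str, str]] = {
    ("namespace1", "servicea"): {"tier": "less-trusted", "scope": "read"},
}

_SPIFFE_RE = re.compile(r"^spiffe://([^/]+)/ns/([^/]+)/sa/([^/]+)$")


@dataclass(frozen=True)
class CallerIdentity:
    trust_domain: str
    namespace: str
    service_account: str


def _split_outside_quotes(text: str, sep: str) -> List[str]:
    """Split on `sep`, ignoring separators inside double-quoted values
    (Envoy quotes Subject/DNS values that contain ',' or ';')."""
    parts: List[str] = []
    buf: List[str] = []
    in_quotes = escaped = False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quotes:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_xfcc_element(element: str) -> Dict[str, str]:
    """Turn one XFCC element (one certificate) into a key/value map,
    removing the quotes and backslash escapes from quoted values."""
    fields: Dict[str, str] = {}
    for pair in _split_outside_quotes(element, ";"):
        key, eq, value = pair.partition("=")
        if not eq:
            continue
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        fields[key.strip()] = value
    return fields


def parse_caller_identity(xfcc: Optional[str]) -> Optional[CallerIdentity]:
    """Extract namespace and service account from the URI SAN of the nearest
    mTLS peer. Returns None when the header is absent or carries no SPIFFE
    URI; the service should treat that as an unauthenticated request."""
    if not xfcc:
        return None
    elements = _split_outside_quotes(xfcc, ",")
    if not elements:
        return None
    # A proxy that appends to XFCC adds its element at the end, so the last
    # element describes the certificate presented to this sidecar.
    fields = parse_xfcc_element(elements[-1])
    match = _SPIFFE_RE.match(fields.get("URI", ""))
    if match is None:
        return None
    return CallerIdentity(*match.groups())


def resolve_caller(
    xfcc: Optional[str],
    registry: Dict[Tuple[str, str], Dict[str, str]],
) -> Optional[Dict[str, str]]:
    """Map the caller identity to the attributes configured for that
    (namespace, service account) pair. Unknown or unauthenticated callers
    get None so the service can reject them instead of defaulting to trust."""
    identity = parse_caller_identity(xfcc)
    if identity is None:
        return None
    return registry.get((identity.namespace, identity.service_account))


if __name__ == "__main__":
    print(parse_caller_identity(SAMPLE_XFCC))
    print(resolve_caller(SAMPLE_XFCC, SAMPLE_REGISTRY))
```

The lookup keyed on (namespace, service account) is the fallback the last reply mentions: the identity itself comes from the peer certificate the sidecar verified, and everything else about the caller is resolved on the trusted side from that pair, so nothing the less-trusted client sends in the request body or its own headers influences which attributes it is granted.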