Authenticate to AWS with dedicated role without AssumeRole permissions

[nissanitz]

currently anyone who working with ASW scaler has 2 different ways to authenticate to AWS:
https://github.com/kedacore/keda/blob/2de3a4c2e08ad76d8939357456588259f088c752/pkg/scalers/aws_iam_authorization.go

1. awsRoleArn - and give to Keda operator assume role permissions (aws-kiam provider)
2. Configure awsAccessKeyId and awsSecretAccessKey

there is should be another way to authenticate with dedicated role to Keda operator without assume role permissions.

Use-Case

Granting minimum permissions without sts:AssumeRole permissions
for example if we want to work with AWS SQS scaler the role to operator should has this permission:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sqs:GetQueueAttributes",
        "Resource": "arn:aws:sqs:your_aws_account_number:your_region:your_sqs_queue"
    }]
}

Specification

• Set new PodIdentityProvider and if configure use default operator role
• Or if awsAccessKeyId, awsSecretAccessKey or awsRoleArn not configured operator will use default authentication to AWS.

[tomkerkhove]

If we add this this would more a different type of authentication rather than Pod Identity Provider given the pod no longer has an identity but permissions are assigned on KEDA operator itself, no?

[nissanitz]

True, the implementation may need to contain another property in the ScaledObject resource under Triggers.Metadata to AWS scalers which tells to Keda operator use the permissions which assigned to him. Something like podIdentity if set false use permissions are assigned on KEDA operator itself, if true the behavior will remain as it is today. True is default.

for example

apiVersion: keda.k8s.io/v1alpha1
kind: ScaledObject
spec:
  triggers:
  - metadata:
      **podIdentity: false**
      awsRegion: <REGION>
      queueLength: <LENGTH>
      queueURL: <URL>
    type: aws-sqs-queue

If that sounds good to you, I can get started to work on PR