Description
Currently, Onyxia supports configuring a single static S3 role per S3 configuration in the values.yaml under the sts configuration. This role is hardcoded and used by all users in the region.
Problem:
In some real-world scenarios, a single user may need to assume different S3 roles, each with different permissions.
The main use case is when users belong to multiple sensitive projects and have access to different data sources, but are not allowed to merge or cross-analyze data between them. Dynamic S3 role selection ensures that each project’s data access is kept strictly separate, with users explicitly choosing the role (and permissions) they need for each session.
Today, there's no mechanism in Onyxia for a user to dynamically select which S3 role to assume during their session.
No implementation of Onyxia asked for that feature but I think it may be interesting to have it at some point.