Howdy, folks! Looking to roll out our first Mesos cluster into a production environment soonish, but running into an issue around AWS credentialing that hopefully somebody's solved in a nice and secure way. We'd like to support a 1:1 mapping between our containers and our IAM policy holders (ideally roles, but users with keys if we have to) in a way that *doesn't* allow for an owned container to impersonate whatever's granting access on the system, i.e. if application A is owned it shouldn't be able to forge a method of accessing application B's credentials.
Does this already exist? Can anyone point me in the right direction on it, or on how it'd be doable if it doesn't? (I'm not against building and open-sourcing a thing with some guidance.)

(Note: obviously Amazon's ECS does this, but we'd rather not use that at this time. And the ECS/Mesos bridges I've seen aren't prod-ready.)

Thanks very much!
-Ed

