
Feature Request: Expose ALB ARN to workloads in a Kubernetes-friendly way (for ALB-auth JWT pinning) #4351

@pergardebrink


Describe the feature you are requesting
Provide a Kubernetes-native, declarative way for workloads to consume the ALB ARN created for an Ingress/IngressGroup—without custom jobs or external controllers.

Motivation
When using ALB authentication (e.g., Cognito/OIDC), applications receive a JWT via x-amzn-oidc-data. Best practice is to verify the token and pin it to the expected ALB by checking the JWT header’s signer (the ALB’s ARN). Since this is not possible to know in advance, there needs to be a way to get this reflected somewhere.

Describe the proposed solution you'd like
Provide an opt-in annotation where the load balancer controller could write back the ARN. For example a config map or secret.

For humans, it would be nice to get the ARN written back, just as we get the hostname today.

status:
  loadBalancer:
    ingress:
      - hostname: internal-…elb.amazonaws.com
  alb:
    arn: arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/…
    region: eu-west-1
    name: k8s-my-loadbalancer-…

For workloads that would consume it, giving it back as a secret or configmap so I can hook it up as an environment variable for example (with reload on change needed of course):

metadata:
  annotations:
    alb.ingress.kubernetes.io/expose-arn: "configmap"     # or "secret"
    alb.ingress.kubernetes.io/expose-arn.name: "alb-info"

Example configmap generated:

kind: ConfigMap
metadata:
  name: alb-info
  ownerReferences: [points to the Ingress]
data:
  arn: arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/…
  region: eu-west-1
  hostname: internal-…elb.amazonaws.com

Describe alternatives you've considered
Manually updating the ARN in my code by finding the created ALB is really hacky. I could have some post-job that detects and updates it, but I think my use-case should be quite common and I'm not really sure how others are solving this?

Contribution Intention (Optional)
I might be able to do it, depending on the solution.
- [x] Yes, I am willing to contribute a PR to implement this feature
- [ ] No, I cannot work on a PR at this time
