feat: Changes to Connect to AWS S3 and KMS using IAM role for EKS ser…
…vice account (#186)

* added changes to implement irsa role for service account

* addressed comments

* Fixed naming conventions

---------

Co-authored-by: Aastha Gupta <[email protected]>
velotioaastha and Aastha Gupta authored May 18, 2024
1 parent d4e01bd commit a07a45e
Showing 3 changed files with 52 additions and 0 deletions.
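--- a/modules/app_eks/iam-policies.tf
+++ b/modules/app_eks/iam-policies.tf
@@ -43,3 +43,23 @@ resource "aws_iam_policy" "secrets_manager" {
 name = "${var.namespace}-secrets-manager"
 policy = data.aws_iam_policy_document.secrets_manager.json
 }
+
+# IAM Policy for IRSA
+resource "aws_iam_policy" "irsa" {
+name = "${var.namespace}-irsa-policy"
+description = "IRSA IAM Policy"
+
+policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Effect = "Allow"
+Action = [
+"s3:*",
+"kms:*",
+]
+Resource = "*"
+}
+]
+})
+}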
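Review bot: The new `irsa` policy grants `s3:*` and `kms:*` on `Resource = "*"`, which is full administrative control over every bucket and every KMS key in the account (bucket policies, bucket deletion, key policies, key deletion, grants) rather than the "connect to S3 and KMS" access the commit title describes; anything that can assume this role can also read or destroy data it was never meant to touch. Restrict the statement to the data-plane actions the workload needs and to the specific bucket and key ARNs, e.g. `Action = ["s3:GetObject", "s3:PutObject", "s3:ListBucket", "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"]` and `Resource = [var.bucket_arn, "${var.bucket_arn}/*", var.kms_key_arn]`, with those ARNs declared as module variables or referenced from the resources that create them. If a broader action set is genuinely required, add a comment above the statement saying which operations the application performs so the scope can be revisited instead of silently inherited.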
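--- a/modules/app_eks/iam-role-attachments.tf
+++ b/modules/app_eks/iam-role-attachments.tf
@@ -52,3 +52,10 @@ resource "aws_iam_role_policy_attachment" "node_secrets_manager" {
 role = aws_iam_role.node.name
 policy_arn = aws_iam_policy.secrets_manager.arn
 }
+
+# Attach IRSA Policy to the IRSA Role
+resource "aws_iam_policy_attachment" "irsa" {
+name = "irsa-policy-attachment"
+roles = [aws_iam_role.irsa_role.name]
+policy_arn = aws_iam_policy.irsa_policy.arn
+}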
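Review bot: The attachment references `aws_iam_role.irsa_role` and `aws_iam_policy.irsa_policy`, but the resources declared elsewhere in this commit are `aws_iam_role.irsa` (iam-roles.tf) and `aws_iam_policy.irsa` (iam-policies.tf), so `terraform plan` will fail with undeclared-resource errors as written. Separately, `aws_iam_policy_attachment` is exclusive: it detaches the policy from any role, user or group not listed in `roles`, which can silently strip an attachment made elsewhere; the sibling `node_secrets_manager` block just above uses the non-exclusive `aws_iam_role_policy_attachment`, and this one should match. The fixed block is `resource "aws_iam_role_policy_attachment" "irsa" {` with `role = aws_iam_role.irsa.name` and `policy_arn = aws_iam_policy.irsa.arn` (the `name` argument is dropped, as that resource type has none).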
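--- a/modules/app_eks/iam-roles.tf
+++ b/modules/app_eks/iam-roles.tf
@@ -1,4 +1,29 @@
 resource "aws_iam_role" "node" {
 name = "${var.namespace}-node"
 assume_role_policy = data.aws_iam_policy_document.node_assume.json
+
 }
+
+# IAM Role for IRSA
+resource "aws_iam_role" "irsa" {
+name = "${var.namespace}-irsa-role"
+assume_role_policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Sid = ""
+Effect = "Allow"
+Principal = {
+Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${aws_iam_openid_connect_provider.eks.url}"
+}
+Action = "sts:AssumeRoleWithWebIdentity"
+Condition = {
+StringLike = {
+"${aws_iam_openid_connect_provider.eks.url}:sub" = "system:serviceaccount:${var.namespace}:*"
+"${aws_iam_openid_connect_provider.eks.url}:aud" = "sts.amazonaws.com"
+}
+}
+}
+]
+})
+}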
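Review bot: The Federated ARN and the two condition keys interpolate `aws_iam_openid_connect_provider.eks.url` unchanged; that attribute normally carries the `https://` scheme (it mirrors the token's `iss` claim), whereas the provider ARN and the `<issuer>:sub` / `<issuer>:aud` condition keys must use the bare host and path, so as written the trust policy is unlikely to match the tokens EKS issues (IAM may reject the principal ARN outright) — the usual fix is `replace(aws_iam_openid_connect_provider.eks.url, "https://", "")`, best kept in a local so both places agree. The `sub` condition is also a `StringLike` wildcard, `system:serviceaccount:${var.namespace}:*`, which lets every service account in the namespace — including any created later by a third-party chart — assume a role that the companion policy gives `s3:*`/`kms:*` on every resource; pin it to the one named service account with `StringEquals`, and use `StringEquals` for `aud` as well since no pattern is needed there. The service-account name would need a new input variable (shown below as `var.irsa_service_account_name`), declared in the module's variables file.
```hcl
locals {
  # Issuer without the "https://" scheme: the form IAM expects in the provider ARN and condition keys
  oidc_issuer = replace(aws_iam_openid_connect_provider.eks.url, "https://", "")
}

# … unchanged: resource header, name, Version, Sid, Effect, Action …
        Principal = {
          Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_issuer}"
        }
        Condition = {
          StringEquals = {
            # Trust exactly one service account, not every SA in the namespace
            "${local.oidc_issuer}:sub" = "system:serviceaccount:${var.namespace}:${var.irsa_service_account_name}"
            "${local.oidc_issuer}:aud" = "sts.amazonaws.com"
          }
        }
# … unchanged: closing of Statement / jsonencode / resource …
```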
