Create component for configuring IAM roles for IRSA #1495

Open
flostadler opened this issue Nov 18, 2024 · 1 comment
Labels
impact/usability Something that impacts users' ability to use the product easily and intuitively kind/enhancement Improvements or new features

Comments

@flostadler
Contributor

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Users can use IRSA (IAM Roles for Service Accounts) to assign IAM roles to Kubernetes workloads. This requires crafting rather complex assume role permissions.

They need to create an OIDC provider and then retrieve its ARN and URL to configure the trust relationship of the role. This will look like this:

```typescript
import * as aws from "@pulumi/aws";
import * as pulumi from "@pulumi/pulumi";

// `cluster` is the eks.Cluster; `appsNamespaceName` and `saName` are the
// namespace and service account the role is being created for.
const saAssumeRolePolicy = aws.iam.getPolicyDocumentOutput({
    statements: [{
        actions: ["sts:AssumeRoleWithWebIdentity"],
        conditions: [{
            test: "StringEquals",
            // Only tokens whose subject is exactly this namespace/service-account pair may assume the role.
            values: [pulumi.interpolate`system:serviceaccount:${appsNamespaceName}:${saName}`],
            // The condition key is the issuer host (no scheme) followed by ":sub".
            variable: pulumi.interpolate`${cluster.oidcIssuer}:sub`,
        }],
        effect: "Allow",
        principals: [{
            // The cluster's OIDC provider is the federated principal.
            identifiers: [cluster.oidcProviderArn],
            type: "Federated",
        }],
    }],
});
const saRole = new aws.iam.Role(saName, {
    assumeRolePolicy: saAssumeRolePolicy.json,
});
// Attach the S3 read only access policy.
const saS3Rpa = new aws.iam.RolePolicyAttachment(saName, {
    policyArn: "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
    role: saRole,
});
```

Instead of requiring users to know the exact format, we could create a component that wraps that.

For example:

```typescript
const irsaRole = new eks.IrsaRole("role", {
    cluster: eksCluster, // or cluster name alternatively
    serviceAccounts: [{
        namespace: "default",
        serviceAccount: "my-super-app",
    }],
});
```

Affected area/feature

@flostadler flostadler added the kind/enhancement Improvements or new features label Nov 18, 2024
@pulumi-bot pulumi-bot added the needs-triage Needs attention from the triage team label Nov 18, 2024
@flostadler flostadler added impact/usability Something that impacts users' ability to use the product easily and intuitively and removed needs-triage Needs attention from the triage team labels Nov 18, 2024
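The trust policy that the proposed component would have to generate, as an added example that is neither pulumi-eks code nor the issue author's: a dependency-free TypeScript builder that renders the document from an OIDC provider ARN, the issuer URL and a list of namespace/service-account pairs, plus a linter for the mistakes hand-written trust policies tend to carry (no `aud` pin, a wildcard under `StringEquals`, a subject that matches every service account, a name trusted across all namespaces). It goes beyond the single-service-account case in the issue by accepting several accounts and wildcard names, and unlike the snippet above it also pins `aud` to `sts.amazonaws.com`. The function names (`issuerHost`, `buildIrsaTrustPolicy`, `lintIrsaTrustPolicy`) and the sample ARN, issuer and account id are assumptions; a Pulumi `IrsaRole` component would call the builder inside `pulumi.all([...]).apply(...)` and hand the result to `aws.iam.Role`'s `assumeRolePolicy`.

```typescript
// Added example, not pulumi-eks code: a dependency-free builder for the IRSA trust policy
// an IrsaRole component would render, plus a linter for common hand-written mistakes.
// Function names and every ARN, issuer and account id are constructed for illustration.
interface ServiceAccountRef { namespace: string; serviceAccount: string; }

interface IrsaTrustInput {
  oidcProviderArn: string; // arn:aws:iam::<account>:oidc-provider/<issuer host>
  oidcIssuerUrl: string;   // cluster issuer, with or without the https:// scheme
  serviceAccounts: ServiceAccountRef[];
}

// operator -> condition key -> value, or list of values meaning "any of"
type ConditionMap = { [op: string]: { [key: string]: string | string[] } };

interface TrustPolicy {
  Version: "2012-10-17";
  Statement: { Effect: "Allow"; Principal: { Federated: string };
               Action: "sts:AssumeRoleWithWebIdentity"; Condition: ConditionMap }[];
}

// IRSA condition keys are prefixed with the issuer host without scheme or trailing
// slash, e.g. "oidc.eks.us-west-2.amazonaws.com/id/ABC123:sub".
function issuerHost(issuerUrl: string): string {
  return issuerUrl.replace(/^https?:\/\//i, "").replace(/\/+$/, "");
}

function buildIrsaTrustPolicy(input: IrsaTrustInput): TrustPolicy {
  if (input.serviceAccounts.length === 0) throw new Error("at least one service account is required");
  const issuer = issuerHost(input.oidcIssuerUrl);
  // Federated principal and condition-key prefix must name the same OIDC provider;
  // otherwise the conditions never match, or a mistyped ARN trusts another cluster.
  const arnSuffix = ":oidc-provider/" + issuer;
  if (input.oidcProviderArn.slice(-arnSuffix.length) !== arnSuffix) {
    throw new Error("oidcProviderArn does not match issuer " + issuer);
  }
  const subjects: string[] = [];
  for (const sa of input.serviceAccounts) {
    if (sa.namespace === "*" && sa.serviceAccount === "*") {
      throw new Error("refusing to trust every service account in the cluster");
    }
    subjects.push(`system:serviceaccount:${sa.namespace}:${sa.serviceAccount}`);
  }
  const subKey = `${issuer}:sub`;
  const audKey = `${issuer}:aud`;
  const subValue = subjects.length === 1 ? subjects[0] : subjects;
  // Wildcards only match under StringLike; under StringEquals "*" is a literal character.
  const wildcard = subjects.some(s => /[*?]/.test(s));
  // aud is pinned to sts.amazonaws.com so a projected token minted for another
  // audience (say, an in-cluster service) cannot be exchanged for this role.
  const condition: ConditionMap = wildcard
    ? { StringEquals: { [audKey]: "sts.amazonaws.com" }, StringLike: { [subKey]: subValue } }
    : { StringEquals: { [audKey]: "sts.amazonaws.com", [subKey]: subValue } };
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: input.oidcProviderArn },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: condition,
    }],
  };
}

// Reviewer findings for a trust policy; an empty array means clean.
function lintIrsaTrustPolicy(doc: TrustPolicy): string[] {
  const findings: string[] = [];
  doc.Statement.forEach((st, i) => {
    let subOp = "", subValues: string[] = [], audValues: string[] = [];
    for (const op of Object.keys(st.Condition || {})) {
      for (const key of Object.keys(st.Condition[op])) {
        const raw = st.Condition[op][key];
        const values = Array.isArray(raw) ? raw : [raw];
        if (/:sub$/.test(key)) { subOp = op; subValues = values; }
        if (/:aud$/.test(key)) audValues = values;
      }
    }
    if (!subOp) findings.push(`statement ${i}: no :sub condition, any pod in the cluster can assume the role`);
    if (audValues.indexOf("sts.amazonaws.com") < 0) findings.push(`statement ${i}: :aud is not pinned to sts.amazonaws.com`);
    for (const v of subValues) {
      if (v === "*" || v === "system:serviceaccount:*:*") {
        findings.push(`statement ${i}: :sub value ${v} matches every service account`);
      } else if (subOp === "StringEquals" && /[*?]/.test(v)) {
        findings.push(`statement ${i}: wildcard ${v} under StringEquals never matches, use StringLike`);
      } else if (/^system:serviceaccount:\*:/.test(v)) {
        findings.push(`statement ${i}: ${v} trusts that service account name in every namespace`);
      }
    }
  });
  return findings;
}

// Constructed sample mirroring the issue's example; not a real cluster.
const SAMPLE_INPUT: IrsaTrustInput = {
  oidcProviderArn: "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE1234567890",
  oidcIssuerUrl: "https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE1234567890",
  serviceAccounts: [{ namespace: "default", serviceAccount: "my-super-app" }],
};
const SAMPLE_POLICY = buildIrsaTrustPolicy(SAMPLE_INPUT);
```

Running the linter over a policy shaped like the snippet in the issue (a `sub` condition only) reports the missing `aud` pin; a namespace of `*` is accepted by the builder but flagged by the linter, because anyone who can create a namespace and a service account of that name in the cluster would then be able to assume the role.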
@jkodroff
Member

I cannot possibly upvote this enough.
