
generate and specify safe role name
paulineribeyre committed Mar 28, 2024
1 parent 6a98508 commit 251283c
Showing 2 changed files with 20 additions and 11 deletions.
25 changes: 17 additions & 8 deletions gen3/bin/iam-serviceaccount.sh
Expand Up @@ -115,16 +115,16 @@ EOF
# @return the resulting json from awscli
##
function create_role(){
local role_name="${vpc_name}-${SERVICE_ACCOUNT_NAME}-role"
local role_name="${1}"
if [[ ${#role_name} -gt 63 ]]; then
role_name=$(echo "$role_name" | head -c63)
gen3_log_warning "Role name has been truncated, due to amazon role name 64 character limit. New role name is $role_name"
fi
local assume_role_policy_path="$(create_assume_role_policy)"

gen3_log_info "Entering create_role"
gen3_log_info " ${role_name}"
gen3_log_info " ${assume_role_policy_path}"
gen3_log_info " Role: ${role_name}"
gen3_log_info " Policy path: ${assume_role_policy_path}"

local role_json
role_json=$(aws iam create-role \
Expand Down Expand Up @@ -156,8 +156,8 @@ function add_policy_to_role(){
local role_name="${2}"

gen3_log_info "Entering add_policy_to_role"
gen3_log_info " ${policy}"
gen3_log_info " ${role_name}"
gen3_log_info " Policy: ${policy}"
gen3_log_info " Role: ${role_name}"

local result
if [[ ${policy} =~ arn:aws:iam::aws:policy/[a-zA-Z0-9]+ ]]
Expand Down Expand Up @@ -198,8 +198,8 @@ function create_role_with_policy() {
local role_name="${2}"

gen3_log_info "Entering create_role_with_policy"
gen3_log_info " ${policy}"
gen3_log_info " ${role_name}"
gen3_log_info " Policy: ${policy}"
gen3_log_info " Role: ${role_name}"

local created_role_json
created_role_json="$(create_role ${role_name})" || return $?
Expand Down Expand Up @@ -357,7 +357,10 @@ function main() {

local policy_validation
local policy_source
local role_name="${vpc_name}-${SERVICE_ACCOUNT_NAME}-role"
local role_name=$ROLE_NAME
if [ -z "${role_name}" ]; then
role_name="${vpc_name}-${SERVICE_ACCOUNT_NAME}-role"
fi

if [ -z ${NAMESPACE_SCRIPT} ];
then
Expand Down Expand Up @@ -481,6 +484,12 @@ while getopts "$OPTSPEC" optchar; do
ACTION="c"
SERVICE_ACCOUNT_NAME=${OPTARG#*=}
;;
role-name)
ROLE_NAME="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
;;
role-name=*)
ROLE_NAME=${OPTARG#*=}
;;
list)
ACTION="l"
SERVICE_ACCOUNT_NAME="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
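Review bot: The value collected by the new `role-name` / `role-name=*` arms is handed to `aws iam create-role` without any check that it is a legal IAM role name; in the `@@ -357` hunk, right after the `ROLE_NAME` fallback, a guard such as `[[ "$role_name" =~ ^[A-Za-z0-9+=,.@_-]{1,64}$ ]] || { gen3_log_err "invalid role name: ${role_name}"; return 1; }` would fail fast with a clear message instead of leaving the rejection to awscli. The `head -c63` truncation in `create_role` only changes that function's local copy, so a `--role-name` longer than 63 characters is created under a shortened name while `main` and `create_role_with_policy` keep the full one, and the later policy attachment presumably targets a role that does not exist. Because the name is now caller-supplied, the unquoted call `create_role ${role_name}` in `create_role_with_policy` should become `create_role "${role_name}"`. `main` and `create_role_with_policy` both continue outside their hunks.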
6 changes: 3 additions & 3 deletions gen3/bin/kube-setup-ecr-access-cronjob.sh
Expand Up @@ -12,7 +12,7 @@ setup_ecr_access_job() {
return 1
fi

local saName=$(gen3 api safe-name ecr-access-job-sa | head -c63)
local saName="ecr-access-job-sa"
if ! g3kubectl get sa "$saName" > /dev/null 2>&1; then
tempFile="ecr-access-job-policy.json"
cat - > $tempFile <<EOM
Expand All @@ -38,8 +38,8 @@ setup_ecr_access_job() {
]
}
EOM
local role_name
if ! role_name="$(gen3 iam-serviceaccount -c "${saName}" -p $tempFile)" || [[ -z "$role_name" ]]; then
local safe_role_name=$(gen3 api safe-name ${saName}-role | head -c63)
if ! role_name="$(gen3 iam-serviceaccount -c "${saName}" -p $tempFile --role-name $safe_role_name)" || [[ -z "$role_name" ]]; then
gen3_log_err "Failed to create iam service account"
rm $tempFile
return 1
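Review bot: The `@@ -38` hunk drops `local role_name` without re-declaring it, so the `role_name=` assignment inside the `if !` now writes a variable that is no longer scoped to `setup_ecr_access_job` and leaks into the caller's shell; declaring both names together, `local role_name safe_role_name`, restores the previous scoping. `local safe_role_name=$(gen3 api safe-name ${saName}-role | head -c63)` also hides a failing `gen3 api safe-name` behind `local`'s own exit status, and since `$safe_role_name` is then expanded unquoted, an empty result leaves `--role-name` as the last argument with no value, so the script presumably falls through to its default role name instead of stopping. Assign on its own line, quote both expansions (`"${saName}-role"` and `--role-name "$safe_role_name"`), and add `[[ -n "$safe_role_name" ]] || return 1` before the `gen3 iam-serviceaccount` call. `setup_ecr_access_job` starts before the first hunk and continues past this one.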

