Code samples associated to...
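# Trust policy for the pod role: defines WHO may assume it, and only through
# the cluster's OIDC provider (IAM Roles for Service Accounts).
data "aws_iam_policy_document" "my_pod_role_trusted_identities" {
  statement {
    sid    = "AllowIrsaFromMyServiceAccount"
    effect = "Allow"

    # Only the web-identity flow is trusted; no sts:AssumeRole from IAM principals.
    actions = ["sts:AssumeRoleWithWebIdentity"]

    # Trust exactly the OIDC provider registered for this EKS cluster.
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.eks_cluster.arn]
    }

    # Pin the caller to a single Kubernetes service account (namespace:name).
    # The condition key is the issuer URL with the scheme stripped, e.g.
    # "oidc.eks.<region>.amazonaws.com/id/<ID>:sub". The original text stripped
    # "https:#" instead of "https://", which never matches the URL, leaving the
    # key malformed; as written the condition could not be satisfied by any
    # token and the role would be unassumable.
    condition {
      test     = "StringEquals"
      variable = "${replace(aws_iam_openid_connect_provider.eks_cluster.url, "https://", "")}:sub"
      values   = ["system:serviceaccount:default:my-serviceaccount"]
    }

    # Also pin the token audience so a token minted for another audience cannot
    # be replayed against this role. The value must match the OIDC provider's
    # client_id_list (EKS IRSA uses "sts.amazonaws.com" by default) — confirm
    # against the aws_iam_openid_connect_provider.eks_cluster definition.
    condition {
      test     = "StringEquals"
      variable = "${replace(aws_iam_openid_connect_provider.eks_cluster.url, "https://", "")}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}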
# IAM role the pod assumes via IRSA; trust policy and permissions are attached here.
resource "aws_iam_role" "my_pod_role" {
  name = "my-pod-role"

  # WHO may assume the role: the trust policy document declared in this file.
  assume_role_policy = data.aws_iam_policy_document.my_pod_role_trusted_identities.json

  # WHAT the role may do once assumed: the permissions document declared in this file.
  # NOTE(review): newer AWS provider releases deprecate inline_policy in favour of
  # a separate aws_iam_role_policy resource — confirm against the pinned provider version.
  inline_policy {
    name   = "s3ListAllMyBuckets"
    policy = data.aws_iam_policy_document.my_pod_role_policy.json
  }
}
# Permissions granted to the pod role: enumerate the account's buckets, nothing else.
data "aws_iam_policy_document" "my_pod_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["s3:ListAllMyBuckets"]

    # s3:ListAllMyBuckets is an account-level action that does not take a bucket
    # ARN, so "*" is the only resource it accepts; it grants no access to bucket
    # contents or to per-bucket listing.
    resources = ["*"]
  }
}