Automatically deploy GoDaddy External Secrets Controller for SSM/Secrets Manager in K8s with IAM role for service account
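#!/usr/bin/env bash
#
# Deploy the kubernetes-external-secrets controller (GoDaddy chart) on an EKS
# cluster with an IAM Role for Service Accounts (IRSA), so the controller can
# read values from AWS Secrets Manager and SSM Parameter Store.
#
# Required tools: aws, eksctl, helm.
# Overridable environment: EKS_CLUSTER, AWS_REGION, K8S_NAMESPACE,
#   IAM_ROLE_NAME, EXTERNAL_SECRETS_POLICY.
#
# Shell options live in `set` rather than the shebang so they still apply when
# the file is run as `bash script.sh`.  -u/pipefail catch an empty/undefined
# value before it is interpolated into an IAM document.
set -xeuo pipefail

## SET BASIC VARIABLES (all overridable from the environment)
EKS_CLUSTER="${EKS_CLUSTER:-dev-cluster}"
AWS_REGION="${AWS_REGION:-us-west-2}"
K8S_NAMESPACE="${K8S_NAMESPACE:-default}"
IAM_ROLE_NAME="${IAM_ROLE_NAME:-eksctl-${EKS_CLUSTER}-iamserviceaccount-role}"
EXTERNAL_SECRETS_POLICY="${EXTERNAL_SECRETS_POLICY:-kube-external-secrets}"
readonly EKS_CLUSTER AWS_REGION K8S_NAMESPACE IAM_ROLE_NAME EXTERNAL_SECRETS_POLICY

# Render the IAM documents into a private temp dir (removed on exit) instead of
# leaving policy.json/trust.json behind in the current directory.
workdir=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT

AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
readonly AWS_ACCOUNT_ID

#### CREATE POLICY TO ACCESS SSM/Secrets Manager
# The controller only ever *reads* secrets/parameters, so the policy grants the
# read actions rather than "secretsmanager:*" / "ssm:*" (which would also allow
# creating, overwriting and deleting every secret in the account).
# TODO: narrow "Resource" from "*" to the ARN prefixes this cluster should see.
cat <<EOF > "$workdir/policy.json"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExternalSecretsReadOnly",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": "*"
    }
  ]
}
EOF

# Customer-managed policy ARNs are deterministic, so derive it instead of
# regex-matching the policy name in `aws iam list-policies` (which would also
# match e.g. "kube-external-secrets-old").
EXTERNAL_POLICY_ARN="arn:aws:iam::${AWS_ACCOUNT_ID}:policy/${EXTERNAL_SECRETS_POLICY}"
readonly EXTERNAL_POLICY_ARN

# Create only when absent; a blanket `|| true` would also hide permission
# errors.  NOTE: an already-existing policy keeps its current document — publish
# a new policy version if it still carries the wildcard actions.
if ! aws iam get-policy --policy-arn "$EXTERNAL_POLICY_ARN" >/dev/null 2>&1; then
  aws iam create-policy \
    --policy-name "$EXTERNAL_SECRETS_POLICY" \
    --policy-document "file://${workdir}/policy.json"
fi

### CREATE OIDC PROVIDER FOR SETTING Service Account ROLE IAM
eksctl utils associate-iam-oidc-provider \
  --region="$AWS_REGION" --cluster="$EKS_CLUSTER" --approve

### CREATE IAM ROLE FOR THAT OIDC AND ATTACH EXTERNAL SECRETS POLICY
# Pass --region explicitly so the describe-cluster call targets the same region
# eksctl just used, regardless of the caller's default AWS region.
OIDC_PROVIDER=$(aws eks describe-cluster \
  --region "$AWS_REGION" --name "$EKS_CLUSTER" \
  --query "cluster.identity.oidc.issuer" --output text)
OIDC_PROVIDER=${OIDC_PROVIDER#https://}   # issuer URL without the scheme
readonly OIDC_PROVIDER

# Trust policy: the "sub" condition is scoped to the namespace the chart is
# installed in — "system:serviceaccount:*" would let *any* pod in *any*
# namespace assume this role.  Tighten it further to the exact service account
# name once known (system:serviceaccount:<ns>:<sa>).  The "aud" condition is
# the standard IRSA audience and rejects tokens minted for other audiences.
cat <<EOF > "$workdir/trust.json"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_PROVIDER}:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "${OIDC_PROVIDER}:sub": "system:serviceaccount:${K8S_NAMESPACE}:*"
        }
      }
    }
  ]
}
EOF

# Idempotent: create the role on first run, otherwise re-apply the trust policy
# so re-runs converge on the document above instead of failing under `set -e`.
if aws iam get-role --role-name "$IAM_ROLE_NAME" >/dev/null 2>&1; then
  aws iam update-assume-role-policy \
    --role-name "$IAM_ROLE_NAME" \
    --policy-document "file://${workdir}/trust.json"
else
  aws iam create-role \
    --role-name "$IAM_ROLE_NAME" \
    --assume-role-policy-document "file://${workdir}/trust.json" \
    --description "iam service account role for k8s"
fi
aws iam attach-role-policy \
  --role-name "$IAM_ROLE_NAME" --policy-arn "$EXTERNAL_POLICY_ARN"

# Exact lookup by name; avoids the substring regex match over `list-roles`.
ROLE_IAM_EXT=$(aws iam get-role \
  --role-name "$IAM_ROLE_NAME" --query "Role.Arn" --output text)
readonly ROLE_IAM_EXT

### FINALLY INSTALL EXTERNAL SECRETS CONTROLLER
helm repo add external-secrets https://godaddy.github.io/kubernetes-external-secrets/
helm repo update
# `upgrade --install` keeps the script re-runnable.  The escaped dots keep
# "eks.amazonaws.com/role-arn" as a single annotation key for helm --set.
helm upgrade --install external-secrets external-secrets/kubernetes-external-secrets \
  --namespace="$K8S_NAMESPACE" \
  --set "serviceAccount.annotations.eks\.amazonaws\.com/role-arn=${ROLE_IAM_EXT}" \
  --set securityContext."fsGroup"=65534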