AWS IAM Roles for Service Accounts (IRSA)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::MY_AWS_ACCOUNT_ID:oidc-provider/MY_PROVIDER_URL"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc-metadata.dt.ag-dev.shoot.canary.k8s-hana.ondemand.com:aud": "sts.amazonaws.com",
          "oidc-metadata.dt.ag-dev.shoot.canary.k8s-hana.ondemand.com:sub": "system:serviceaccount:lolcat-test:aws-cli"
        }
      }
    }
  ]
}
#
# Mint a token by hand for testing; the audience must match the "aud" condition
# in the role's trust policy (sts.amazonaws.com):
#
# kubectl create token -n lolcat-test aws-cli --duration=1h --audience=sts.amazonaws.com
#
apiVersion: v1
kind: Namespace
metadata:
  name: lolcat-test
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-cli
  namespace: lolcat-test
---
apiVersion: v1
kind: Pod
metadata:
  name: aws-cli-1
  namespace: lolcat-test
spec:
  serviceAccountName: aws-cli
  containers:
  - name: aws-cli
    image: amazon/aws-cli
    command:
    - sleep
    - "360000"
    env:
    # The AWS SDK/CLI reads these two variables and calls AssumeRoleWithWebIdentity itself.
    - name: AWS_ROLE_ARN
      value: arn:aws:iam::MY_AWS_ACCOUNT_ID:role/MY_IAM_ROLE_NAME
    - name: AWS_WEB_IDENTITY_TOKEN_FILE
      value: /var/run/secrets/aws/serviceaccount/token
    volumeMounts:
    - mountPath: /var/run/secrets/aws/serviceaccount
      name: aws-iam-token
      readOnly: true
  volumes:
  - name: aws-iam-token
    projected:
      defaultMode: 420
      sources:
      # Kubelet issues a short-lived token bound to this pod with the STS audience.
      - serviceAccountToken:
          audience: sts.amazonaws.com
          expirationSeconds: 1200
          path: token
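Added example, not part of the gist: a small Python pre-flight check that decodes a projected service-account token and applies the same issuer, audience, subject and expiry matching that STS performs against the trust policy above. The token builder, the unsigned sample token and the key id are constructed test inputs; signature verification is deliberately left to STS.

```python
import base64
import json
import time

# Condition block from the gist's trust policy; the issuer host is the cluster's OIDC provider URL.
ISSUER_HOST = "oidc-metadata.dt.ag-dev.shoot.canary.k8s-hana.ondemand.com"
TRUST_CONDITION = {
    ISSUER_HOST + ":aud": "sts.amazonaws.com",
    ISSUER_HOST + ":sub": "system:serviceaccount:lolcat-test:aws-cli",
}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims):
    """Constructed, UNSIGNED JWT shaped like a projected service-account token (test input only)."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return ".".join([header, _b64url(json.dumps(claims).encode()), "constructed-signature"])

def token_claims(token):
    """Decode the payload without checking the signature (STS verifies it against the issuer's JWKS)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def evaluate_trust(claims, condition, now=None):
    """Mirror the checks STS applies for AssumeRoleWithWebIdentity; return a list of failure reasons."""
    now = time.time() if now is None else now
    failures = []
    if claims.get("exp", 0) <= now:
        failures.append("token is expired")
    # Condition keys are "<provider-host>:<claim>"; the iss claim must name that provider.
    iss_host = claims.get("iss", "").replace("https://", "", 1).rstrip("/")
    for host in sorted({k.rsplit(":", 1)[0] for k in condition} - {iss_host}):
        failures.append("iss %r is not the trusted provider %s" % (claims.get("iss"), host))
    for key, expected in condition.items():
        claim = key.rsplit(":", 1)[1]
        actual = claims.get(claim)
        present = actual if isinstance(actual, list) else [actual]  # aud may be a list
        if expected not in present:
            failures.append("%s: policy expects %r, token carries %r" % (claim, expected, actual))
    return failures

if __name__ == "__main__":
    good = {"iss": "https://" + ISSUER_HOST, "aud": ["sts.amazonaws.com"],
            "sub": "system:serviceaccount:lolcat-test:aws-cli", "exp": int(time.time()) + 1200}
    print(evaluate_trust(token_claims(make_token(good)), TRUST_CONDITION))  # []
    # A token minted for audience sts.amazon.com instead of sts.amazonaws.com is rejected on aud:
    print(evaluate_trust(token_claims(make_token(dict(good, aud=["sts.amazon.com"]))), TRUST_CONDITION))
```

To run it against a real projected token, pass the contents of /var/run/secrets/aws/serviceaccount/token to token_claims instead of make_token.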