README.md

File metadata and controls

70 lines (58 loc) · 1.42 KB

Terraform module that creates an IAM role for use with AWS IAM Roles for Service Accounts (IRSA).

Usage

module "iam_role" {
  # Git source of the module. Pinning it to a release tag or commit with a
  # "?ref=" suffix keeps later upstream changes from silently altering what
  # gets applied.
  source                    = "https://github.com/Ticketmaster/terraform-module-eks-iam-role.git"

  # Cluster and Kubernetes service account the role is bound to.
  eks_cluster_name          = "my-eks-cluster"
  service_account_namespace = "default"
  service_account_name      = "myapp-serviceaccount"

  # Name of the IAM role and the permissions policy (JSON) attached to it.
  role_name                 = "my-cross-account-role"
  iam_policy                = "${data.aws_iam_policy_document.example.json}"
}

data "aws_iam_policy_document" "example" {
  # Account-wide bucket listing.
  statement {
    sid       = "1"
    resources = ["arn:aws:s3:::*"]
    actions   = ["s3:ListAllMyBuckets", "s3:GetBucketLocation"]
  }

  # Listing of the bucket, limited to the caller's home prefix.
  # NOTE(review): aws:username is populated for IAM-user principals; IRSA
  # credentials are role sessions, so a statement built on it may never match
  # (granting nothing rather than failing loudly). Confirm against the
  # credentials your pods actually receive before relying on this pattern.
  statement {
    resources = ["arn:aws:s3:::${var.s3_bucket_name}"]
    actions   = ["s3:ListBucket"]

    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["", "home/", "home/&{aws:username}/"]
    }
  }

  # Object access under the caller's home prefix (same aws:username caveat).
  # "s3:*" is broad; narrow it to the verbs the workload needs.
  statement {
    resources = [
      "arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}",
      "arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}/*",
    ]
    actions = ["s3:*"]
  }
}

You'll also need to create a service account in your cluster:

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::AWS_ACCOUNT_ID:role/IAM_ROLE_NAME