
Creation of IAM Roles with trust policy for Cluster's OIDC Provider #1042

Open

vpopiolrccl opened this issue Jul 14, 2024 · 3 comments
@vpopiolrccl

Describe the feature

When creating a cluster and provisioning IAM roles using the CreateRoleProvider, it would be great to be able to provide a trust policy for the cluster's OIDC provider.

Alternatively, the roles could be created in a separate task, but how could the cluster's OIDC provider be accessed to build the trust policy?

Use Case

For workloads to be deployed to the clusters, there will be service accounts that will be annotated with IAM roles that specify the permissions for those workloads. Those roles could be created as part of the cluster's blueprint, with a trust policy for the cluster's OIDC provider.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request

CDK version used

2.146.0

EKS Blueprints Version

1.15.1

Node.js Version

21.6.1

Environment details (OS name and version, etc.)

MacOS 14.5

@shapirov103
Collaborator

@vpopiolrccl The assumedBy parameter to the constructor defines the trust policy for roles. You can use CompositePrincipal to add more than a single principal. According to the CDK documentation, you can further tweak the trust policy by accessing the assumeRolePolicy post creation; this will require creating a subclass of CreateRoleProvider and overriding the provider method.
For IRSA or Pod Identity you can use the EKS Pod Identity add-on and use roles without the OIDC trust relationship with pods.

Hope it helps.

@vpopiolrccl
Author

Thanks so much, @shapirov103. I ended up using an extended CreateRoleProvider, and inside the provider I'm using the eks.CfnPodIdentityAssociation construct to associate the role with a service account.

@JonVDB

JonVDB commented Aug 6, 2024

Thanks so much, @shapirov103. I ended up using an extended CreateRoleProvider, and inside the provider I'm using the eks.CfnPodIdentityAssociation construct to associate the role with a service account.

@vpopiolrccl Hey! Do you happen to have an example of this extended CreateRoleProvider with eks.CfnPodIdentityAssociation that you are using? I have a similar issue.
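As an added example (not code from this issue or from cdk-eks-blueprints), the two trust-policy shapes the thread discusses, written out as plain IAM policy documents: the IRSA trust on the cluster's OIDC provider that the issue asks about, scoped to one service account through the sub and aud conditions, and the EKS Pod Identity trust the maintainer points to, which references no OIDC provider at all. The account id, OIDC provider id, namespace and service-account name are constructed values; in CDK these documents are what a role's assumeRolePolicy ends up containing.

```typescript
// Added example, not from the issue or cdk-eks-blueprints; all ARNs and names are constructed.
type Statement = { Effect: "Allow"; Principal: Record<string, string>; Action: string | string[];
  Condition?: Record<string, Record<string, string>> };
type TrustPolicy = { Version: "2012-10-17"; Statement: Statement[] };

// IRSA: the role trusts the cluster's OIDC provider (Federated principal). The sub condition
// pins the role to one namespace/service account and aud to the STS audience; without the sub
// condition any pod in the cluster that can get a projected token could assume the role.
function irsaTrustPolicy(oidcProviderArn: string, namespace: string, serviceAccount: string): TrustPolicy {
  // Condition keys use the issuer host/path, i.e. the ARN part after "oidc-provider/".
  const issuer = oidcProviderArn.split("oidc-provider/")[1];
  if (!issuer) throw new Error(`not an IAM OIDC provider ARN: ${oidcProviderArn}`);
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: oidcProviderArn },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: {
        StringEquals: {
          [`${issuer}:sub`]: `system:serviceaccount:${namespace}:${serviceAccount}`,
          [`${issuer}:aud`]: "sts.amazonaws.com",
        },
      },
    }],
  };
}

// EKS Pod Identity: the role trusts the pods.eks.amazonaws.com service principal and must allow
// sts:TagSession as well as sts:AssumeRole. No OIDC provider appears, so the role can exist
// before the cluster does; the binding to a namespace/service account is made by the pod
// identity association (eks.CfnPodIdentityAssociation in CDK), not by the trust policy.
function podIdentityTrustPolicy(): TrustPolicy {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Service: "pods.eks.amazonaws.com" },
      Action: ["sts:AssumeRole", "sts:TagSession"],
    }],
  };
}

// Review check for IRSA roles: every Federated statement must carry a StringEquals sub condition
// naming a single service account (no wildcard); otherwise the trust is effectively cluster-wide.
function irsaScopedToServiceAccount(policy: TrustPolicy): boolean {
  return policy.Statement.every((s) => {
    if (s.Principal.Federated === undefined) return true; // not an OIDC statement
    const sub = Object.entries(s.Condition?.StringEquals ?? {}).find(([k]) => k.endsWith(":sub"));
    return sub !== undefined && sub[1].startsWith("system:serviceaccount:") && !sub[1].includes("*");
  });
}
```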
