Set up the IAM role like so:
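# IAM role that the Kubernetes service account assumes through IRSA
# (OIDC web identity federation against the cluster's OIDC provider).
resource "aws_iam_role" "role" {
  name = "${var.env}-${var.service}"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        Action = "sts:AssumeRoleWithWebIdentity"
        Principal = {
          Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.eks_oidc_issuer}"
        }
        # Without a Condition, every service account in the cluster (any namespace)
        # that gets a token from this OIDC issuer could assume the role. Pin the
        # trust to the one service account declared below, whose namespace and
        # name are both var.service, and to the STS audience.
        Condition = {
          StringEquals = {
            "${local.eks_oidc_issuer}:sub" = "system:serviceaccount:${var.service}:${var.service}"
            "${local.eks_oidc_issuer}:aud" = "sts.amazonaws.com"
          }
        }
      },
    ]
  })
}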
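# Permissions attached to the service's IRSA role.
# The original statement used Resource = "*", which allows these S3 actions on
# every bucket in the account. Scope them to the bucket the service uses:
# s3:ListBucket is a bucket-level action (bucket ARN), the object actions are
# object-level (bucket ARN + "/*"). The bucket name is not given on this page,
# so the ARNs below carry an obviously labelled placeholder to fill in.
resource "aws_iam_policy" "policy" {
  name = "${var.env}-${var.service}"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "BucketList"
        Effect   = "Allow"
        Action   = ["s3:ListBucket"]
        Resource = "arn:aws:s3:::REPLACE_WITH_BUCKET_NAME" # placeholder
      },
      {
        Sid    = "ObjectReadWrite"
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject",
        ]
        Resource = "arn:aws:s3:::REPLACE_WITH_BUCKET_NAME/*" # placeholder
      },
    ]
  })
}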
# Bind the S3 policy to the IRSA role. Attributes reference the two resources
# above by name/ARN so Terraform orders the creation correctly.
resource "aws_iam_role_policy_attachment" "attachment" {
  policy_arn = aws_iam_policy.policy.arn
  role       = aws_iam_role.role.name
}
Create the service account:
# Kubernetes service account annotated with the role ARN; the EKS pod identity
# webhook reads this annotation to inject web-identity credentials into pods
# that run as this service account.
resource "kubernetes_service_account" "this" {
  # NOTE(review): this mounts the Kubernetes API token into every pod using the
  # account. IRSA does not depend on it; if the app never calls the Kubernetes
  # API, consider setting it to false — confirm with the app owner.
  automount_service_account_token = true

  metadata {
    # Namespace and name are both var.service; the namespace is assumed to exist
    # already (it is not created on this page).
    namespace = var.service
    name      = var.service

    annotations = {
      "eks.amazonaws.com/role-arn" = aws_iam_role.role.arn
    }
  }
}
data.tf
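# The original declared data "aws_eks_cluster" "cluster" twice under the same
# name, which Terraform rejects as a duplicate; it is looked up once here.
data "aws_eks_cluster" "cluster" {
  name = "${var.cluster_env}-${var.cluster_name}"
}

# Short-lived authentication token used by the kubernetes provider.
data "aws_eks_cluster_auth" "auth" {
  name = "${var.cluster_env}-${var.cluster_name}"
}

# Account ID used to build the OIDC provider ARN in the role trust policy.
data "aws_caller_identity" "current" {}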
locals.tf
locals {
  # Full OIDC issuer URL as reported by the cluster.
  eks_oidc_issuer_url = data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer

  # Same issuer without the scheme, the form used in the OIDC provider ARN and
  # in trust-policy condition keys.
  eks_oidc_issuer = trimprefix(local.eks_oidc_issuer_url, "https://")
}
providers.tf
# Kubernetes provider configured from the EKS data sources: endpoint and CA
# come from the cluster lookup, the bearer token from aws_eks_cluster_auth.
provider "kubernetes" {
  token                  = data.aws_eks_cluster_auth.auth.token
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
  host                   = data.aws_eks_cluster.cluster.endpoint
}
Configure the app to use the service account
# Deployment that runs under the IRSA-enabled service account.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: references
  namespace: references
  labels:
    app: references
spec:
  replicas: 1
  selector:
    matchLabels:
      app: references
  template:
    metadata:
      labels:
        app: references
    spec:
      # Must match the kubernetes_service_account name (var.service) and be in
      # the same namespace; otherwise the role-arn annotation never reaches the pod.
      serviceAccountName: references
      containers:
        - name: references
          # NOTE(review): untagged image resolves to the mutable "latest" tag;
          # pin a version or digest. Presumably a placeholder image — confirm.
          image: nginx
          # NOTE(review): no resources or securityContext are set here.
          ports:
            - containerPort: 8501