EKS IAM Role Assume Role Policy for Kubernetes Service Accounts
This Terraform module generates the assume role (trust) policy for an IAM Role so that the role can be assumed by Kubernetes Service Accounts through IAM Roles for Service Accounts (IRSA). It requires an EKS cluster that supports IRSA, i.e. one whose OpenID Connect provider has been registered with IAM; the policy trusts that provider and scopes which Service Accounts may assume the role.
See the corresponding section of the eks-cluster-control-plane module README for information on how to set up IRSA and how it works.
Sample Usage

Terraform

```hcl
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EKS-IAM-ROLE-ASSUME-ROLE-POLICY-FOR-SERVICE-ACCOUNT MODULE
# ------------------------------------------------------------------------------------------------------

module "eks_iam_role_assume_role_policy_for_service_account" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-iam-role-assume-role-policy-for-service-account?ref=v0.72.0"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # ARN of the OpenID Connect Provider provisioned for the EKS cluster.
  eks_openid_connect_provider_arn = <string>

  # URL of the OpenID Connect Provider provisioned for the EKS cluster.
  eks_openid_connect_provider_url = <string>

  # The Kubernetes Namespaces that are allowed to assume the attached IAM Role.
  # Set only one of `var.namespaces` or `var.service_accounts`. If both are set,
  # the generated conditions may be impossible to satisfy. If both are null, the
  # policy allows every Service Account in every namespace of the cluster to
  # assume the role, so treat null/null as a misconfiguration unless that is
  # intended.
  namespaces = <list(string)>

  # The Kubernetes Service Accounts that are allowed to assume the attached IAM
  # Role. Set only one of `var.namespaces` or `var.service_accounts`. If both are
  # set, the generated conditions may be impossible to satisfy. If both are null,
  # the policy allows every Service Account in every namespace of the cluster to
  # assume the role.
  service_accounts = <list(object(
    name      = string
    namespace = string
  ))>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # The string operator to use when evaluating the AWS IAM condition for
  # determining which Service Accounts are allowed to assume the IAM role.
  # Examples: StringEquals, StringLike, etc. Under StringEquals a `*` in a
  # Service Account name is matched literally; use StringLike if you need
  # wildcards.
  service_accounts_condition_operator = "StringEquals"

}
```

Terragrunt

```hcl
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EKS-IAM-ROLE-ASSUME-ROLE-POLICY-FOR-SERVICE-ACCOUNT MODULE
# ------------------------------------------------------------------------------------------------------

terraform {
  source = "git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-iam-role-assume-role-policy-for-service-account?ref=v0.72.0"
}

inputs = {

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # ARN of the OpenID Connect Provider provisioned for the EKS cluster.
  eks_openid_connect_provider_arn = <string>

  # URL of the OpenID Connect Provider provisioned for the EKS cluster.
  eks_openid_connect_provider_url = <string>

  # The Kubernetes Namespaces that are allowed to assume the attached IAM Role.
  # Set only one of `var.namespaces` or `var.service_accounts`. If both are set,
  # the generated conditions may be impossible to satisfy. If both are null, the
  # policy allows every Service Account in every namespace of the cluster to
  # assume the role, so treat null/null as a misconfiguration unless that is
  # intended.
  namespaces = <list(string)>

  # The Kubernetes Service Accounts that are allowed to assume the attached IAM
  # Role. Set only one of `var.namespaces` or `var.service_accounts`. If both are
  # set, the generated conditions may be impossible to satisfy. If both are null,
  # the policy allows every Service Account in every namespace of the cluster to
  # assume the role.
  service_accounts = <list(object(
    name      = string
    namespace = string
  ))>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # The string operator to use when evaluating the AWS IAM condition for
  # determining which Service Accounts are allowed to assume the IAM role.
  # Examples: StringEquals, StringLike, etc. Under StringEquals a `*` in a
  # Service Account name is matched literally; use StringLike if you need
  # wildcards.
  service_accounts_condition_operator = "StringEquals"

}
```
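The trust policy this module produces is the boundary that decides which Pods can obtain the role's credentials, so it is worth seeing what a correctly scoped one looks like and how to catch the two failure modes the variable descriptions warn about (neither scoping input set, and conditions that can never match). The Python below is an added example, not the module's own code: it builds a web identity trust policy of the shape the module's inputs describe (a Federated principal of the OIDC provider, `sts:AssumeRoleWithWebIdentity`, and a condition on the issuer's `:sub` claim) and audits a policy document for over-broad or unsatisfiable statements. The refusal to accept both inputs at once, the `StringLike` pattern used for namespace scoping, the `:aud` pin to `sts.amazonaws.com`, and the provider ARN and URL are this example's own assumptions and constructed placeholders, not documented behaviour of the module.

```python
"""Build and audit an IRSA trust policy of the shape this module's inputs describe.

Added example, not the module's own code. The provider ARN/URL are constructed
placeholders; the audience pin and the both-inputs check are assumptions made here.
"""
import json
from typing import Iterable, Mapping, Optional

# Constructed placeholders (not a real account or cluster).
EXAMPLE_PROVIDER_URL = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
EXAMPLE_PROVIDER_ARN = (
    "arn:aws:iam::111122223333:oidc-provider/"
    "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
)
AUDIENCE = "sts.amazonaws.com"  # `aud` claim in the service account tokens EKS projects into Pods


def issuer_host(provider_url: str) -> str:
    """IAM condition keys are `<issuer URL without scheme>:sub` and `<...>:aud`."""
    return provider_url.removeprefix("https://").removeprefix("http://").rstrip("/")


def irsa_trust_policy(
    provider_arn: str,
    provider_url: str,
    namespaces: Optional[Iterable[str]] = None,
    service_accounts: Optional[Iterable[Mapping[str, str]]] = None,
    operator: str = "StringEquals",
) -> dict:
    """Return an assume role policy scoped the way the module's inputs describe.

    This example refuses both inputs at once rather than emitting conditions that
    may be impossible to satisfy, and always pins the token audience (assumption).
    """
    if namespaces is not None and service_accounts is not None:
        raise ValueError("set namespaces or service_accounts, not both")
    host = issuer_host(provider_url)
    condition: dict = {"StringEquals": {f"{host}:aud": AUDIENCE}}
    if service_accounts is not None:
        # Exact subjects of the form system:serviceaccount:<namespace>:<name>.
        condition.setdefault(operator, {})[f"{host}:sub"] = [
            f"system:serviceaccount:{sa['namespace']}:{sa['name']}" for sa in service_accounts
        ]
    elif namespaces is not None:
        # Namespace scoping needs a wildcard, so it must use StringLike, not StringEquals.
        condition.setdefault("StringLike", {})[f"{host}:sub"] = [
            f"system:serviceaccount:{ns}:*" for ns in namespaces
        ]
    # With neither input the statement carries no :sub condition at all (the null/null case).
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def audit_trust_policy(policy: dict) -> list:
    """Flag over-broad or unsatisfiable web identity trust statements in a policy document."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        subs, has_aud = [], False
        for op, keys in stmt.get("Condition", {}).items():
            for key, values in keys.items():
                for value in ([values] if isinstance(values, str) else values):
                    if key.endswith(":sub"):
                        subs.append((op, value))
                    elif key.endswith(":aud"):
                        has_aud = True
        if not subs:
            findings.append("no :sub condition: any service account in the cluster can assume this role")
        if not has_aud:
            findings.append("no :aud condition: audience is not pinned to sts.amazonaws.com")
        for op, value in subs:
            if op.startswith("StringLike") and (value == "*" or value.startswith("system:serviceaccount:*")):
                findings.append(f"wildcard namespace in :sub ({value}): every namespace is trusted")
            if op.startswith("StringEquals") and "*" in value:
                findings.append(f"'*' under StringEquals is literal, not a wildcard ({value}): nothing will match")
    return findings


if __name__ == "__main__":
    scoped = irsa_trust_policy(
        EXAMPLE_PROVIDER_ARN, EXAMPLE_PROVIDER_URL,
        service_accounts=[{"name": "payments-api", "namespace": "payments"}],
    )
    print(json.dumps(scoped, indent=2))
    # The null/null case from the variable descriptions: no :sub condition, one finding.
    print(audit_trust_policy(irsa_trust_policy(EXAMPLE_PROVIDER_ARN, EXAMPLE_PROVIDER_URL)))
```

To audit a role that already exists, feed `audit_trust_policy` the output of `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument`, which the CLI returns as decoded JSON; an empty findings list means the role is pinned to named subjects and the STS audience.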
Reference

Inputs

Required

eks_openid_connect_provider_arn
string
ARN of the OpenID Connect Provider provisioned for the EKS cluster.

eks_openid_connect_provider_url
string
URL of the OpenID Connect Provider provisioned for the EKS cluster.

namespaces
list(string)
The Kubernetes Namespaces that are allowed to assume the attached IAM Role. Set only one of `namespaces` or `service_accounts`. If both are set, the generated conditions may be impossible to satisfy. If both are null, the policy allows every Service Account in every namespace of the cluster to assume the role; treat null/null as a misconfiguration unless that is intended.

service_accounts
list(object({
  name      = string
  namespace = string
}))
The Kubernetes Service Accounts that are allowed to assume the attached IAM Role. Set only one of `namespaces` or `service_accounts`. If both are set, the generated conditions may be impossible to satisfy. If both are null, the policy allows every Service Account in every namespace of the cluster to assume the role.

Optional

service_accounts_condition_operator
string
Default: "StringEquals"
The string operator to use when evaluating the AWS IAM condition for determining which Service Accounts are allowed to assume the IAM role. Examples: StringEquals, StringLike, etc. Under StringEquals a `*` in a Service Account name is matched literally, so use StringLike if you need wildcards.

Outputs

JSON value for the IAM Role Assume Role Policy that allows the selected Kubernetes Service Accounts to inherit the IAM Role. Pass it as the assume role policy of the IAM Role you want the Service Accounts to use.