This module creates an IAM role which can be assumed by pods in your cluster, providing access to AWS resources for your application. Without creating a role for your service account, your pods will be limited to the permissions available to the nodes running in the cluster.
Roles created by this module are IAM roles suitable for use in an EKS cluster using IRSA (IAM Roles for Service Accounts). This module relies on Flightdeck's SSM parameter conventions to find the OIDC provider for the assigned clusters.
To use this role, you must provide:
- A list of cluster names from which this role will be assumable
- A list of service account names in `namespace:serviceaccount` format
- A unique name for the created IAM role
Additionally, you may provide policy documents which will be attached directly to the role as an inline policy, as well as ARNs for managed policies.
Example:
```hcl
module "role" {
  source = "github.com/thoughtbot/flightdeck//aws/service-account-role"

  # Must match the names of clusters created using the [cluster module]
  cluster_names = ["mycluster-production-v1", "mycluster-production-v2"]

  name             = "myservice-production"
  service_accounts = ["myservice-production:myservice"]

  # If you have modules which produce managed policies, you can attach them here
  managed_policy_arns = [
    module.custom.policy_arn
  ]
}
```
You can combine this module with the service account policy module to grant access to AWS services for your pods.
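The security-relevant part of a role like this is its trust policy: the role must only be assumable by tokens issued by the listed clusters' OIDC providers, and only for the exact `namespace:serviceaccount` pairs given. The following is an added example, not code from the Flightdeck module, showing the standard IRSA trust-policy shape (a `Federated` principal per OIDC issuer with `StringEquals` conditions on the token's `sub` and `aud` claims) and a small evaluator that mimics how STS checks a web-identity token against it. The account ID, issuer URLs and the exact condition set (in particular the `aud` check) are assumptions for illustration; the module's own `aws_iam_policy_document.assume_role` may differ in detail.

```python
"""Added example (not part of the Flightdeck module): build an IRSA trust policy
and evaluate sample web-identity token claims against it."""
import json

# Constructed inputs standing in for what the module reads from variables/SSM.
ACCOUNT_ID = "123456789012"  # placeholder account id
OIDC_ISSUERS = [  # placeholder issuer hostpaths (scheme stripped, as IAM expects)
    "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE1",
    "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE2",
]
SERVICE_ACCOUNTS = ["myservice-production:myservice"]


def provider_arn(account_id: str, issuer: str, partition: str = "aws") -> str:
    """ARN of the IAM OIDC identity provider registered for a cluster issuer."""
    return f"arn:{partition}:iam::{account_id}:oidc-provider/{issuer}"


def assume_role_policy(account_id: str, issuers: list, service_accounts: list) -> dict:
    """One Allow statement per cluster OIDC issuer. Each statement is limited to
    the listed namespace:serviceaccount pairs via the token's `sub` claim and to
    the STS audience via `aud`, so a token from any other pod, namespace or
    cluster cannot assume the role."""
    subs = [f"system:serviceaccount:{sa}" for sa in service_accounts]
    statements = []
    for issuer in issuers:
        statements.append({
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn(account_id, issuer)},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    f"{issuer}:aud": "sts.amazonaws.com",
                    f"{issuer}:sub": subs,
                }
            },
        })
    return {"Version": "2012-10-17", "Statement": statements}


def token_may_assume(policy: dict, claims: dict) -> bool:
    """Approximation of STS evaluation: the token's issuer must match a
    Federated principal, and every StringEquals condition on that statement
    must hold for the token's claims (string or list-of-strings values)."""
    issuer = claims["iss"].removeprefix("https://")
    for stmt in policy["Statement"]:
        if not stmt["Principal"]["Federated"].endswith(f"oidc-provider/{issuer}"):
            continue  # statement is for a different cluster's provider
        conditions = stmt["Condition"]["StringEquals"]
        satisfied = True
        for key, expected in conditions.items():
            claim_name = key.rsplit(":", 1)[1]  # "<issuer>:sub" -> "sub"
            allowed = expected if isinstance(expected, list) else [expected]
            if claims.get(claim_name) not in allowed:
                satisfied = False
                break
        if satisfied:
            return True
    return False


if __name__ == "__main__":
    policy = assume_role_policy(ACCOUNT_ID, OIDC_ISSUERS, SERVICE_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    # Constructed token claims: the intended service account on cluster 1.
    good = {
        "iss": "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE1",
        "sub": "system:serviceaccount:myservice-production:myservice",
        "aud": "sts.amazonaws.com",
    }
    # Same service account name but a different namespace: must be refused.
    other_ns = dict(good, sub="system:serviceaccount:staging:myservice")
    print("intended pod:", token_may_assume(policy, good))      # True
    print("other namespace:", token_may_assume(policy, other_ns))  # False
```

The `sub` list is what keeps the role scoped; if a trust policy used `StringLike` with a wildcard such as `system:serviceaccount:*:myservice`, any namespace in the cluster could mint credentials for it, which is the case the evaluator above rejects.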
Requirements:
| Name | Version |
|---|---|
| terraform | >= 0.14.8 |
| aws | ~> 5.0 |
Providers:
| Name | Version |
|---|---|
| aws | ~> 5.0 |
Resources:
| Name | Type |
|---|---|
| aws_iam_role.this | resource |
| aws_iam_role_policy.inline | resource |
| aws_iam_role_policy_attachment.managed | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.assume_role | data source |
| aws_iam_policy_document.inline_policy | data source |
| aws_partition.current | data source |
| aws_ssm_parameter.oidc_issuer | data source |
Inputs:
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cluster_names | Names of Kubernetes clusters (to look up OIDC issuers) | list(string) | [] | no |
| managed_policy_arns | List of managed policy ARNs to attach to the role | list(string) | [] | no |
| name | Name for the role | string | n/a | yes |
| namespace | Prefix to be applied to created resources | list(string) | [] | no |
| oidc_issuers | OIDC issuers for Kubernetes clusters | list(string) | [] | no |
| policy_documents | List of policy documents to add to the role's inline policy | list(string) | [] | no |
| service_accounts | Namespace and name of service accounts allowed to use this role | list(string) | n/a | yes |
| tags | Tags to be applied to created resources | map(string) | {} | no |
Outputs:
| Name | Description |
|---|---|
| arn | The ARN of the created role |
| instance | The created role |
| name | The name of the created role |