@callum-p
Created February 5, 2019 04:36
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::$AWS_ACCOUNT_ID:role/$KIAM_ROLE_NAME"
},
"Action": "sts:AssumeRole"
}
]
}
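# --- kiam server role bootstrap ---------------------------------------------
# Requires AWS_ACCOUNT_ID, CLUSTER_NAME and KIAM_ROLE_NAME in the environment.
# They are interpolated into IAM role names and the trust policy below, so an
# unset/empty value would silently produce a wrong ARN or a malformed AWS CLI
# call; abort early instead.
: "${AWS_ACCOUNT_ID:?AWS_ACCOUNT_ID must be set}"
: "${CLUSTER_NAME:?CLUSTER_NAME must be set}"
: "${KIAM_ROLE_NAME:?KIAM_ROLE_NAME must be set}"

# Location of the kiam addon files; hoisted so the path is spelled once.
kiam_addon_dir=./.docker/scripts/addons/kiam
kiam_trust_tpl="${kiam_addon_dir}/trust.json.tpl"
kiam_trust_json="${kiam_addon_dir}/trust.json"
kiam_server_policy="${kiam_addon_dir}/kiam_server_policy.json"

# annotate namespace kube-system and default to allow iam role assumptions
# NOTE: the ".*" regex lets any pod in these namespaces request ANY role the
# kiam server itself is allowed to assume. Narrow it to the role-name prefix
# your workloads actually need once the cluster is working.
kubectl annotate namespace kube-system iam.amazonaws.com/permitted=".*" --overwrite
kubectl annotate namespace default iam.amazonaws.com/permitted=".*" --overwrite

# setup json policies with variables
# Only the two variables listed here are substituted; any other $VAR in the
# template (e.g. a literal $KIAM_ROLE_NAME) is written through unchanged.
# NOTE(review): confirm the template references only these two names.
envsubst '$AWS_ACCOUNT_ID $CLUSTER_NAME' < "$kiam_trust_tpl" > "$kiam_trust_json"

# Block until the masters role exists (presumably it is the principal the
# rendered trust policy names, so create-role would fail before then — verify
# against the template). There is deliberately no timeout, matching the
# original: if the role never appears this loop waits forever.
while ! aws iam get-role --role-name "masters.${CLUSTER_NAME}"; do
  echo "Waiting for masters role to be created..."
  sleep 5
done

# create kiam server role if it doesn't exist
aws iam get-role --role-name "$KIAM_ROLE_NAME" > /dev/null \
  || aws iam create-role --role-name "$KIAM_ROLE_NAME" \
       --assume-role-policy-document "file://${kiam_trust_json}"

# update the kiam trust policy in case it already exists (idempotent re-run)
aws iam update-assume-role-policy --role-name "$KIAM_ROLE_NAME" \
  --policy-document "file://${kiam_trust_json}"

# assign the kiam iam policy to the role (inline policy named "kiam";
# put-role-policy replaces any existing policy of that name)
aws iam put-role-policy --role-name "$KIAM_ROLE_NAME" --policy-name kiam \
  --policy-document "file://${kiam_server_policy}"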
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"*"
]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/masters.$CLUSTER_NAME"
},
"Action": "sts:AssumeRole"
}
]
}