A script to create an IAM role with full S3 access linked to a service account in Kubernetes
#!/usr/bin/env bash
REGION=ap-southeast-2
# ROLE_NAME was referenced but never set in the gist; any IAM role name works (assumed default).
ROLE_NAME=${ROLE_NAME:-eks-s3fullaccess}

CLUSTER_NAME=$(eksctl get cluster --region "$REGION" -o json | jq -r '.[0].name')
ISSUER_URL=$(aws eks describe-cluster \
  --name "$CLUSTER_NAME" \
  --query cluster.identity.oidc.issuer \
  --output text \
  --region "$REGION")
# Strip the https:// scheme; the host/path form is what the IAM condition keys use.
ISSUER_HOSTPATH=$(echo "$ISSUER_URL" | cut -f 3- -d'/')
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
# PROVIDER_ARN was used but never defined in the gist; this is the ARN of the
# IAM OIDC identity provider that must already exist for the cluster's issuer.
PROVIDER_ARN="arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${ISSUER_HOSTPATH}"

# Trust policy: only the s3fullaccess service account in ns-utils may assume the role.
cat > irp-trust-policy.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "$PROVIDER_ARN"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${ISSUER_HOSTPATH}:sub": "system:serviceaccount:ns-utils:s3fullaccess"
        }
      }
    }
  ]
}
EOF

aws iam create-role \
  --role-name "$ROLE_NAME" \
  --assume-role-policy-document file://irp-trust-policy.json
# Re-applies the trust policy so re-running the script refreshes an existing role.
aws iam update-assume-role-policy \
  --role-name "$ROLE_NAME" \
  --policy-document file://irp-trust-policy.json
aws iam attach-role-policy \
  --role-name "$ROLE_NAME" \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
S3_ROLE_ARN=$(aws iam get-role \
  --role-name "$ROLE_NAME" \
  --query Role.Arn --output text)

kubectl create sa s3fullaccess -n ns-utils
# eks.amazonaws.com/role-arn is the annotation the EKS pod identity webhook reads.
kubectl annotate sa s3fullaccess -n ns-utils eks.amazonaws.com/role-arn="$S3_ROLE_ARN"
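The trust policy above is what actually scopes the role to one service account, so it is worth checking before (or after) it is applied. The following added example, not part of the gist, validates a trust policy of that shape: it confirms the federated principal belongs to the cluster issuer, that the `:sub` condition is pinned to the exact service account rather than a wildcard, and that the `:aud` condition (absent from the gist's policy) restricts tokens to `sts.amazonaws.com`. The issuer host path and account id are constructed placeholders.

```python
import json

# Constructed sample values (assumptions, not real identifiers).
ISSUER_HOSTPATH = "oidc.eks.ap-southeast-2.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{ISSUER_HOSTPATH}"
EXPECTED_SUB = "system:serviceaccount:ns-utils:s3fullaccess"


def trust_policy(conditions):
    """Build a trust policy with the same shape the gist's heredoc writes."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": conditions}]}


def check_irsa_trust_policy(policy_json, issuer_hostpath, expected_sub):
    """Return a list of findings; an empty list means the policy is scoped as intended."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(":oidc-provider/" + issuer_hostpath):
            findings.append("federated principal does not match the cluster issuer")
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        sub_key, aud_key = issuer_hostpath + ":sub", issuer_hostpath + ":aud"
        if equals.get(sub_key) != expected_sub:
            if sub_key in like:
                findings.append(f"sub matched with wildcard pattern {like[sub_key]!r}")
            else:
                findings.append("sub is not pinned to the expected service account")
        if equals.get(aud_key) != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
    return findings


# Three constructed policies: the gist's, a hardened one, and a wildcard one.
GIST_POLICY = json.dumps(trust_policy({"StringEquals": {ISSUER_HOSTPATH + ":sub": EXPECTED_SUB}}))
HARDENED_POLICY = json.dumps(trust_policy({"StringEquals": {
    ISSUER_HOSTPATH + ":sub": EXPECTED_SUB, ISSUER_HOSTPATH + ":aud": "sts.amazonaws.com"}}))
WILDCARD_POLICY = json.dumps(trust_policy({"StringLike": {
    ISSUER_HOSTPATH + ":sub": "system:serviceaccount:*:*"}}))

if __name__ == "__main__":
    for name, policy in [("gist", GIST_POLICY), ("hardened", HARDENED_POLICY), ("wildcard", WILDCARD_POLICY)]:
        print(name, check_irsa_trust_policy(policy, ISSUER_HOSTPATH, EXPECTED_SUB))
```

To check the policy the script wrote, pass the contents of `irp-trust-policy.json` together with the real `ISSUER_HOSTPATH` value in place of the constructed samples.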