A script to create an IAM role with full S3 access linked to a service account in Kubernetes
#!/bin/bash
# Creates an IAM role that one Kubernetes service account can assume through the
# cluster's OIDC identity provider (IAM Roles for Service Accounts), attaches the
# AWS-managed AmazonS3FullAccess policy to it, and annotates the service account
# with the role ARN so the EKS pod identity webhook wires pods up to the role.
set -euo pipefail

REGION=ap-southeast-2
NAMESPACE=ns-utils
SERVICE_ACCOUNT=s3fullaccess
ROLE_NAME=s3-fullaccess-latest

# Assumes the first cluster eksctl lists in the region is the one to configure.
CLUSTER_NAME=$(eksctl get cluster --region "$REGION" -o json | jq -r '.[0].name')

# The cluster's OIDC issuer URL, e.g. https://oidc.eks.<region>.amazonaws.com/id/<id>
ISSUER_URL=$(aws eks describe-cluster \
  --name "$CLUSTER_NAME" \
  --query cluster.identity.oidc.issuer \
  --output text \
  --region "$REGION")
# Drop the scheme: IAM names the provider ARN and the condition keys by host and path.
ISSUER_HOSTPATH=$(echo "$ISSUER_URL" | cut -f 3- -d'/')
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
PROVIDER_ARN="arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${ISSUER_HOSTPATH}"

# Trust policy: only tokens whose subject is exactly this service account in this
# namespace may assume the role. The OIDC provider must already be registered in IAM.
cat > irp-trust-policy.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "${PROVIDER_ARN}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${ISSUER_HOSTPATH}:sub": "system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT}"
        }
      }
    }
  ]
}
EOF

# create-role fails if the role already exists; carry on so a re-run still refreshes
# the trust policy below instead of aborting under set -e.
aws iam create-role \
  --role-name "$ROLE_NAME" \
  --assume-role-policy-document file://irp-trust-policy.json \
  || echo "role ${ROLE_NAME} already exists; updating its trust policy" >&2
aws iam update-assume-role-policy \
  --role-name "$ROLE_NAME" \
  --policy-document file://irp-trust-policy.json
aws iam attach-role-policy \
  --role-name "$ROLE_NAME" \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess

S3_ROLE_ARN=$(aws iam get-role \
  --role-name "$ROLE_NAME" \
  --query Role.Arn --output text)

# Link the service account to the role; pods using this service account receive a
# projected token and the role ARN via the eks.amazonaws.com/role-arn annotation.
kubectl create sa "$SERVICE_ACCOUNT" -n "$NAMESPACE"
kubectl annotate sa "$SERVICE_ACCOUNT" -n "$NAMESPACE" eks.amazonaws.com/role-arn="$S3_ROLE_ARN"
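The `StringEquals` condition on `<issuer>:sub` is the only thing in the trust policy that confines the role to one service account; without it, any token issued by the cluster's OIDC provider could assume a role carrying AmazonS3FullAccess. The following Python is an added example, not part of the gist: it builds the same trust policy document the script writes, optionally adds an `aud` condition pinned to `sts.amazonaws.com` (a hardening step the gist does not include), and lints an arbitrary trust policy for the common ways IRSA trust gets loosened (no subject condition, a wildcarded subject under `StringLike`, no audience condition). The account ID and issuer path are constructed placeholders, not values from the gist.

```python
"""Build and lint an IRSA trust policy offline (added example, not from the gist)."""
import json

# Constructed placeholders; the gist derives the real values from eksctl and the AWS CLI.
ACCOUNT_ID = "111122223333"
ISSUER_HOSTPATH = "oidc.eks.ap-southeast-2.amazonaws.com/id/EXAMPLE0123456789ABCDEF"


def build_trust_policy(account_id, issuer_hostpath, namespace, service_account,
                       require_audience=True):
    """Return the trust policy the gist writes to irp-trust-policy.json.

    With require_audience=True an <issuer>:aud condition is added; this is a hardening
    addition beyond the gist and matches the audience the EKS pod identity webhook
    requests for projected service account tokens.
    """
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{issuer_hostpath}"
    conditions = {
        f"{issuer_hostpath}:sub": f"system:serviceaccount:{namespace}:{service_account}",
    }
    if require_audience:
        conditions[f"{issuer_hostpath}:aud"] = "sts.amazonaws.com"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {"StringEquals": conditions},
            }
        ],
    }


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy, issuer_hostpath):
    """Return findings for Allow statements that let more than one service account assume the role."""
    findings = []
    sub_key = f"{issuer_hostpath}:sub"
    aud_key = f"{issuer_hostpath}:aud"
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        cond = stmt.get("Condition", {})
        equals_subs = _as_list(cond.get("StringEquals", {}).get(sub_key))
        like_subs = _as_list(cond.get("StringLike", {}).get(sub_key))
        if not equals_subs and not like_subs:
            findings.append(
                f"statement {index}: no {sub_key} condition; any token issued by this "
                "cluster's OIDC provider can assume the role")
        for sub in equals_subs + like_subs:
            if not sub.startswith("system:serviceaccount:"):
                findings.append(f"statement {index}: unexpected subject {sub!r}")
        for sub in like_subs:
            # StringLike interprets * and ?, so a pattern here widens the set of callers.
            if "*" in sub or "?" in sub:
                findings.append(f"statement {index}: wildcard subject {sub!r}")
        if not _as_list(cond.get("StringEquals", {}).get(aud_key)):
            findings.append(f"statement {index}: no {aud_key} condition")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_ID, ISSUER_HOSTPATH, "ns-utils", "s3fullaccess")
    print(json.dumps(policy, indent=2))
    print("findings:", lint_trust_policy(policy, ISSUER_HOSTPATH))
```

Run against the document the gist produces (no `aud` condition) the linter reports exactly one finding, the missing audience check; a policy whose subject is scoped only to a namespace under `StringLike` is flagged for the wildcard.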