@ejohn20
Last active March 10, 2024 20:01
aws-eks-irsa-pods-audit.sh
#!/bin/bash
# Audit IAM Roles for Service Accounts (IRSA) on an EKS cluster: for every
# service account annotated with eks.amazonaws.com/role-arn, print the
# Kubernetes subject, the IAM role it assumes, and the managed policies
# attached to that role. Requires kubectl (cluster access) and the AWS CLI
# (iam:ListAttachedRolePolicies on the roles).
while IFS= read -r sa_metadata; do
  service_account=$(jq -r .name <<<"${sa_metadata}")
  namespace=$(jq -r .namespace <<<"${sa_metadata}")
  role_arn=$(jq -r .rolearn <<<"${sa_metadata}")
  # The role name is the last segment after "role/": a role created with an IAM
  # path looks like arn:aws:iam::123456789012:role/some/path/RoleName, so
  # taking .[1] would return the first path element instead of the name.
  role_name=$(jq -r '.rolearn | split("/") | .[-1]' <<<"${sa_metadata}")
  echo "Service Account: system:serviceaccount:${namespace}:${service_account}"
  echo "Role ARN: ${role_arn}"
  echo "Policy Attachments:"
  aws iam list-attached-role-policies --role-name "${role_name}" | jq -r '.AttachedPolicies[].PolicyArn'
  echo ""
done < <(kubectl get serviceaccounts -A -o json | jq -c '.items[] | select(.metadata.annotations."eks.amazonaws.com/role-arn" != null) | {name: .metadata.name, namespace: .metadata.namespace, rolearn: .metadata.annotations."eks.amazonaws.com/role-arn"}')
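The gist stops at the service-account side of the IRSA binding. As an added example that is not part of the gist, the Python below reproduces the same annotation filter offline on constructed kubectl JSON, extracts the IAM role name correctly even when the role carries an IAM path, and joins in the pods that actually run under each annotated service account. The JSON samples, function names and field layout are constructed for the example, not output from a real cluster.

```python
import json
import re

IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"
# A role ARN may carry an IAM path (arn:aws:iam::123456789012:role/some/path/RoleName);
# `aws iam ... --role-name` wants only the final segment, so capture it separately.
ROLE_ARN_RE = re.compile(r"^arn:[^:]+:iam::(?P<account>\d{12}):role/(?:.+/)?(?P<name>[^/]+)$")


def parse_role_arn(arn):
    """Return (account_id, role_name), or None if this is not an IAM role ARN."""
    m = ROLE_ARN_RE.match(arn)
    return (m.group("account"), m.group("name")) if m else None


def irsa_bindings(sa_json, pods_json):
    """Map each IRSA-annotated service account to its role and the pods that use it."""
    pods_by_sa = {}
    for pod in pods_json["items"]:
        ns = pod["metadata"]["namespace"]
        # A pod with no explicit serviceAccountName runs as the namespace's "default" SA.
        sa_name = pod["spec"].get("serviceAccountName", "default")
        pods_by_sa.setdefault((ns, sa_name), []).append(pod["metadata"]["name"])
    bindings = []
    for sa in sa_json["items"]:
        arn = (sa["metadata"].get("annotations") or {}).get(IRSA_ANNOTATION)
        if arn is None:
            continue  # not IRSA-enabled: same filter as the jq select() in the gist
        ns, name = sa["metadata"]["namespace"], sa["metadata"]["name"]
        parsed = parse_role_arn(arn)
        bindings.append({
            "subject": f"system:serviceaccount:{ns}:{name}",
            "role_arn": arn,
            "account": parsed[0] if parsed else None,
            "role_name": parsed[1] if parsed else None,  # None flags a malformed annotation
            "pods": sorted(pods_by_sa.get((ns, name), [])),
        })
    return bindings


# Constructed sample data standing in for `kubectl get serviceaccounts -A -o json`
# and `kubectl get pods -A -o json`; not output from a real cluster.
SA_JSON = json.loads("""{"items": [
 {"metadata": {"name": "app", "namespace": "prod", "annotations":
   {"eks.amazonaws.com/role-arn": "arn:aws:iam::123456789012:role/eks/prod/app-role"}}},
 {"metadata": {"name": "default", "namespace": "prod"}},
 {"metadata": {"name": "ci", "namespace": "tools", "annotations":
   {"eks.amazonaws.com/role-arn": "not-an-arn"}}}]}""")
PODS_JSON = json.loads("""{"items": [
 {"metadata": {"name": "app-0", "namespace": "prod"}, "spec": {"serviceAccountName": "app"}},
 {"metadata": {"name": "app-1", "namespace": "prod"}, "spec": {"serviceAccountName": "app"}},
 {"metadata": {"name": "batch-0", "namespace": "prod"}, "spec": {}}]}""")
```

A `role_name` of `None` in the output is the case the gist's `split("/") | .[1]` would silently mis-handle; run `irsa_bindings(SA_JSON, PODS_JSON)` to see the two bindings the sample yields.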