@gladiatr72
Last active April 5, 2023 17:29
wiring an EKS cluster into an IAM/OIDC provider
variable "region" {}
variable "cluster" {}

/*
 * Look up the existing cluster, then fetch the certificate chain that
 * protects its OIDC issuer endpoint.
 */
data "aws_eks_cluster" "this" {
  name = var.cluster
}

data "tls_certificate" "this" {
  url = local.oidc-issuer
}

/*
 * The issuer URL comes from the cluster's identity block (a data source,
 * so it is referenced as data.aws_eks_cluster). The client IDs are the STS
 * audiences that service-account tokens are issued for. The thumbprint is
 * the SHA-1 of the root CA, which tls_certificate lists first in the chain.
 */
locals {
  oidc-issuer = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
  sts-endpoints = [
    format("sts.%s.amazonaws.com", var.region),
    "sts.amazonaws.com"
  ]
  eks-ca-sha1 = data.tls_certificate.this.certificates[0].sha1_fingerprint
}

/*
 * Register the cluster's issuer as an IAM OIDC identity provider.
 */
resource "aws_iam_openid_connect_provider" "this" {
  url             = local.oidc-issuer
  client_id_list  = local.sts-endpoints
  thumbprint_list = [local.eks-ca-sha1]
}

/*
 * Outputs for cross-checking the cluster CA and the registered thumbprint.
 */
output "cluster-ca" {
  value = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
}

output "cluster-ca-fingerprint" {
  value = local.eks-ca-sha1
}

This list works backwards from the Velero service account to the cluster's identity provider:

  • verify the role-granting annotation on the Velero serviceAccount
    • eks.amazonaws.com/role-arn: arn:aws:iam::[account]:role/[role name]
  • verify the trust document attached to that IAM role
    • the Principal.Federated value is the ARN of the OIDC provider (connector) created for your EKS cluster
      • every EKS cluster that needs access to this role must have its provider ARN included
    • each namespace/serviceAccount pair that may assume the role must appear in the :sub condition
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "dev01",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::[account]:oidc-provider/oidc.eks.[region].amazonaws.com/id/..."
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.[region].amazonaws.com/id/...:sub": "system:serviceaccount:[kube namespace]:[kube service-account-name]",
                    "oidc.eks.[region].amazonaws.com/id/...:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

  • verify the EKS cluster is wired into a properly configured IAM OIDC identity provider (the Terraform above)
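The trust-document checks in the list above can be run offline against a downloaded policy. The script below is an added example, not part of the gist: it derives the provider ARN the same way IAM does (issuer URL minus its scheme, under the account's oidc-provider path), then confirms that an Allow statement for sts:AssumeRoleWithWebIdentity names that ARN, restricts :aud to sts.amazonaws.com, and lists the namespace/serviceAccount pair in :sub. It also flags the common mistake of leaving the :sub condition out, which lets any service account in the cluster assume the role. The account id, issuer id and sample policies are constructed; StringLike patterns are approximated with fnmatch.

```python
"""Offline linter for an IRSA trust policy (added example, not from the gist)."""
import fnmatch
import json

# Constructed sample values: a fake account number and a fake OIDC provider id.
ACCOUNT_ID = "123456789012"
ISSUER_URL = "https://oidc.eks.us-east-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"


def as_list(value):
    """IAM lets most policy fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def provider_arn(account_id, issuer_url):
    """ARN of the aws_iam_openid_connect_provider: the issuer URL minus its scheme."""
    return f"arn:aws:iam::{account_id}:oidc-provider/{issuer_url.removeprefix('https://')}"


def condition_key(issuer_url, claim):
    """Trust-policy condition keys have the form '<issuer without scheme>:<claim>'."""
    return f"{issuer_url.removeprefix('https://')}:{claim}"


def check_trust_policy(policy, account_id, issuer_url, namespace, service_account):
    """Return findings (an empty list is a pass) for one namespace/serviceAccount pair."""
    expected_arn = provider_arn(account_id, issuer_url)
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    sub_key = condition_key(issuer_url, "sub")
    aud_key = condition_key(issuer_url, "aud")
    findings = []
    granted = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in as_list(stmt.get("Action")):
            continue
        if expected_arn not in as_list(stmt.get("Principal", {}).get("Federated")):
            continue  # statement belongs to another cluster's provider
        cond = stmt.get("Condition", {})
        exact_subs = as_list(cond.get("StringEquals", {}).get(sub_key))
        like_subs = as_list(cond.get("StringLike", {}).get(sub_key))
        auds = as_list(cond.get("StringEquals", {}).get(aud_key))
        if not exact_subs and not like_subs:
            findings.append(f"{sid}: no {sub_key} condition; every service account "
                            "in the cluster can assume the role")
            granted = True
        elif expected_sub in exact_subs or any(
                fnmatch.fnmatchcase(expected_sub, p) for p in like_subs):
            granted = True
        if auds != ["sts.amazonaws.com"]:
            findings.append(f"{sid}: {aud_key} should be exactly sts.amazonaws.com")
    if not granted:
        findings.append(f"no Allow statement lets {expected_sub} assume the role via {expected_arn}")
    return findings


# Constructed trust policy shaped like the one in the gist, with the placeholders filled in.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "dev01",
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn(ACCOUNT_ID, ISSUER_URL)},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            condition_key(ISSUER_URL, "sub"): "system:serviceaccount:velero:velero",
            condition_key(ISSUER_URL, "aud"): "sts.amazonaws.com",
        }},
    }],
}

# The same statement with the :sub condition left out (constructed misconfiguration).
OPEN_POLICY = json.loads(json.dumps(GOOD_POLICY))
del OPEN_POLICY["Statement"][0]["Condition"]["StringEquals"][condition_key(ISSUER_URL, "sub")]

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("open", OPEN_POLICY)):
        print(name, check_trust_policy(policy, ACCOUNT_ID, ISSUER_URL, "velero", "velero") or "OK")
```

Point it at the real policy with `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument` and the issuer from `data.aws_eks_cluster.this.identity[0].oidc[0].issuer`; one call per namespace/serviceAccount pair that the role is supposed to serve.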