v0.22.0-stsAssumeRole
---
# ProviderConfig for the "home" account (111111111111).
# InjectedIdentity: the provider authenticates with whatever identity is
# injected into its pod — in this gist that is the IRSA web-identity token of
# the provider's ServiceAccount (role-arn annotation on the ControllerConfig
# below). No static access keys are stored in the cluster for this account.
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: aws-provider-111111111111
spec:
  credentials:
    source: InjectedIdentity
---
# ProviderConfig for the remote account (999999999999).
# Same injected (IRSA) identity, but credentials for this config are obtained
# by sts:AssumeRole into crossplane_deploy in the remote account. The trust
# policy of that role is therefore the control that decides who may reach the
# remote account — keep its Principal as narrow as possible (see the trust
# policy listed later in this gist, which currently trusts the whole account).
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: aws-provider-999999999999
spec:
  credentials:
    source: InjectedIdentity
  # Role in the remote account that the injected identity assumes.
  assumeRoleARN: arn:aws:iam::999999999999:role/crossplane_deploy
## Also verified via the AWS CLI and the AWS console that each resource was created in the intended AWS account (111111111111 for the local-* resources, 999999999999 for the remote-* ones).
kubectl get managed
NAME READY SYNCED EXTERNAL-NAME
filesystem.efs.aws.crossplane.io/local-efs True True fs-083004c6d90572cc7
filesystem.efs.aws.crossplane.io/remote-efs-eu-central-1 True True fs-05bf9b7e5970e3455
filesystem.efs.aws.crossplane.io/remote-efs-eu-west-1 True True fs-0ec4c7af0a998877b
NAME READY SYNCED STATE ENGINE VERSION AGE
rdsinstance.database.aws.crossplane.io/remote-rds True True available mysql 5.6.35 30m
rdsinstance.database.aws.crossplane.io/remote-rds-us-west-2 True True available mysql 5.6.35 16m
NAME READY SYNCED AGE
dbsubnetgroup.database.aws.crossplane.io/sample-subnet-group True True 35m
dbsubnetgroup.database.aws.crossplane.io/sample-subnet-group-us-west-2 True True 19m
NAME READY SYNCED AGE
role.iam.aws.crossplane.io/test-local-role True True 44m
role.iam.aws.crossplane.io/test-remote-role True True 42m
### Create an IAM role in the other account (999999999999) that the IRSA role from the home account can sts:AssumeRole into. Note that the trust policy below uses `arn:aws:iam::111111111111:root` as Principal — that trusts the whole home account, i.e. any principal in 111111111111 that is granted `sts:AssumeRole` on this role ARN can assume it. For anything beyond a test, narrow the Principal to the IRSA role itself (`arn:aws:iam::111111111111:role/central-crossplane-prod`).
$ aws iam list-roles | grep "crossplane_deploy"
{
"Path": "/",
"RoleName": "crossplane_deploy",
"Arn": "arn:aws:iam::999999999999:role/crossplane_deploy",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "trustOtherAccount",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:root"
},
"Action": "sts:AssumeRole"
}
]
},
"MaxSessionDuration": 3600
}
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: aws-config
  annotations:
    # IRSA: the role in the home account that the provider pod's
    # ServiceAccount may assume with its projected web-identity token.
    # Created as described in
    # https://github.com/crossplane/provider-aws/blob/master/AUTHENTICATION.md#using-iam-roles-for-service-accounts
    eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/central-crossplane-prod
spec:
  args:
    # NOTE(review): debug logging on a controller wired to a prod-named role.
    # Verbose provider logs are noisier and may carry request details; drop
    # this once the cross-account setup is verified.
    - "--debug"
  podSecurityContext:
    # Presumably so the projected IRSA token is readable by the non-root
    # provider process — see the IRSA section of the linked doc.
    fsGroup: 2000
  ports:
    # Prometheus metrics endpoint.
    - name: http-prom
      containerPort: 8080
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws
spec:
  # Supply chain: an image tag is mutable. Outside a test, pin the package
  # by digest (crossplane/provider-aws@sha256:<digest>) and/or verify the
  # image signature at admission so the controller that holds the IRSA
  # identity cannot be swapped out from under you.
  package: crossplane/provider-aws:v0.22.0
  controllerConfigRef:
    name: aws-config
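# aws go-sdk v1
# EFS file system in the home account, created with the injected identity.
apiVersion: efs.aws.crossplane.io/v1alpha1
kind: FileSystem
metadata:
  name: local-efs
spec:
  forProvider:
    region: eu-central-1
    # Encrypt at rest — the EFS API default is unencrypted. Create-time only:
    # encryption cannot be switched on for an existing file system. Uses the
    # AWS-managed EFS key unless a KMS key is configured.
    encrypted: true
  providerConfigRef:
    name: aws-provider-111111111111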
---
# aws go-sdk v2
# IAM role in the home account, managed with the injected identity.
# NOTE(review): the trust policy admits four AWS service principals; for a
# real workload keep only the service that will actually assume the role.
apiVersion: iam.aws.crossplane.io/v1beta1
kind: Role
metadata:
  name: test-local-role
spec:
  providerConfigRef:
    name: aws-provider-111111111111
  forProvider:
    tags:
      - key: k1
        value: v1
    # Trust policy (who may call sts:AssumeRole on this role).
    assumeRolePolicyDocument: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "ec2.amazonaws.com",
                "eks.amazonaws.com",
                "eks-fargate-pods.amazonaws.com",
                "lambda.amazonaws.com"
              ]
            },
            "Action": [
              "sts:AssumeRole"
            ]
          }
        ]
      }
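# aws go-sdk v1
# EFS file system in the remote account (via sts:AssumeRole), eu-central-1.
apiVersion: efs.aws.crossplane.io/v1alpha1
kind: FileSystem
metadata:
  name: remote-efs
spec:
  forProvider:
    region: eu-central-1
    # Encrypt at rest — the EFS API default is unencrypted. Create-time only:
    # encryption cannot be switched on for an existing file system. Uses the
    # AWS-managed EFS key unless a KMS key is configured.
    encrypted: true
  providerConfigRef:
    name: aws-provider-999999999999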
---
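# aws go-sdk v1
# EFS file system in the remote account (via sts:AssumeRole), eu-west-1 —
# same ProviderConfig as remote-efs, different region.
apiVersion: efs.aws.crossplane.io/v1alpha1
kind: FileSystem
metadata:
  name: remote-efs-eu-west-1
spec:
  forProvider:
    region: eu-west-1
    # Encrypt at rest — the EFS API default is unencrypted. Create-time only:
    # encryption cannot be switched on for an existing file system. Uses the
    # AWS-managed EFS key unless a KMS key is configured.
    encrypted: true
  providerConfigRef:
    name: aws-provider-999999999999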
---
# aws go-sdk v2
# IAM role in the remote account, created through the assumed
# crossplane_deploy role (so crossplane_deploy needs iam:CreateRole etc.
# there). NOTE(review): the trust policy admits four AWS service
# principals; for a real workload keep only the one that will assume it.
apiVersion: iam.aws.crossplane.io/v1beta1
kind: Role
metadata:
  name: test-remote-role
spec:
  providerConfigRef:
    name: aws-provider-999999999999
  forProvider:
    tags:
      - key: k1
        value: v1
    # Trust policy (who may call sts:AssumeRole on this role).
    assumeRolePolicyDocument: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "ec2.amazonaws.com",
                "eks.amazonaws.com",
                "eks-fargate-pods.amazonaws.com",
                "lambda.amazonaws.com"
              ]
            },
            "Action": [
              "sts:AssumeRole"
            ]
          }
        ]
      }
---
# DB subnet group in the remote account, eu-central-1. A subnet group is
# regional: the subnet IDs must belong to a VPC in that region, and the RDS
# instance that references it must be created in the same region.
apiVersion: database.aws.crossplane.io/v1beta1
kind: DBSubnetGroup
metadata:
  name: sample-subnet-group
spec:
  providerConfigRef:
    name: aws-provider-999999999999
  forProvider:
    region: eu-central-1
    description: "sample group"
    # Environment-specific IDs; replace when reusing this manifest.
    subnetIds:
      - subnet-062af72f7f58f5266
      - subnet-024a7f41c5051c40b
      - subnet-00a5ce4f22c80929c
---
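# RDS instance in the remote account, created through the assumed role.
# Several settings here are test-fixture choices; each is called out below
# so they are not copied into a real deployment unchanged.
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
  name: remote-rds
spec:
  forProvider:
    # Explicit region: sample-subnet-group is a regional object in
    # eu-central-1 (see the DBSubnetGroup above), so the instance must be
    # created there rather than relying on the provider's default region.
    region: eu-central-1
    allocatedStorage: 20
    autoMinorVersionUpgrade: true
    # 0 disables automated backups — fine for a throw-away test instance
    # only; use >= 7 for anything holding real data.
    backupRetentionPeriod: 0
    # NOTE(review): rds-ca-2019 expires in Aug 2024; new deployments should
    # pick a current CA from the region's offering — confirm.
    caCertificateIdentifier: rds-ca-2019
    copyTagsToSnapshot: false
    dbInstanceClass: db.t3.medium
    # Off so the test can be torn down; enable for real data.
    deletionProtection: false
    enableIAMDatabaseAuthentication: false
    enablePerformanceInsights: false
    engine: mysql
    # NOTE(review): MySQL 5.6 is past upstream end-of-life (Feb 2021); move
    # to a supported major before reusing this outside the test. Quoted so
    # no YAML parser can retype the version string.
    engineVersion: "5.6.35"
    finalDBSnapshotIdentifier: muvaf-test
    licenseModel: general-public-license
    # No masterPasswordSecretRef / writeConnectionSecretToRef is set, so the
    # provider-generated master password is presumably not persisted
    # anywhere retrievable — TODO confirm against provider-aws v0.22.
    masterUsername: admin
    multiAZ: true
    port: 3306
    publiclyAccessible: false
    # Encrypt storage at rest. Create-time only — it cannot be changed on an
    # existing instance, so an already-running unencrypted remote-rds must be
    # recreated for this to take effect.
    storageEncrypted: true
    storageType: gp2
    dbSubnetGroupName: sample-subnet-group
  providerConfigRef:
    name: aws-provider-999999999999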
## us-west-2
---
# DB subnet group in the remote account, us-west-2. A subnet group is
# regional: the subnet IDs must belong to a VPC in that region, and the RDS
# instance that references it must be created in the same region.
apiVersion: database.aws.crossplane.io/v1beta1
kind: DBSubnetGroup
metadata:
  name: sample-subnet-group-us-west-2
spec:
  providerConfigRef:
    name: aws-provider-999999999999
  forProvider:
    region: us-west-2
    description: "sample group"
    # Environment-specific IDs; replace when reusing this manifest.
    subnetIds:
      - subnet-0f4bd1ed9e1414118
      - subnet-026b1252434b44771
      - subnet-0e3971c0fc208756a
      - subnet-05754e2386eddf7d5
---
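# RDS instance in the remote account, us-west-2, created through the assumed
# role. Several settings here are test-fixture choices; each is called out
# below so they are not copied into a real deployment unchanged.
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
  name: remote-rds-us-west-2
spec:
  forProvider:
    # Must match the region of sample-subnet-group-us-west-2.
    region: us-west-2
    allocatedStorage: 20
    autoMinorVersionUpgrade: true
    # 0 disables automated backups — fine for a throw-away test instance
    # only; use >= 7 for anything holding real data.
    backupRetentionPeriod: 0
    # NOTE(review): rds-ca-2019 expires in Aug 2024; new deployments should
    # pick a current CA from the region's offering — confirm.
    caCertificateIdentifier: rds-ca-2019
    copyTagsToSnapshot: false
    dbInstanceClass: db.t3.medium
    # Off so the test can be torn down; enable for real data.
    deletionProtection: false
    enableIAMDatabaseAuthentication: false
    enablePerformanceInsights: false
    engine: mysql
    # NOTE(review): MySQL 5.6 is past upstream end-of-life (Feb 2021); move
    # to a supported major before reusing this outside the test. Quoted so
    # no YAML parser can retype the version string.
    engineVersion: "5.6.35"
    finalDBSnapshotIdentifier: muvaf-test
    licenseModel: general-public-license
    # No masterPasswordSecretRef / writeConnectionSecretToRef is set, so the
    # provider-generated master password is presumably not persisted
    # anywhere retrievable — TODO confirm against provider-aws v0.22.
    masterUsername: admin
    multiAZ: true
    port: 3306
    publiclyAccessible: false
    # Encrypt storage at rest. Create-time only — it cannot be changed on an
    # existing instance, so an already-running unencrypted instance must be
    # recreated for this to take effect.
    storageEncrypted: true
    storageType: gp2
    dbSubnetGroupName: sample-subnet-group-us-west-2
  providerConfigRef:
    name: aws-provider-999999999999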