@micahhausler
Last active June 16, 2022 17:49
Identity (permissions) policy to attach to account-m-role in account 111122223333, granting it sts:AssumeRole on account-n-role in account 444455556666:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::444455556666:role/account-n-role"
    }
  ]
}
```
Trust policy for account-m-role: only the EKS cluster's OIDC provider may assume it, and only with a token whose subject is the example-app service account in the default namespace and whose audience is sts.amazonaws.com:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.REGION.eks.amazonaws.com/CLUSTER_ID"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.REGION.eks.amazonaws.com/CLUSTER_ID:sub": "system:serviceaccount:default:example-app",
          "oidc.REGION.eks.amazonaws.com/CLUSTER_ID:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
```
Trust policy for account-n-role in account 444455556666: it trusts account-m-role from account 111122223333 as its AWS principal (the empty Condition block places no further restriction on the hop):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/account-m-role"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
Kubernetes manifest: a ConfigMap holding the AWS profile chain, the annotated ServiceAccount, and a Deployment that mounts the config and selects the chained profile. The `source_profile` of `account_n` must name an existing profile section, so it is `account_m` (the section is `[profile account_m]`):

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-config
data:
  config: |
    [profile account_n]
    source_profile = account_m
    role_arn=arn:aws:iam::444455556666:role/account-n-role
    [profile account_m]
    web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    role_arn=arn:aws:iam::111122223333:role/account-m-role
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-app
  annotations:
    # The EKS pod identity webhook projects the OIDC token for this service
    # account into the pod at the path referenced by web_identity_token_file.
    eks.amazonaws.com/role-arn: "arn:aws:iam::111122223333:role/account-m-role"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      serviceAccountName: example-app
      containers:
        - name: al2
          image: amazonlinux:2
          env:
            # Point the SDK/CLI at the mounted config and select the chained profile.
            - name: "AWS_CONFIG_FILE"
              value: "/somewhere/.aws/config"
            - name: "AWS_PROFILE"
              value: "account_n"
            - name: "AWS_REGION"
              value: "<SET A REGION>"
            - name: "AWS_STS_REGIONAL_ENDPOINTS"
              value: "regional"
          command:
            - sleep
            - infinity
          volumeMounts:
            - name: aws-config-vol
              readOnly: false
              mountPath: /somewhere/.aws
      volumes:
        - name: aws-config-vol
          configMap:
            name: aws-config
            items:
              - key: config
                path: config
```
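The gist carries no explanation, so here is an added Python example (not part of the gist) that checks offline that the profile chain and the two trust policies above line up: it walks `source_profile` links the way the SDK does, then verifies that the first hop trusts the pod's service account through the OIDC `:sub` condition and that each later hop trusts the previous role. The policies and config are constructed copies of the ones above; the config copy uses `source_profile = account_m`, which must match the `[profile account_m]` section name, and a dangling `source_profile` raises instead of silently passing.

```python
import configparser
# Added example, not code from the gist: constructed copies of the gist's
# two role trust policies (keyed by role ARN) and the mounted profile config.
M_ROLE = "arn:aws:iam::111122223333:role/account-m-role"
N_ROLE = "arn:aws:iam::444455556666:role/account-n-role"
OIDC = "oidc.REGION.eks.amazonaws.com/CLUSTER_ID"
TRUST = {
    M_ROLE: {"Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
             "Condition": {"StringEquals": {f"{OIDC}:sub": "system:serviceaccount:default:example-app",
                                            f"{OIDC}:aud": "sts.amazonaws.com"}}},
    N_ROLE: {"Principal": {"AWS": M_ROLE}, "Condition": {}},
}
AWS_CONFIG = """\
[profile account_n]
source_profile = account_m
role_arn=arn:aws:iam::444455556666:role/account-n-role
[profile account_m]
web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token
role_arn=arn:aws:iam::111122223333:role/account-m-role
"""

def resolve_chain(config_text, profile):
    """Follow source_profile links from `profile` down to the web-identity
    profile; return the role ARNs in the order the SDK assumes them."""
    cp = configparser.ConfigParser(delimiters=("=",))  # ARNs contain ':'
    cp.read_string(config_text)
    chain, seen, section = [], set(), f"profile {profile}"
    while section not in seen:
        if section not in cp:
            raise ValueError(f"dangling source_profile: {section}")
        seen.add(section)
        chain.append(cp[section]["role_arn"])
        if "web_identity_token_file" in cp[section]:
            return list(reversed(chain))
        section = f"profile {cp[section]['source_profile']}"
    raise ValueError(f"source_profile loop at {section}")

def check_trust(chain, trust, namespace, service_account):
    """List trust-policy mismatches: hop 0 must trust the pod's service account
    via the OIDC :sub condition; each later hop must trust the previous role."""
    want_sub = f"system:serviceaccount:{namespace}:{service_account}"
    first, problems = trust[chain[0]], []
    subs = [v for k, v in first["Condition"].get("StringEquals", {}).items() if k.endswith(":sub")]
    if "Federated" not in first["Principal"] or want_sub not in subs:
        problems.append(f"{chain[0]} does not trust {want_sub}")
    for prev, cur in zip(chain, chain[1:]):
        if trust[cur]["Principal"].get("AWS") != prev:
            problems.append(f"{cur} does not trust {prev}")
    return problems
```

Run `check_trust(resolve_chain(AWS_CONFIG, "account_n"), TRUST, "default", "example-app")` against the real policies pulled with `aws iam get-role` before deploying; an empty list means the chain is consistent.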