@sqerison
Last active December 15, 2021 12:46
Crossplane examples
[default]
aws_access_key_id = ASIAAAAAAAAAAAEXAMPLE
aws_secret_access_key = GP27Hkaef3lf5igm35gi38rbj3eexample
kubectl create secret generic aws-creds -n crossplane-system --from-file=creds=./aws-creds.conf
###
# Example:
###
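apiVersion: v1
data:
  # base64 of the aws-creds.conf contents shown above
  creds: W2RlZmF1bHRdCmF3c19hY2Nlc3Nfa2V5X2lkID0gQVNJQUFBQUFBQUFBQUFFWEFNUExFCmF3c19zZWNyZXRfYWNjZXNzX2tleSA9IEdQMjdIa2FlZjNsZjVpZ20zNWdpMzhyYmozZWV4YW1wbGUK
kind: Secret
metadata:
  name: aws-creds
  # Must match the namespace used by `kubectl create secret` and by secretRef
  namespace: crossplane-system
type: Opaque
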
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: aws-config
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::$AWS_ACCOUNT_ID:role/$IAM_ROLE_NAME
spec:
  podSecurityContext:
    fsGroup: 2000
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws
spec:
  package: crossplane/provider-aws:alpha
  controllerConfigRef:
    name: aws-config
---
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: provider-aws
spec:
  credentials:
    source: InjectedIdentity

apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws
spec:
  package: crossplane/provider-aws:alpha
---
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: aws-creds
      key: creds

kubectl create namespace crossplane-system
helm repo add crossplane-stable https://charts.crossplane.io/stable
helm repo update
helm install crossplane --namespace crossplane-system crossplane-stable/crossplane
### https://github.com/crossplane/provider-aws/blob/master/AUTHENTICATION.md
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "${OIDC_PROVIDER}:sub": "system:serviceaccount:crossplane-system:provider-aws-*"
        }
      }
    }
  ]
}

apiVersion: s3.aws.crossplane.io/v1beta1
kind: Bucket
metadata:
  name: crossplane-demo
  annotations:
    # This will be the actual bucket name. It must be globally unique, so you
    # probably want to change it before trying to apply this example.
    crossplane.io/external-name: crossplane-demo-example-name
spec:
  deletionPolicy: Delete
  forProvider:
    acl: private
    locationConstraint: us-east-1
    paymentConfiguration:
      payer: BucketOwner
    serverSideEncryptionConfiguration:
      rules:
        - applyServerSideEncryptionByDefault:
            sseAlgorithm: AES256
    versioningConfiguration:
      status: Enabled