k -n <NAMESPACE> annotate sa <SA> eks.amazonaws.com/role-arn=arn:aws:iam::<ACCOUNT>:role/<ROLE>
(k = kubectl; add --overwrite if the SA already carries the annotation. The annotation only takes effect for pods created afterwards: the EKS pod identity mutating webhook injects the env vars and the projected token volume at pod admission, so existing pods have to be restarted)
https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html
test (the pod has to run as the annotated SA, in the same namespace; without serviceAccountName it runs as default and nothing is injected):
k -n eraseme run aws --image=amazon/aws-cli:latest --overrides='{"spec":{"serviceAccountName":"<SA>"}}' --command -- bash -c "env; aws sts get-caller-identity; aws s3 ls s3://BUCKET; sleep 300"
k -n eraseme logs aws
Logs should include these vars (set by the webhook together with the token volume mount):
AWS_ROLE_ARN=arn:aws:iam::<ACCOUNT>:role/<ROLE>
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
get-caller-identity should then return an Arn of the form arn:aws:sts::<ACCOUNT>:assumed-role/<ROLE>/...; if it returns the node instance role instead, the pod is not running as the annotated SA (or the SA was annotated after the pod was created). The s3 ls only proves the role's permissions policy, the env vars prove the injection.
# variables the heredoc expands (from the AWS doc linked below); <CLUSTER> is the EKS cluster name
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
OIDC_PROVIDER=$(aws eks describe-cluster --name <CLUSTER> --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
# read -d '' exits 1 when it reaches EOF (the NUL delimiter is never seen), so under set -e append || true
read -r -d '' TRUST_RELATIONSHIP <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_PROVIDER}:sub": "system:serviceaccount:<NAMESPACE>:<SA>",
          "${OIDC_PROVIDER}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
echo "${TRUST_RELATIONSHIP}" > trust.json
aws iam create-role --role-name <ROLE> --assume-role-policy-document file://trust.json
# the :sub condition is the entire access control: without it, or with StringLike "system:serviceaccount:*:*",
# every service account in the cluster can assume the role. :aud pins the token audience to STS.
Source: https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html
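Added example, not from the AWS doc or these notes: a Python check that builds the trust policy above (sub and aud pinned), reads the claims of the token behind AWS_WEB_IDENTITY_TOKEN_FILE (payload only, the signature is STS's problem) and reports every way the policy would admit more than that one service account: missing or mismatched :sub, a StringLike wildcard, no :aud, or a Federated principal that is not the cluster's issuer. The account id, issuer URL and token are constructed sample values; point decode_jwt_claims at the real token file inside the pod to check a live policy.

```python
import base64
import json

# Constructed sample values (not a real account, cluster or token).
SAMPLE_ACCOUNT = "111122223333"
SAMPLE_ISSUER = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
SAMPLE_PROVIDER = SAMPLE_ISSUER[len("https://"):]   # what ${OIDC_PROVIDER} holds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(namespace: str, sa: str) -> str:
    """Unsigned JWT with the claims an EKS projected token carries; a stand-in
    for /var/run/secrets/eks.amazonaws.com/serviceaccount/token (constructed)."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "iss": SAMPLE_ISSUER,
        "sub": f"system:serviceaccount:{namespace}:{sa}",
        "aud": ["sts.amazonaws.com"],
        "exp": 1700000000,
    }
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def decode_jwt_claims(token: str) -> dict:
    """Read the payload only; signature verification is done by STS, not here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_trust_policy(account_id: str, oidc_provider: str, namespace: str, sa: str) -> dict:
    """Same document as the trust.json heredoc, with both :sub and :aud pinned."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{sa}",
                f"{oidc_provider}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def check_trust_policy(policy: dict, claims: dict) -> list:
    """Findings for each Allow AssumeRoleWithWebIdentity statement that admits
    anything other than the service account whose token claims are given."""
    findings = []
    issuer = claims["iss"][len("https://"):]          # issuer host/path, no scheme
    token_aud = _as_list(claims.get("aud", []))
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        fed = stmt.get("Principal", {}).get("Federated", "")
        if not fed.endswith(f":oidc-provider/{issuer}"):
            findings.append(f"Federated principal {fed!r} is not this cluster's issuer {issuer}")
        cond = stmt.get("Condition", {})
        eq, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        sub_key, aud_key = f"{issuer}:sub", f"{issuer}:aud"
        if sub_key in eq:
            if claims["sub"] not in _as_list(eq[sub_key]):
                findings.append(f"sub condition {eq[sub_key]!r} does not match token sub {claims['sub']!r}")
        elif sub_key in like:
            findings.append(f"sub uses StringLike {like[sub_key]!r}: a wildcard admits every matching service account")
        else:
            findings.append("no :sub condition: any service account in the cluster can assume this role")
        if aud_key in eq:
            if not set(_as_list(eq[aud_key])) & set(token_aud):
                findings.append(f"aud condition {eq[aud_key]!r} does not match token aud {token_aud!r}")
        else:
            findings.append("no :aud condition: token audience is not pinned to sts.amazonaws.com")
    return findings


if __name__ == "__main__":
    claims = decode_jwt_claims(make_sample_token("eraseme", "aws"))
    good = build_trust_policy(SAMPLE_ACCOUNT, SAMPLE_PROVIDER, "eraseme", "aws")
    print("pinned policy:", check_trust_policy(good, claims) or "OK")
    loose = build_trust_policy(SAMPLE_ACCOUNT, SAMPLE_PROVIDER, "eraseme", "aws")
    loose["Statement"][0]["Condition"] = {"StringLike": {f"{SAMPLE_PROVIDER}:sub": "system:serviceaccount:*:*"}}
    for f in check_trust_policy(loose, claims):
        print("loose policy:", f)
```

Inside a pod the same check is: decode_jwt_claims(open(os.environ["AWS_WEB_IDENTITY_TOKEN_FILE"]).read()) against the policy returned by aws iam get-role. A clean result means the role trusts exactly this namespace/SA pair and no other pod in the cluster can get its credentials.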