Difference between revisions of "Configuring a Kubernetes service account to assume an IAM role"
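--- a/Configuring a Kubernetes service account to assume an IAM role
+++ b/Configuring a Kubernetes service account to assume an IAM role
@@ -1 +1,24 @@
+
+
+
+cat >trust-relationship.json <<EOF
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Federated": "arn:aws:iam::$account_id:[[oidc-provider/]]$oidc_provider"
+},
+"Action": "[[sts:AssumeRoleWithWebIdentity]]",
+"Condition": {
+"StringEquals": {
+"$oidc_provider:aud": "[[sts.amazonaws.com]]",
+"$oidc_provider:sub": "system:serviceaccount:$namespace:$service_account"
+}
+}
+}
+]
+}
+EOF
 == See also ==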
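Review bot: The here-document delimiter is unquoted (`<<EOF`), so `$account_id`, `$oidc_provider`, `$namespace` and `$service_account` are expanded by the shell, yet the added text never says where they are set; an unset one is written into trust-relationship.json as an empty string with no error, leaving a malformed principal ARN or a `sub` of `system:serviceaccount::`. I would put a guard directly above the `cat` line, `: "${account_id:?}" "${oidc_provider:?}" "${namespace:?}" "${service_account:?}" &&`, and add one sentence naming the four variables. It is also worth a sentence stating that the `aud` and `sub` conditions under `StringEquals` are what restrict the role to a single service account in a single namespace, so readers do not drop or loosen them when adapting the policy. The `[[…]]` link markup inside the snippet suggests it sits in ordinary wikitext rather than a preformatted block; if so, wrapping the snippet in a preformatted block would keep the JSON line breaks when rendered.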
Revision as of 11:33, 24 October 2023
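# Write the IAM role trust policy that lets one Kubernetes service account
# assume the role through the cluster's OIDC identity provider.
#
# Shell variables expanded inside the unquoted here-document:
#   account_id       - AWS account ID used in the OIDC provider ARN
#   oidc_provider    - provider identifier used in the ARN and as the prefix of
#                      the condition keys (presumably the issuer URL without
#                      the https:// scheme; confirm where the variable is set)
#   namespace        - Kubernetes namespace of the service account
#   service_account  - name of the Kubernetes service account
#
# Output: trust-relationship.json in the current directory (overwritten).
#
# Guard: stop before writing if any variable is unset or empty. Without it the
# shell substitutes empty strings and the file holds a malformed principal ARN
# or a subject of "system:serviceaccount::".
: "${account_id:?account_id is not set}" \
  "${oidc_provider:?oidc_provider is not set}" \
  "${namespace:?namespace is not set}" \
  "${service_account:?service_account is not set}" &&
# Both conditions use StringEquals, so the token must carry exactly this
# audience and exactly this namespace/service-account subject.
cat >trust-relationship.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::$account_id:oidc-provider/$oidc_provider"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "$oidc_provider:aud": "sts.amazonaws.com",
          "$oidc_provider:sub": "system:serviceaccount:$namespace:$service_account"
        }
      }
    }
  ]
}
EOF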
See also