Difference between revisions of "Configuring a Kubernetes service account to assume an IAM role"
Changed at line 27 of the wiki source: the see-also list, previously * {{IRSA}} and * {{OIDC}}, gains the entry * {{aws eks}}; [[Category:K8s]] is unchanged.
Revision as of 11:34, 24 October 2023
    # Trust policy for IRSA: only tokens issued by this cluster's OIDC provider,
    # with audience sts.amazonaws.com and a sub claim naming exactly one
    # namespace/service account, may assume the role.
    cat >trust-relationship.json <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::$account_id:oidc-provider/$oidc_provider"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "$oidc_provider:aud": "sts.amazonaws.com",
              "$oidc_provider:sub": "system:serviceaccount:$namespace:$service_account"
            }
          }
        }
      ]
    }
    EOF
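A review check for the trust policy above, added here as an example and not part of the original wiki page: it parses a generated trust-relationship.json and reports whether the web-identity statement is pinned to one IAM OIDC provider, the STS audience and one namespace:serviceaccount pair, flagging a missing or wildcarded sub condition. The account id, provider URL and service account in SAMPLE_POLICY are constructed placeholders.

```python
import json
import re

# Constructed sample (not a real account or provider): the page's trust policy
# with $account_id, $oidc_provider, $namespace and $service_account filled in.
PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEPROVIDERID"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{PROVIDER}:aud": "sts.amazonaws.com",
            f"{PROVIDER}:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa",
        }},
    }],
})

# Kubernetes service account subject: system:serviceaccount:<namespace>:<name>
SUB_PATTERN = re.compile(r"system:serviceaccount:[a-z0-9-]+:[a-z0-9.-]+")


def check_irsa_trust_policy(policy_json: str) -> list[str]:
    """Return findings for each AssumeRoleWithWebIdentity statement; an empty
    list means the role is pinned to one provider, audience and service account."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        m = re.fullmatch(r"arn:aws:iam::\d{12}:oidc-provider/(.+)",
                         stmt.get("Principal", {}).get("Federated", ""))
        if not m:
            findings.append("Federated principal is not an IAM OIDC provider ARN")
            continue
        provider = m.group(1)
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        # aud must match exactly: a loose audience accepts tokens minted for other consumers
        if equals.get(f"{provider}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com with StringEquals")
        # sub must name one service account; absent or wildcarded, every SA in the cluster qualifies
        sub = equals.get(f"{provider}:sub", like.get(f"{provider}:sub"))
        if sub is None:
            findings.append("no sub condition: any service account in the cluster can assume the role")
        elif "*" in sub or "?" in sub:
            findings.append(f"sub uses a wildcard: {sub!r}")
        elif not isinstance(sub, str) or not SUB_PATTERN.fullmatch(sub):
            findings.append(f"sub is not a system:serviceaccount:<ns>:<name> value: {sub!r}")
    return findings
```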
See also
- EKS: IRSA, Module: ebs_csi_irsa_role, enable_irsa
- OIDC, kubectl oidc-login, AWS IAM OIDC, EKS OIDC, EKS module, aws iam list-open-id-connect-providers | aws iam create-open-id-connect-provider | aws iam get-open-id-connect-provider, OIDC tokens, aws_lb_listener_rule
- AWS EKS: AWS::EKS, aws eks [ create-cluster | list-clusters | describe-cluster | update-kubeconfig | list-updates | list-addons | update-cluster-version | update-nodegroup-version | get-token | create-addon ]