I’d like to set up the external secrets operator following this guide, but do it in CDK. I’m having some difficulty replicating the eksctl create iamserviceaccount step. The trust relationship from the blogdemosa role created by following the guide looks like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account_id>:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/<cluster_oidc_id>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/<cluster_oidc_id>:sub": "system:serviceaccount:default:blogdemosa",
          "oidc.eks.us-east-1.amazonaws.com/id/<cluster_oidc_id>:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
```
So I think my CDK should have to look something like this:
```typescript
const serviceAccountRole = new iam.Role(this, 'ServiceAccountRole', {
  roleName: 'ServiceAccountRole',
  assumedBy: new iam.FederatedPrincipal(???),
  managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('SecretsManagerReadWrite')]
});
const serviceAccount = cluster.addServiceAccount('ServiceAccount', {
  name: 'eso-service-account',
  annotations: {
    'eks.amazonaws.com/role-arn': serviceAccountRole.roleArn
  }
});
```
But I have no idea what to put for any of the FederatedPrincipal’s parameters.
My approach was wrong; this is all I needed to do:
```typescript
// addServiceAccount() creates the IAM role and its OIDC trust policy itself,
// so no FederatedPrincipal has to be written by hand.
const serviceAccount = cluster.addServiceAccount('ServiceAccount', {
  name: 'eso-service-account',
});
serviceAccount.addToPrincipalPolicy(new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  actions: [
    'secretsmanager:GetSecretValue',
    'secretsmanager:DescribeSecret'
  ],
  resources: [
    'arn:aws:secretsmanager:us-east-1:552593679126:secret:*'
  ]
}));
```
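To make visible what `cluster.addServiceAccount()` (like `eksctl create iamserviceaccount`) generates behind the scenes, here is an added example that is not code from the question, the answer or the CDK library: it builds the trust policy shown in the question from the OIDC provider ARN plus the service account's namespace and name, and then reviews a policy for the two conditions (`:sub` and `:aud`) that scope who may assume the role. The account id and OIDC id in the test are constructed sample values.

```typescript
// Added example, not from the question or answer: derive the IRSA trust
// policy from the OIDC provider ARN and the Kubernetes service account,
// and review a policy for the :sub / :aud conditions it must carry.
type Statement = {
  Effect: string;
  Principal: { Federated: string };
  Action: string;
  Condition?: { StringEquals?: Record<string, string> };
};
type TrustPolicy = { Version: string; Statement: Statement[] };

// "arn:aws:iam::<acct>:oidc-provider/<host/path>" -> "<host/path>", which is
// the prefix of the :sub and :aud condition keys.
function issuerFromProviderArn(providerArn: string): string {
  const marker = ':oidc-provider/';
  const idx = providerArn.indexOf(marker);
  if (idx < 0) throw new Error(`not an OIDC provider ARN: ${providerArn}`);
  return providerArn.slice(idx + marker.length);
}

function buildIrsaTrustPolicy(providerArn: string, namespace: string, saName: string): TrustPolicy {
  const issuer = issuerFromProviderArn(providerArn);
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Federated: providerArn },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: { StringEquals: {
        [`${issuer}:sub`]: `system:serviceaccount:${namespace}:${saName}`,
        [`${issuer}:aud`]: 'sts.amazonaws.com',
      } },
    }],
  };
}

// Review check: without a pinned :sub any pod in the cluster can assume the
// role; without :aud pinned to sts.amazonaws.com, tokens minted for other
// audiences are accepted too.
function trustPolicyFindings(policy: TrustPolicy): string[] {
  const findings: string[] = [];
  policy.Statement.forEach((s, i) => {
    if (s.Action !== 'sts:AssumeRoleWithWebIdentity') return;
    const issuer = issuerFromProviderArn(s.Principal.Federated);
    const eq = (s.Condition && s.Condition.StringEquals) || {};
    if (!eq[`${issuer}:sub`]) findings.push(`statement ${i}: no ${issuer}:sub condition`);
    if (eq[`${issuer}:aud`] !== 'sts.amazonaws.com') findings.push(`statement ${i}: aud not pinned to sts.amazonaws.com`);
  });
  return findings;
}
```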