Set up the IAM role like so
resource "aws_iam_role" "role" { name = "${var.env}-${var.service}" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = "sts:AssumeRoleWithWebIdentity" Effect = "Allow" Sid = "" Principal = { Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.eks_oidc_issuer}" } }, ] }) } resource "aws_iam_policy" "policy" { name = "${var.env}-${var.service}" policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = [ "s3:PutObject", "s3:ListBucket", "s3:GetObject", "s3:DeleteObject" ] Effect = "Allow" Resource = "*" } ] }) } resource "aws_iam_role_policy_attachment" "attachment" { role = aws_iam_role.role.name policy_arn = aws_iam_policy.policy.arn } create the service account
resource "kubernetes_service_account" "this" { metadata { name = var.service namespace = var.service annotations = { "eks.amazonaws.com/role-arn" = aws_iam_role.role.arn } } automount_service_account_token = true } data.tf
data "aws_eks_cluster" "cluster" { name = "${var.cluster_env}-${var.cluster_name}" } data "aws_eks_cluster_auth" "auth" { name = "${var.cluster_env}-${var.cluster_name}" } data "aws_caller_identity" "current" {} data "aws_eks_cluster" "cluster" { name = "${var.cluster_env}-${var.cluster_name}" } locals.tf
locals { eks_oidc_issuer = trimprefix(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://") } providers.tf
provider "kubernetes" { host = data.aws_eks_cluster.cluster.endpoint cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data) token = data.aws_eks_cluster_auth.auth.token } Configure the app to use the service account
apiVersion: apps/v1 kind: Deployment metadata: name: references namespace: references labels: app: references spec: replicas: 1 selector: matchLabels: app: references template: metadata: labels: app: references spec: serviceAccountName: references containers: - name: references image: nginx ports: - containerPort: 8501 
Top comments (0)