Closed wlawton closed 6 months ago
I considered that perhaps you only meant to reference policies created by ACK in the policyRefs block, so I set about creating a policy (see spec below). Unfortunately this results in the following deployment error:

`Resource not found in cluster: iam.services.k8s.aws/v1alpha1/Policy:myNicePolicy`

```yaml
apiVersion: iam.services.k8s.aws/v1alpha1
kind: Policy
metadata:
  labels:
    argocd.argoproj.io/instance: aws-resources
  name: myNicePolicy
  namespace: utilities
spec:
  description: This is a lovely policy
  name: myNicePolicy
  policyDocument: >-
    {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"arn:aws:s3:::*"},{"Effect":"Allow","Action":["s3:List*"],"Resource":["*"]}]}
```
Hi @wlawton, in ACK, resource references should be pointing to other ACK resources. For example, an IAM role can reference an IAM Policy. These references must point to the respective resource `metadata.name`.

If you want to directly attach an AWS Policy, you need to use something like:

```yaml
policies:
  - arn:aws:iam::aws:policy/AmazonS3FullAccess
```
@wlawton For your second example, I don't think argo will be able to deploy that resource since the `metadata.name` isn't respecting the naming standards. Quoting:

> By convention, the names of Kubernetes resources should be up to maximum length of 253 characters and consist of lower case alphanumeric characters, -, and .

ACK has a tiny place for examples, you can find more in here :) https://github.com/aws-controllers-k8s/examples/blob/main/resources/iam/v1alpha1/policy.yaml - or you can take a look at the resources that are used to test the controllers: https://github.com/aws-controllers-k8s/iam-controller/blob/main/test/e2e/resources/role_referring.yaml
Thank you @a-hilaly, your policies suggestion for my Role definition worked a treat and I now have my IAM role established.

Regarding my faulty policy though, my Policy definition is copied from the example you referenced, so I'm still scratching my head a bit on that one.
@wlawton So regarding the names we use such as `$POLICY_NAME` - those are getting replaced during the tests by simple names like `policy-name-12345`, but yeah, technically they are faulty as well.

I agree that maybe for the examples repository we should avoid using `$POLICY_NAME` as an example since they can be confusing.
I was using ArgoCD to deploy my resources but switched to executing helmfile locally to get better debug output, and discovered I needed to change my policy name and also that my policy document was being rejected. I arrived at the following helm chart config, which is deploying fine now. Thanks again for your help.

```yaml
apiVersion: iam.services.k8s.aws/v1alpha1
kind: Policy
metadata:
  name: {{ .Values.policyName }}
spec:
  name: {{ .Values.policyName }}
  description: "An IAM Policy that can be linked to zero or more IAM Roles"
  policyDocument: {{ .Values.policyDocument | quote }}
  {{- with .Values.tags }}
  tags:
  {{- toYaml . | nindent 4 }}
  {{- end }}
```

values.yaml....

```yaml
policyName: simple-secure-storage-full-access
tags:
  - key: tag1
    value: val1
policyDocument: |
  {"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["s3:*"],"Resource": ["*"]}]}
```
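An added pre-deployment check, not part of this thread or of ACK, covering the two things that went wrong above: it validates `metadata.name` against the Kubernetes naming convention quoted earlier and parses the inline `policyDocument`, additionally flagging an Allow statement that grants a whole service on every resource (as the final `s3:*` document does). The manifest is assumed to arrive as an already-parsed dict (for example from `yaml.safe_load`); the sample below is constructed from the thread's values.

```python
import json
import re

# Kubernetes object names must be DNS subdomains: lower-case alphanumerics,
# '-' and '.', at most 253 characters (the convention quoted in the thread).
_DNS_SUBDOMAIN = re.compile(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*")
MAX_NAME_LEN = 253


def check_name(name):
    """Return the list of problems with a metadata.name (empty means it is valid)."""
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name is longer than {MAX_NAME_LEN} characters")
    if not _DNS_SUBDOMAIN.fullmatch(name):
        problems.append(f"name {name!r} must use lower-case alphanumerics, '-' and '.' only")
    return problems


def check_policy_document(doc):
    """Parse an inline IAM policy document; flag bad JSON and wildcard Allow statements."""
    try:
        policy = json.loads(doc)
    except json.JSONDecodeError as exc:
        return [f"policyDocument is not valid JSON: {exc.msg}"]
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also permits a single statement object
        statements = [statements]
    for i, st in enumerate(statements):
        actions, resources = st.get("Action", []), st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        if st.get("Effect") == "Allow" and wildcard_action and "*" in resources:
            problems.append(f"Statement[{i}] allows a whole service on every resource")
    return problems


def check_policy_manifest(manifest):
    """Validate an ACK iam.services.k8s.aws Policy manifest given as a dict."""
    return (check_name(manifest["metadata"]["name"])
            + check_policy_document(manifest["spec"]["policyDocument"]))


# Constructed sample: the rejected name from the thread plus its final s3:* document.
SAMPLE = {
    "metadata": {"name": "myNicePolicy"},
    "spec": {"policyDocument": '{"Version": "2012-10-17","Statement": [{"Effect": "Allow",'
                               '"Action": ["s3:*"],"Resource": ["*"]}]}'},
}
```

Running `check_policy_manifest(SAMPLE)` reports both the camel-case name and the wildcard statement, while the working `simple-secure-storage-full-access` name passes `check_name` cleanly.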
Just making my first ACK deployments today. Deployed the s3-controller and iam-controller and thought I'd start by creating a Role resource to provide the s3-controller with full IAM permissions on S3 via IRSA. I was hoping that I could use the policyRefs section to link the role to an existing IAM policy, e.g.

But iam-controller is logging an error:

I guess I've misunderstood the function of the policyRefs attribute.