aws-quickstart / cdk-eks-blueprints

AWS Quick Start Team
Apache License 2.0

Creation of IAM Roles with trust policy for Cluster's OIDC Provider #1042

Open vpopiolrccl opened 1 month ago

vpopiolrccl commented 1 month ago

Describe the feature

When creating a cluster, provisioning IAM roles using the CreateRoleProvider, it would be great to be able to provide a trust policy for the cluster's OIDC provider.

Alternatively, the roles could be created in a separate task but how could the cluster's OIDC provider be accessed to build the trust policy?

Use Case

For workloads to be deployed to the clusters, there will be service accounts that will be annotated with IAM roles that specify the permissions for those workloads. Those roles could be created as part of the cluster's blueprint, with a trust policy for the cluster's OIDC provider.

Proposed Solution

No response

Other Information

No response

Acknowledgements

CDK version used

2.146.0

EKS Blueprints Version

1.15.1

Node.js Version

21.6.1

Environment details (OS name and version, etc.)

MacOS 14.5

shapirov103 commented 1 month ago

@vpopiolrccl The assumedBy parameter to the constructor defines the trust policy for roles. You can use CompositePrincipal to add more than a single principal. According to the CDK documentation, you can further tweak the trust policy by accessing the assumeRolePolicy post creation; this will require creating a subclass of the CreateRoleProvider and overriding the provider method. For IRSA or Pod Identity you can use the EKS Pod Identity add-on and use roles without the OIDC trust relationship with pods.

Hope it helps.

vpopiolrccl commented 1 month ago

Thanks so much, @shapirov103. I ended up using an extended CreateRoleProvider and inside the provider, I'm using the eks.CfnPodIdentityAssociation construct to associate the role with a service account.

JonVDB commented 3 weeks ago

> Thanks so much, @shapirov103. I ended up using an extended CreateRoleProvider and inside the provider, I'm using the eks.CfnPodIdentityAssociation construct to associate the role with a service account.

@vpopiolrccl Hey! Do you happen to have an example of this extended CreateRoleProvider with eks.CfnPodIdentityAssociation that you are using? I have a similar issue.
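Not part of the thread or the eks-blueprints code base, this added example spells out the two trust policies the replies contrast: the IRSA policy scoped to the cluster's OIDC provider and a single service account, and the Pod Identity policy, which trusts `pods.eks.amazonaws.com` and leaves the pod-to-role mapping to the Pod Identity association (what `eks.CfnPodIdentityAssociation` creates). In CDK the same shape comes from the role's `assumedBy` principal (an `iam.FederatedPrincipal` for IRSA, `iam.ServicePrincipal('pods.eks.amazonaws.com')` for Pod Identity). The account id, OIDC provider id, namespace and service account names below are constructed placeholders.

```typescript
// Added example, not code from the issue or from eks-blueprints: builds the two
// trust policies discussed in the thread as plain objects and audits the IRSA one.
interface TrustStatement { Effect: string; Principal: Record<string, string>; Action: string | string[];
                           Condition?: Record<string, Record<string, string>>; }
interface TrustPolicy { Version: string; Statement: TrustStatement[]; }

// IRSA: trust the cluster's OIDC provider, but only for one service account.
// Condition keys use the issuer host/path, i.e. the provider ARN after "oidc-provider/".
function irsaTrustPolicy(oidcProviderArn: string, namespace: string, serviceAccount: string): TrustPolicy {
  const issuer = oidcProviderArn.split(':oidc-provider/')[1];
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Federated: oidcProviderArn },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: { StringEquals: {
        [`${issuer}:sub`]: `system:serviceaccount:${namespace}:${serviceAccount}`,
        [`${issuer}:aud`]: 'sts.amazonaws.com',
      } },
    }],
  };
}

// EKS Pod Identity: the trust policy names no OIDC provider; the pod-to-role mapping
// lives in the PodIdentityAssociation (cluster, namespace, service account, role ARN).
function podIdentityTrustPolicy(): TrustPolicy {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Principal: { Service: 'pods.eks.amazonaws.com' },
                  Action: ['sts:AssumeRole', 'sts:TagSession'] }],
  };
}

// Findings for an IRSA trust policy that lets more than the intended service
// account assume the role; an empty list means the trust is tightly scoped.
function auditIrsaTrust(policy: TrustPolicy): string[] {
  const findings: string[] = [];
  for (const s of policy.Statement) {
    if (s.Effect !== 'Allow' || !s.Principal.Federated) continue;
    const cond: Record<string, Record<string, string>> = s.Condition || {};
    const eq: Record<string, string> = cond.StringEquals || {};
    const like: Record<string, string> = cond.StringLike || {};
    const subKey = Object.keys({ ...eq, ...like }).find((k) => k.endsWith(':sub'));
    if (!subKey) { findings.push('no :sub condition: any service account in the cluster can assume the role'); continue; }
    const sub = eq[subKey] || like[subKey];
    if (sub.includes('*')) findings.push(`wildcard in :sub (${sub})`);
    if (!Object.keys(eq).some((k) => k.endsWith(':aud'))) findings.push('no :aud condition pinning the token audience');
  }
  return findings;
}
```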