aws-quickstart / cdk-eks-blueprints

AWS Quick Start Team
Apache License 2.0

Create application serviceAccount #398

Closed vumdao closed 1 year ago

vumdao commented 2 years ago

Describe the feature

Create more serviceAccounts using cluster.addServiceAccount

Use Case

I want to create a serviceAccount for my application based on the IAM OIDC provider created by eks-blueprints, but it does nothing.


code

```typescript
import { PolicyStatement } from 'aws-cdk-lib/aws-iam';
import * as blueprints from '@aws-quickstart/eks-blueprints';

// eksCluster is the eks.Cluster obtained from the blueprint stack
// (e.g. stack.getClusterInfo().cluster). The bare createNamespace in the
// original snippet is assumed to be the blueprints utility
// blueprints.utils.createNamespace(name, cluster, overwrite, prune).
const airflowNameSpace = blueprints.utils.createNamespace('airflow', eksCluster, true, true);

// addServiceAccount creates the Kubernetes ServiceAccount plus an IAM role whose
// trust policy is federated to the cluster's OIDC provider and scoped to this
// one service account (IRSA); the eks.amazonaws.com/role-arn annotation is set for you.
const airflowSA = eksCluster.addServiceAccount(`airflow-worker-role`, {
    name: `airflow-worker-role`,
    namespace: 'airflow'
});
// Apply the Namespace manifest before the ServiceAccount manifest.
airflowSA.node.addDependency(airflowNameSpace);

// Permissions are attached to the service account's IAM role (its principal).
airflowSA.addToPrincipalPolicy(new PolicyStatement({
    sid: 'S3Write',
    actions: [
        "s3:PutObject",
        "s3:PutObjectTagging",
        // The two ACL actions let the workload rewrite object ACLs; drop them
        // unless the job actually has to set ACLs on what it writes.
        "s3:PutObjectVersionAcl",
        "s3:PutObjectAcl"
    ],
    resources: [
        "arn:aws:s3:::ops/data/*"
    ]
}));

airflowSA.addToPrincipalPolicy(new PolicyStatement({
    sid: 'DynamoDBReadOnly',
    actions: [
        "dynamodb:BatchGetItem",
        "dynamodb:Describe*",
        "dynamodb:List*",
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:PartiQLSelect"
    ],
    // Both the account and the table segments are wildcards, so this covers
    // every table the role's account can reach in us-east-1; list the specific
    // table ARNs the workers read instead where you can.
    resources: ['arn:aws:dynamodb:us-east-1:*:table/*']
}));
```

Proposed Solution

I see that eks-blueprints uses a Lambda function to create the IAM identity provider, but I don't know how it gets the provider ID to federate the serviceAccount.

Other Information

No response

Acknowledgements

CDK version used

2.20.0

EKS Blueprints Version

2.20.0

Node.js Version

v16.13.0

Environment details (OS name and version, etc.)

Ubuntu
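The provider-ID question in the Proposed Solution above comes down to the IAM role's trust policy: the OIDC provider ARN is the federated principal, and the provider ID (the issuer URL without its scheme) prefixes the `sub` and `aud` condition keys that pin the role to one Kubernetes service account. The TypeScript below is an added example and is not code from this thread or from cdk-eks-blueprints; it builds that trust policy the way IRSA expects it and checks an existing one for the scoping mistakes that let other pods assume the role. The account ID, provider ID, namespace and service-account name are constructed placeholders.

```typescript
// Added example, not code from this issue thread or from cdk-eks-blueprints: models the IAM
// trust policy behind IRSA and checks an existing trust policy for scoping mistakes.

interface IrsaBinding {
  accountId: string;
  oidcIssuerUrl: string;  // cluster OIDC issuer: https://oidc.eks.<region>.amazonaws.com/id/<ID>
  namespace: string;
  serviceAccount: string;
}

interface TrustStatement {
  Effect: string;
  Principal: { Federated?: string };
  Action: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}
interface TrustPolicy { Version: string; Statement: TrustStatement[]; }

// The "provider ID" is the issuer URL minus its scheme: it is the tail of the IAM OIDC
// provider ARN and the prefix of the <id>:sub and <id>:aud condition keys.
function oidcProviderId(issuerUrl: string): string {
  return issuerUrl.replace(/^https?:\/\//, '').replace(/\/+$/, '');
}

function oidcProviderArn(accountId: string, issuerUrl: string): string {
  return 'arn:aws:iam::' + accountId + ':oidc-provider/' + oidcProviderId(issuerUrl);
}

// Trust policy that lets exactly one Kubernetes service account assume the role: the sub
// claim of the projected token is pinned to system:serviceaccount:<namespace>:<name>.
function buildIrsaTrustPolicy(b: IrsaBinding): TrustPolicy {
  const id = oidcProviderId(b.oidcIssuerUrl);
  const conditions: Record<string, string> = {};
  conditions[id + ':sub'] = 'system:serviceaccount:' + b.namespace + ':' + b.serviceAccount;
  conditions[id + ':aud'] = 'sts.amazonaws.com';
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Federated: oidcProviderArn(b.accountId, b.oidcIssuerUrl) },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: { StringEquals: conditions },
    }],
  };
}

// Findings for an existing trust policy; empty means only the intended service account can
// assume the role. Flags a wrong provider, a missing or wildcarded sub, and an unpinned aud.
function checkIrsaTrustPolicy(policy: TrustPolicy, b: IrsaBinding): string[] {
  const findings: string[] = [];
  const id = oidcProviderId(b.oidcIssuerUrl);
  const wantArn = oidcProviderArn(b.accountId, b.oidcIssuerUrl);
  const wantSub = 'system:serviceaccount:' + b.namespace + ':' + b.serviceAccount;
  policy.Statement.forEach((st, i) => {
    const actions = Array.isArray(st.Action) ? st.Action : [st.Action];
    if (st.Effect !== 'Allow' || actions.indexOf('sts:AssumeRoleWithWebIdentity') === -1) return;
    if (st.Principal.Federated !== wantArn) {
      findings.push('statement ' + i + ': Federated principal is not ' + wantArn);
    }
    const eq: Record<string, string | string[]> = (st.Condition && st.Condition.StringEquals) || {};
    const like: Record<string, string | string[]> = (st.Condition && st.Condition.StringLike) || {};
    const sub: string | string[] | undefined = eq[id + ':sub'];
    const subLike: string | string[] | undefined = like[id + ':sub'];
    if (sub === undefined && subLike === undefined) {
      findings.push('statement ' + i + ': no ' + id + ':sub condition; any service account in the cluster can assume the role');
    } else if (sub !== undefined && sub !== wantSub) {
      findings.push('statement ' + i + ': sub is ' + JSON.stringify(sub) + ', expected ' + wantSub);
    } else if (subLike !== undefined && (Array.isArray(subLike) ? subLike : [subLike]).some(p => p.indexOf('*') !== -1 || p.indexOf('?') !== -1)) {
      findings.push('statement ' + i + ': sub uses a wildcard pattern; scope it to one service account');
    }
    if (eq[id + ':aud'] !== 'sts.amazonaws.com') {
      findings.push('statement ' + i + ': ' + id + ':aud is not pinned to sts.amazonaws.com');
    }
  });
  return findings;
}

// Constructed sample; the account ID and provider ID are placeholders, not real values.
const sample: IrsaBinding = {
  accountId: '111122223333',
  oidcIssuerUrl: 'https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE',
  namespace: 'airflow',
  serviceAccount: 'airflow-worker-role',
};
const goodPolicy = buildIrsaTrustPolicy(sample);

// Same role, but with a wildcard sub and no aud: every pod in "airflow" could assume it.
const broadPolicy: TrustPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { Federated: oidcProviderArn(sample.accountId, sample.oidcIssuerUrl) },
    Action: 'sts:AssumeRoleWithWebIdentity',
    Condition: { StringLike: { [oidcProviderId(sample.oidcIssuerUrl) + ':sub']: 'system:serviceaccount:airflow:*' } },
  }],
};

const goodFindings = checkIrsaTrustPolicy(goodPolicy, sample);    // []
const broadFindings = checkIrsaTrustPolicy(broadPolicy, sample);  // 2 findings: wildcard sub, unpinned aud
```

To compare against what the blueprint actually produced, take the role ARN from the `eks.amazonaws.com/role-arn` annotation on the ServiceAccount, fetch its `AssumeRolePolicyDocument` with `aws iam get-role`, and feed it to `checkIrsaTrustPolicy` with the cluster's issuer URL from `aws eks describe-cluster`.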

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has been open 60 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] commented 1 year ago

Issue closed due to inactivity.

haemikim3 commented 1 year ago

Any progress on this?

shapirov103 commented 1 year ago

@haemikim3 Please take a look at the following example of creating a service account with particular policies for a specific team (application team). This approach can be simplified further, without the need to create a subclass, so this can be viewed as a workaround at the moment.

khuongdo-nicosys commented 2 months ago

There is a built-in utility.

```typescript
import * as cdk from 'aws-cdk-lib';
import * as blueprints from '@aws-quickstart/eks-blueprints';

// options: the GpuOptions for the GPU cluster pattern; policies: the IAM managed
// policies to attach to the service account's role. Both are supplied by the caller
// (check the utility's signature for whether it takes an array or spread arguments).
// build() takes the CDK scope and a stack id; the names below are assumed.
const app = new cdk.App();
const stack = blueprints.GpuBuilder.builder(options).build(app, 'gpu-blueprint');
const cluster = stack.getClusterInfo().cluster;

// Creates the ServiceAccount in the namespace together with its IRSA role and
// attaches the given policies to that role.
blueprints.utils.createServiceAccountWithPolicy(
    cluster,
    `sample-sa`,
    `sample-ns`,
    policies
);
```

Hope it helps :)