department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

Attach "AssumeRoleWithWebIdentity" and SSM IAM policies to vets-api service account. #71315

Open RachalCassity opened 10 months ago

RachalCassity commented 10 months ago

In the new EKS clusters, each application will have its own SecretStore. The application's service account will need to have AssumeRoleWithWebIdentity and SSM IAM policies attached to the service account so the SecretStore can communicate with the AWS Parameter Store.

Tasks
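A check for the kind of role trust policy this issue describes, as an added example that is not part of the issue or the project's own code: it flags an `sts:AssumeRoleWithWebIdentity` statement that is not pinned to a single Kubernetes service account and to the STS audience. The account ID, region, OIDC provider ID and namespace are constructed placeholders, and `vets-api` as the service account name is an assumption.

```python
# Constructed placeholders: account ID, region, OIDC provider ID and the
# namespace are not from the issue; "vets-api" as the account name is assumed.
OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF0123456789"
PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"
AUDIENCE = "sts.amazonaws.com"  # audience EKS puts in tokens issued for IAM roles


def trust_policy(sub_operator, sub_value):
    """Build a constructed role trust policy that matches `sub` with the given operator."""
    condition = {"StringEquals": {f"{OIDC}:aud": AUDIENCE}}
    condition.setdefault(sub_operator, {})[f"{OIDC}:sub"] = sub_value
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}


def audit_trust_policy(policy, namespace, service_account):
    """Return findings for web-identity statements not pinned to one service account."""
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for i, st in enumerate(statements):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        principal = st.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        issuer = str(federated).split("oidc-provider/")[-1]
        # Only exact matches count: StringLike with wildcards admits other service accounts.
        exact = st.get("Condition", {}).get("StringEquals", {})
        if exact.get(f"{issuer}:sub") != expected_sub:
            findings.append(f"statement {i}: {issuer}:sub is not pinned to {expected_sub}")
        if exact.get(f"{issuer}:aud") != AUDIENCE:
            findings.append(f"statement {i}: {issuer}:aud is not pinned to {AUDIENCE}")
    return findings


if __name__ == "__main__":
    scoped = trust_policy("StringEquals", "system:serviceaccount:vets-api:vets-api")
    shared = trust_policy("StringLike", "system:serviceaccount:*:*")
    print(audit_trust_policy(scoped, "vets-api", "vets-api"))
    print(audit_trust_policy(shared, "vets-api", "vets-api"))
```

The same function can be pointed at the `AssumeRolePolicyDocument` of a real role once it has been loaded as a dictionary.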

jennb33 commented 6 months ago

Per @RachalCassity this work may no longer be required; keep in the backlog. Currently we are all using the same AWS "SecretStore" role, and it is unknown if we are going to proceed with this ticket.

jennb33 commented 6 months ago

Closing, Rachal doesn't think we will need this. We can always re-create if we need to.

jennb33 commented 5 months ago

This ticket should happen after the EKS work is completed