Open linzhengen opened 3 years ago
eksctl create iamserviceaccount

Doc
https://docs.aws.amazon.com/ja_jp/eks/latest/userguide/aws-load-balancer-controller.html

Relevant source
https://github.com/weaveworks/eksctl/blob/8ab886b8752038a3ee521aa30dc356468211c6f0/pkg/cfn/template/iam_helpers.go#L41

Command sample

```
eksctl create iamserviceaccount \
  --cluster=my_cluster \
  --namespace=kube-system \
  --name=aws-load-balancer-controller \
  --attach-policy-arn=arn:aws:iam::111122223333:policy/AWSLoadBalancerControllerIAMPolicy \
  --override-existing-serviceaccounts \
  --approve
```

AssumeRolePolicyDocument sample

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.ap-northeast-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.ap-northeast-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller",
          "oidc.eks.ap-northeast-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
```

Thoughts
When the Role is created with Terraform or CloudFormation instead of with eksctl create iamserviceaccount, the Condition is not required, but it is probably better to include it.
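Added example, not from the issue, the AWS docs or eksctl: a small Python audit that takes an AssumeRolePolicyDocument (the JSON you would paste into Terraform's `assume_role_policy` or a CloudFormation role) and reports every `sts:AssumeRoleWithWebIdentity` statement whose Condition does not pin the token's `sub` and `aud` claims to the OIDC provider's keys. The three sample policies are constructed here: the pinned one reproduces the issue's sample (example account `111122223333`, example OIDC id), the other two are what a hand-written role without the Condition, or with a wildcard `StringLike`, looks like.

```python
"""Audit an IAM role trust policy (AssumeRolePolicyDocument) for EKS IRSA.

Added example for this issue; not eksctl code and not from the AWS docs.
A trust statement that allows sts:AssumeRoleWithWebIdentity from the
cluster's OIDC provider should also pin the token's `sub`
(namespace:serviceaccount) and `aud` claims with StringEquals. Without the
`sub` condition, a projected token for any service account in the cluster
satisfies the trust policy.
"""
import json

STS_ACTION = "sts:AssumeRoleWithWebIdentity"
EXPECTED_AUD = "sts.amazonaws.com"
# Example issuer from the issue's sample policy (example cluster id).
ISSUER = "oidc.eks.ap-northeast-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"


def _as_list(value):
    """IAM policy elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _issuer_from_provider_arn(provider_arn):
    """arn:aws:iam::<acct>:oidc-provider/<issuer> -> <issuer>, which is the
    prefix of the condition keys (<issuer>:sub, <issuer>:aud)."""
    marker = ":oidc-provider/"
    if marker not in provider_arn:
        return None
    return provider_arn.split(marker, 1)[1]


def audit_irsa_trust_policy(policy):
    """Return a list of findings; an empty list means every web-identity
    statement pins both sub and aud with StringEquals."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or STS_ACTION not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal") or {}
        if not isinstance(principal, dict):  # e.g. "Principal": "*"
            findings.append(f"statement {idx}: Principal {principal!r} is not a Federated OIDC provider")
            continue
        cond = stmt.get("Condition") or {}
        equals = cond.get("StringEquals") or {}
        like = cond.get("StringLike") or {}
        for provider_arn in _as_list(principal.get("Federated")):
            issuer = _issuer_from_provider_arn(provider_arn)
            if issuer is None:
                findings.append(f"statement {idx}: Federated principal {provider_arn!r} is not an OIDC provider ARN")
                continue
            sub_key, aud_key = f"{issuer}:sub", f"{issuer}:aud"
            if sub_key in equals:
                for sa in _as_list(equals[sub_key]):
                    # A pinned value looks like system:serviceaccount:<ns>:<name> (3 colons).
                    if not sa.startswith("system:serviceaccount:") or sa.count(":") != 3:
                        findings.append(f"statement {idx}: {sub_key} value {sa!r} is not one namespace:serviceaccount")
            elif sub_key in like:
                findings.append(f"statement {idx}: {sub_key} uses StringLike {_as_list(like[sub_key])!r}; "
                                "wildcards widen which service accounts may assume the role")
            else:
                findings.append(f"statement {idx}: no Condition on {sub_key}; "
                                "any service account in the cluster can assume this role")
            aud_values = _as_list(equals.get(aud_key)) or _as_list(like.get(aud_key))
            if not aud_values:
                findings.append(f"statement {idx}: no Condition on {aud_key} (expected {EXPECTED_AUD})")
            elif aud_values != [EXPECTED_AUD]:
                findings.append(f"statement {idx}: {aud_key} is {aud_values!r}, expected [{EXPECTED_AUD!r}]")
    return findings


def audit_irsa_trust_policy_json(text):
    """Same check on the raw JSON document as stored in Terraform/CloudFormation."""
    return audit_irsa_trust_policy(json.loads(text))


# Constructed sample: the trust policy eksctl generates, as shown in this issue.
PINNED_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/%s"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "%s:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller",
      "%s:aud": "sts.amazonaws.com"}}
  }]
}""" % (ISSUER, ISSUER, ISSUER)
PINNED_POLICY = json.loads(PINNED_JSON)

# Constructed sample: the same role written by hand without the Condition block.
NO_CONDITION_POLICY = json.loads(PINNED_JSON)
del NO_CONDITION_POLICY["Statement"][0]["Condition"]

# Constructed sample: Condition present, but sub is only a StringLike wildcard.
WILDCARD_POLICY = json.loads(PINNED_JSON)
WILDCARD_POLICY["Statement"][0]["Condition"] = {
    "StringLike": {ISSUER + ":sub": "system:serviceaccount:*:*"},
    "StringEquals": {ISSUER + ":aud": EXPECTED_AUD},
}

if __name__ == "__main__":
    for name, pol in [("pinned", PINNED_POLICY), ("no-condition", NO_CONDITION_POLICY),
                      ("wildcard", WILDCARD_POLICY)]:
        print(name, audit_irsa_trust_policy(pol) or ["ok"])
```

The check mirrors what eksctl's template writes: `StringEquals` on `<issuer>:sub` with a single `system:serviceaccount:<namespace>:<name>` value and on `<issuer>:aud` with `sts.amazonaws.com`. Run it over the trust policy of every IRSA role that was not created by `eksctl create iamserviceaccount` before applying it.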