terraform-aws-modules / terraform-aws-iam

Terraform module to create AWS IAM resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/iam/aws
Apache License 2.0

k8s service accounts using IRSA unable to assume roles if wildcard is used for the service account name in IAM Role trust policy #486

Closed christopheroconnell closed 3 months ago

christopheroconnell commented 3 months ago

Description

Experiencing an issue in registry.terraform.io/terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks?version=5.39.0

I deployed the Crossplane project to an EKS cluster and am attempting to set it up with IRSA. Crossplane AWS providers create k8s service accounts with a random identifier, e.g. provider-aws-s3-6f461b0ba11f or provider-aws-kms-e22db03fbdbb.

In order to allow this k8s service account to assume an IAM role, I have to explicitly allow this service account name in my IAM role trust policy after the Crossplane provider is created. The iam-role-for-service-accounts-eks module creates a trust policy for the IAM role using StringEquals, so an exact match of the service account name is required.

I would prefer it if this were StringLike so that I can use wildcards, e.g. provider-aws-*. This would allow users to set up the trust policy once for all AWS Crossplane providers.


Versions

Reproduction Code [Required]


module "iam_eks_role" {
  source    = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  role_name = "my-app"

  role_policy_arns = {
    policy = "arn:aws:iam::012345678901:policy/myapp"
  }

  oidc_providers = {
    one = {
      provider_arn               = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
      namespace_service_accounts = ["crossplane-system:provider-aws-*"]
    }
  }
}

Steps to reproduce the behavior:

Run terraform init and plan. Apply not needed.

Expected behavior

Trust policy output with StringLike, allowing wildcard matches ->

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam:: 012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D:aud": "sts.amazonaws.com",
          "oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D:sub": "system:serviceaccount:crossplane-system:provider-aws-*"
        }
      }
    }
  ]
}

Actual behavior

Trust policy output with StringEquals ->

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam:: 012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D:aud": "sts.amazonaws.com",
          "oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D:sub": "system:serviceaccount:crossplane-system:provider-aws-*"
        }
      }
    }
  ]
}
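
The practical difference between the two trust policies above, shown with a small evaluator of IAM's StringEquals and StringLike condition semantics. This is an added example written for this page, not code from the module or the issue; the evaluator, the `token_claims` helper and every candidate service-account name other than the two named in the issue are constructed.

```python
import re

# Constants taken from the issue's reproduction code and trust policies.
ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
AUD_KEY, SUB_KEY = f"{ISSUER}:aud", f"{ISSUER}:sub"
SUB_PATTERN = "system:serviceaccount:crossplane-system:provider-aws-*"
# The issue's "Actual" (StringEquals) and "Expected" (StringLike) Condition blocks.
CONDITION_EQUALS = {"StringEquals": {AUD_KEY: "sts.amazonaws.com", SUB_KEY: SUB_PATTERN}}
CONDITION_LIKE = {"StringLike": {AUD_KEY: "sts.amazonaws.com", SUB_KEY: SUB_PATTERN}}

def _wildcard_regex(pattern: str) -> str:
    # StringLike: '*' matches any run of characters, '?' exactly one, rest is literal.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)

def condition_matches(condition: dict, claims: dict) -> bool:
    """Evaluate a trust-policy Condition against a web-identity token's claims.
    Keys within a block are ANDed; a list of values for one key is ORed."""
    for operator, entries in condition.items():
        for key, expected in entries.items():
            actual = claims.get(key)
            if actual is None:  # a missing claim never satisfies a String* test
                return False
            values = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = any(actual == v for v in values)  # '*' is a literal character here
            elif operator == "StringLike":
                ok = any(re.fullmatch(_wildcard_regex(v), actual) for v in values)
            else:
                raise ValueError(f"unsupported operator {operator!r}")
            if not ok:
                return False
    return True

def token_claims(namespace: str, service_account: str) -> dict:
    # Constructed claims of a projected service-account token as the EKS OIDC issuer presents them.
    return {AUD_KEY: "sts.amazonaws.com", SUB_KEY: f"system:serviceaccount:{namespace}:{service_account}"}

def allowed_subjects(condition: dict, subjects: list) -> list:
    """Return the 'namespace:sa' pairs that the condition lets assume the role."""
    return [f"{ns}:{sa}" for ns, sa in subjects if condition_matches(condition, token_claims(ns, sa))]

if __name__ == "__main__":
    candidates = [("crossplane-system", "provider-aws-s3-6f461b0ba11f"),
                  ("crossplane-system", "provider-aws-*"),  # the only name StringEquals accepts
                  ("crossplane-system", "some-other-sa"),
                  ("default", "provider-aws-s3-6f461b0ba11f")]  # same prefix, different namespace
    print("StringEquals:", allowed_subjects(CONDITION_EQUALS, candidates))
    print("StringLike:  ", allowed_subjects(CONDITION_LIKE, candidates))
```

With StringLike the trust boundary becomes the crossplane-system namespace plus the provider-aws- prefix, so any principal able to create a service account with that name in that namespace can obtain the role. Keep the namespace part of the pattern literal and restrict service-account creation in that namespace accordingly.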

bryantbiggs commented 3 months ago

https://github.com/terraform-aws-modules/terraform-aws-iam/blob/39e42e1f847afe5fd1c1c98c64871817e37e33ca/modules/iam-role-for-service-accounts-eks/variables.tf#L73-L77

christopheroconnell commented 3 months ago

https://github.com/terraform-aws-modules/terraform-aws-iam/blob/39e42e1f847afe5fd1c1c98c64871817e37e33ca/modules/iam-role-for-service-accounts-eks/variables.tf#L73-L77

Thank you so much!

github-actions[bot] commented 2 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.