Closed christopheroconnell closed 3 months ago
Description
Experiencing an issue in registry.terraform.io/terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks?version=5.39.0
I deployed the Crossplane project to an EKS cluster and am attempting to set it up with IRSA. Crossplane AWS providers create k8s service accounts with a random identifier, e.g. provider-aws-s3-6f461b0ba11f or provider-aws-kms-e22db03fbdbb.
In order to allow this k8s service account to assume an IAM role, I have to explicitly allow this service account name in my IAM role trust policy after the Crossplane provider is created. The iam-role-for-service-accounts-eks module creates a trust policy for the IAM role using StringEquals, so an exact match of the service account name is required.
I would prefer if this were StringLike so that I can use wildcards, e.g. provider-aws-*. This would allow users to set up the trust policy once for all AWS Crossplane providers.
Reproduction Code [Required]
Steps to reproduce the behavior:
Run terraform init and plan. Apply not needed.
Expected behavior
Trust policy output with StringLike, allowing wildcard matches:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D:aud": "sts.amazonaws.com",
          "oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D:sub": "system:serviceaccount:crossplane-system:provider-aws-*"
        }
      }
    }
  ]
}
Actual behavior
Trust policy output with StringEquals:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D:aud": "sts.amazonaws.com",
          "oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D:sub": "system:serviceaccount:crossplane-system:provider-aws-*"
        }
      }
    }
  ]
}
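The difference between the two outputs is only the condition operator, but it decides which pod tokens the role trusts. As an added example (not part of this issue and not the module's own code), the script below builds the trust policy above with either operator and evaluates it the way IAM would against the `aud` and `sub` claims of an EKS projected service-account token: `StringEquals` compares the literal string `provider-aws-*`, so the randomly suffixed Crossplane service accounts never match, while `StringLike` treats `*` as a wildcard. The account id and OIDC provider id are the placeholder values from the issue; the service-account names are constructed samples. The `string_like` matcher implements the documented IAM semantics (`*` matches any run of characters, `?` one character, case-sensitive) and is an assumption about IAM's behaviour, not an AWS library call.

```python
import re

# Placeholder values copied from the issue text (constructed sample account / OIDC provider id).
OIDC_HOST = "oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
ACCOUNT_ID = "012345678901"
SUB_PATTERN = "system:serviceaccount:crossplane-system:provider-aws-*"


def trust_policy(operator: str) -> dict:
    """Build the module-style IRSA trust policy with the given condition operator."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    operator: {
                        f"{OIDC_HOST}:aud": "sts.amazonaws.com",
                        f"{OIDC_HOST}:sub": SUB_PATTERN,
                    }
                },
            }
        ],
    }


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics (assumed): '*' matches any run of characters, '?' one character, case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,  # exact, case-sensitive comparison
    "StringLike": string_like,
}


def token_claims(namespace: str, service_account: str, aud: str = "sts.amazonaws.com") -> dict:
    """Claims of an EKS projected service-account token, keyed the way IAM condition keys name them."""
    return {
        f"{OIDC_HOST}:aud": aud,
        f"{OIDC_HOST}:sub": f"system:serviceaccount:{namespace}:{service_account}",
    }


def assume_role_allowed(policy: dict, claims: dict) -> bool:
    """True if some Allow statement for sts:AssumeRoleWithWebIdentity has every condition key satisfied."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        satisfied = True
        for operator, keys in stmt.get("Condition", {}).items():
            match = OPERATORS[operator]
            for key, expected in keys.items():
                actual = claims.get(key)
                expected_values = expected if isinstance(expected, list) else [expected]
                # A missing claim or no matching expected value fails the whole statement.
                if actual is None or not any(match(e, actual) for e in expected_values):
                    satisfied = False
        if satisfied:
            return True
    return False


def which_subjects_may_assume(operator: str, subjects: list) -> dict:
    """Map 'namespace/serviceaccount' to whether the role trusts that token under the given operator."""
    policy = trust_policy(operator)
    return {f"{ns}/{sa}": assume_role_allowed(policy, token_claims(ns, sa)) for ns, sa in subjects}


if __name__ == "__main__":
    # Constructed sample: the two Crossplane provider SAs from the issue plus two that must stay untrusted.
    subjects = [
        ("crossplane-system", "provider-aws-s3-6f461b0ba11f"),
        ("crossplane-system", "provider-aws-kms-e22db03fbdbb"),
        ("crossplane-system", "provider-gcp-storage-0123456789ab"),
        ("default", "provider-aws-s3-6f461b0ba11f"),
    ]
    for op in ("StringEquals", "StringLike"):
        print(op, which_subjects_may_assume(op, subjects))
```

Two things worth checking when switching the operator: the `aud` key and the namespace component of `sub` stay literal, so the wildcard only widens the service-account name, and it widens it to every service account in `crossplane-system` whose name starts with `provider-aws-`. Anyone who can create service accounts in that namespace can then mint tokens the role trusts, so RBAC on service-account creation there becomes part of the role's security boundary.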