Amazon EKS 3.1.1 (last updated in version 0.64.3)

EKS IAM Role Assume Role Policy for Kubernetes Service Accounts


This Terraform module creates the assume role policy (the IAM trust policy) for an IAM Role so that the role can be assumed by Kubernetes Service Accounts through the EKS IAM Roles for Service Accounts (IRSA) feature. It requires an EKS cluster with IRSA enabled, which means an IAM OpenID Connect provider registered for the cluster; the two required provider variables below point at it. Because this trust policy is what decides which pods may obtain the role's credentials, scope it to the specific namespaces or service accounts that need the role rather than leaving both filters unset.

See the corresponding section of the eks-cluster-control-plane module README for information on how to set up IRSA and how it works.

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EKS-IAM-ROLE-ASSUME-ROLE-POLICY-FOR-SERVICE-ACCOUNT MODULE
# ------------------------------------------------------------------------------------------------------

module "eks_iam_role_assume_role_policy_for_service_account" {

source = "git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-iam-role-assume-role-policy-for-service-account?ref=v3.1.1"

# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------

# ARN of the OpenID Connect Provider provisioned for the EKS cluster.
eks_openid_connect_provider_arn = <string>

# URL of the OpenID Connect Provider provisioned for the EKS cluster.
eks_openid_connect_provider_url = <string>

# The Kubernetes Namespaces that are allowed to assume the attached IAM Role.
# Set only one of `var.namespaces` or `var.service_accounts`. If both are set,
# you may end up with a rule that can never be satisfied. If both are null,
# the policy allows every service account in every namespace of the cluster
# to assume the role, which is almost never what you want.
namespaces = <list(string)>

# The Kubernetes Service Accounts (name plus namespace) that are allowed to
# assume the attached IAM Role. Set only one of `var.namespaces` or
# `var.service_accounts`; the caveats above about setting both, or neither,
# apply here too.
service_accounts = <list(object(
name = string
namespace = string
))>

# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------

# The string operator to use when evaluating the AWS IAM condition for
# determining which Service Accounts are allowed to assume the IAM role.
# StringEquals requires an exact match of the service account namespace and
# name; StringLike treats * and ? in the values as wildcards. Keep the default
# unless you need wildcards, and do not combine wildcards with StringEquals,
# where they are matched literally and nothing will match.
service_accounts_condition_operator = "StringEquals"

}
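To make the trust policy concrete, here is an added Python example (not the module's source code and not taken from this page) that builds an IRSA assume role policy in the shape the variables above describe and audits it for the two footguns the variable comments warn about: leaving both `namespaces` and `service_accounts` null, and combining `StringEquals` with a wildcard. Assumptions, marked in the code: the provider ARN and URL are constructed placeholders; the `aud` condition on `sts.amazonaws.com` is the check AWS documents for IRSA and is included here whether or not the module adds it; the namespace-only form is rendered with `StringLike` and a trailing `*` because that is the only way to express "every service account in this namespace", but how the module itself renders that case is not stated on this page.

```python
# Added example (not part of the Gruntwork module or this page): build an IRSA
# trust policy and audit it. Provider ARN/URL below are constructed placeholders.
import json
from typing import Dict, List, Optional

# EKS issues projected service account tokens with this audience; checking it
# is the AWS-documented IRSA practice. Assumption: whether the module's own
# policy adds this condition is not stated on the page.
OIDC_AUDIENCE = "sts.amazonaws.com"


def oidc_issuer(provider_url: str) -> str:
    """IAM condition keys use the issuer host/path without the scheme."""
    for scheme in ("https://", "http://"):
        if provider_url.startswith(scheme):
            return provider_url[len(scheme):]
    return provider_url


def build_irsa_trust_policy(
    provider_arn: str,
    provider_url: str,
    namespaces: Optional[List[str]] = None,
    service_accounts: Optional[List[Dict[str, str]]] = None,
    operator: str = "StringEquals",
) -> dict:
    """Return an assume role policy document for sts:AssumeRoleWithWebIdentity.

    Mirrors the module's variables: exactly one of namespaces/service_accounts,
    or neither (which deliberately yields the all-namespaces policy so that the
    audit below can show why that is dangerous).
    """
    if namespaces and service_accounts:
        # The page warns this combination yields an impossible rule; refuse it.
        raise ValueError("set only one of namespaces or service_accounts")
    issuer = oidc_issuer(provider_url)
    condition: Dict[str, Dict[str, object]] = {
        "StringEquals": {f"{issuer}:aud": OIDC_AUDIENCE}
    }
    if service_accounts:
        subs = [f"system:serviceaccount:{sa['namespace']}:{sa['name']}" for sa in service_accounts]
        condition.setdefault(operator, {})[f"{issuer}:sub"] = subs
    elif namespaces:
        # Assumption: a namespace-wide rule needs a wildcard, hence StringLike.
        subs = [f"system:serviceaccount:{ns}:*" for ns in namespaces]
        condition.setdefault("StringLike", {})[f"{issuer}:sub"] = subs
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def audit_trust_policy(policy: dict) -> List[str]:
    """Flag trust policies that admit more pods than intended, or none at all."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        sub_rules = [
            (op, value)
            for op, keys in stmt.get("Condition", {}).items()
            for key, value in keys.items()
            if key.endswith(":sub")
        ]
        if not sub_rules:
            findings.append("no :sub condition: every service account in the cluster can assume this role")
            continue
        for op, value in sub_rules:
            for sub in (value if isinstance(value, list) else [value]):
                parts = sub.split(":")  # system:serviceaccount:<namespace>:<name>
                namespace = parts[2] if len(parts) > 2 else ""
                if "StringLike" in op:
                    if not namespace or "*" in namespace or "?" in namespace:
                        findings.append(f"{sub!r} under {op}: wildcard namespace, any pod in the cluster can assume this role")
                elif "*" in sub or "?" in sub:
                    findings.append(f"{sub!r} under {op}: * and ? are literals here, nothing will ever match")
    return findings


if __name__ == "__main__":
    arn = "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE"  # constructed
    url = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE"  # constructed
    tight = build_irsa_trust_policy(
        arn, url, service_accounts=[{"namespace": "kube-system", "name": "aws-load-balancer-controller"}]
    )
    print(json.dumps(tight, indent=2))
    print(audit_trust_policy(tight))  # -> []
    print(audit_trust_policy(build_irsa_trust_policy(arn, url)))  # one finding: no :sub condition
```

Run it against the JSON of a role you already have (`aws iam get-role --query Role.AssumeRolePolicyDocument`) to confirm that the `:sub` condition names exactly the namespace and service account you intended, and nothing wider.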


Reference

Required

eks_openid_connect_provider_arn (string, required)

ARN of the OpenID Connect Provider provisioned for the EKS cluster.

eks_openid_connect_provider_url (string, required)

URL of the OpenID Connect Provider provisioned for the EKS cluster.

namespaces (list(string), required)

The Kubernetes Namespaces that are allowed to assume the attached IAM Role. Only one of `namespaces` or `service_accounts` can be set. If both are set, you may end up with a rule that can never be satisfied. If both are set to null, the policy allows every service account in every namespace of the cluster to assume the role.

service_accounts (list(object(...)), required)

The Kubernetes Service Accounts that are allowed to assume the attached IAM Role. Only one of `namespaces` or `service_accounts` can be set. If both are set, you may end up with a rule that can never be satisfied. If both are set to null, the policy allows every service account in every namespace of the cluster to assume the role.

Type:

list(object({
name = string
namespace = string
}))

Optional

service_accounts_condition_operator (string, optional)

The string operator to use when evaluating the AWS IAM condition for determining which Service Accounts are allowed to assume the IAM role. StringEquals requires an exact match; StringLike treats * and ? in the values as wildcards.

Default: "StringEquals"