update cluster role trust policy

awslabs · Nov 11, 2024 · 6ee7404 · 6ee7404
1 parent 771e33b
commit 6ee7404
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### **Changed**
 
 - pin external gh actions to hash
+- fix eks cluster admin role trust policy
 
 ### **Removed**
 

diff --git a/modules/compute/eks/stack.py b/modules/compute/eks/stack.py
@@ -526,6 +526,15 @@ def _create_eks_cluster(
             ],
         )
 
+        # Grant kubectl handler role explicit assume of cluster admin role
+        cluster_admin_role.assume_role_policy.add_statements(
+            iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=["sts:AssumeRole"],
+                principals=[eks_cluster.kubectl_lambda_role.role_arn],
+            )
+        )
+
         # Whitelist traffic between Codebuild SG and EKS SG when the APIServer is private
         if eks_compute_config.get("eks_api_endpoint_private") and codebuild_sg_id:
             codebuild_sg = ec2.SecurityGroup.from_security_group_id(self, "eks-codebuild-sg", codebuild_sg_id)
@@ -628,6 +637,9 @@ def _create_cluster_admin_role(self, project_name, deployment_name, module_name,
                 conditions={
                     "ArnLike": {
                         "aws:PrincipalArn": (
+                            # NOTE: this is known to cause issues when using long deployment names
+                            # for resources with autogenerated names that may be truncated to not fit the pattern
+                            # such as kubectl handler role
                             f"arn:{self._partition}:iam::{account}:role/{project_name}-{deployment_name}-*"
                         )
                     }