Fix root account ID (#112)

* Fix root account id

* Remove unnecesarry var

* Add changelog entry

CHANGELOG.md

@@ -13,6 +13,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - CAPA: add new `mc-bootstrap` policy to `capa-controller` role.
 - Add IAM policy for use with Crossplane AWS provider. The initial permissions are meant to be used with Cilium ENI mode.
 - CAPA: add `autoscaling:CancelInstanceRefresh` permission (needed for `AWSMachinePool` reconciler [improvement](https://github.com/giantswarm/cluster-api-provider-aws/pull/598))
+- Create a CloudFormation stack to manage the IAM policies and roles.
+
+### Changed
+
+- Use a setup script to automate CAPA controller commands.
+
+### Removed
+
+- Remove vintage setup instructions.
 
 ## [3.4.0] - 2024-01-16
 

README.md

@@ -102,6 +102,8 @@ chmod +x setup.sh
 ./setup.sh
 ```
 
+__warning__: You may need to modify the `trusted-entities.json` to use `aws-cn` in the `Principal` field when using the China region.
+
 ### Cleanup
 
 ```

capa-controller-role/setup.sh

@@ -20,7 +20,6 @@ function echo_fail_or_success {
 }
 
 function create_role {
-  export AWS_ACCOUNT="$(aws sts get-caller-identity --output text --query 'Account')"
   envsubst < ./trusted-entities.json > ${INSTALLATION_NAME}-trusted-entities.json
   aws iam create-role --role-name "${ROLE_NAME}" --description "Giant Swarm managed role for k8s cluster creation" --assume-role-policy-document file://${INSTALLATION_NAME}-trusted-entities.json
   rm -f ${INSTALLATION_NAME}-trusted-entities.json

capa-controller-role/trusted-entities.json

@@ -4,7 +4,7 @@
         {
             "Effect": "Allow",
             "Principal": {
-                "AWS": "arn:*:iam::${AWS_ACCOUNT}:user/${INSTALLATION_NAME}-capa-controller"
+                "AWS": "arn:aws:iam::084190472784:user/${INSTALLATION_NAME}-capa-controller"
             },
             "Action": "sts:AssumeRole",
             "Condition": {}