From 02e6fa43f032017ee6237ec3462223584a047b0e Mon Sep 17 00:00:00 2001 From: Richard Case Date: Fri, 4 Oct 2024 09:49:00 +0100 Subject: [PATCH 1/2] feat: eks pod identity support for controllers This adds support for using EKS pod identity for the CAPA controller when the management cluster is an EKS cluster Signed-off-by: Richard Case --- .../bootstrap/cluster_api_controller.go | 4 +- .../cloudformation/bootstrap/control_plane.go | 2 +- .../cloudformation/bootstrap/node.go | 2 +- .../cloudformation/bootstrap/template.go | 10 +- .../cmd/controller/controller.go | 1 + .../credentials/use_pod_identity.go | 173 ++++++++++++++++++ docs/book/src/topics/eks/eks-pod-identity.md | 32 ++++ docs/book/src/topics/eks/index.md | 3 +- 8 files changed, 219 insertions(+), 8 deletions(-) create mode 100644 cmd/clusterawsadm/cmd/controller/credentials/use_pod_identity.go create mode 100644 docs/book/src/topics/eks/eks-pod-identity.md diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go index 049de10431..add074a8c0 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go +++ b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go @@ -51,8 +51,8 @@ func (t Template) controllersPolicyRoleAttachments() []string { return attachments } -func (t Template) controllersTrustPolicy() *iamv1.PolicyDocument { - policyDocument := ec2AssumeRolePolicy() +func (t Template) controllersTrustPolicy(eksEnabled bool) *iamv1.PolicyDocument { + policyDocument := ec2AssumeRolePolicy(eksEnabled) policyDocument.Statement = append(policyDocument.Statement, t.Spec.ClusterAPIControllers.TrustStatements...) return policyDocument } diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/control_plane.go b/cmd/clusterawsadm/cloudformation/bootstrap/control_plane.go index 06cdff6a55..15ee33fcaf 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/control_plane.go 
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/control_plane.go @@ -40,7 +40,7 @@ func (t Template) controlPlanePolicies() []cfn_iam.Role_Policy { } func (t Template) controlPlaneTrustPolicy() *iamv1.PolicyDocument { - policyDocument := ec2AssumeRolePolicy() + policyDocument := ec2AssumeRolePolicy(false) policyDocument.Statement = append(policyDocument.Statement, t.Spec.ControlPlane.TrustStatements...) return policyDocument } diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/node.go b/cmd/clusterawsadm/cloudformation/bootstrap/node.go index a17db15ad2..5e04f7bfa7 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/node.go +++ b/cmd/clusterawsadm/cloudformation/bootstrap/node.go @@ -39,7 +39,7 @@ func (t Template) nodePolicies() []cfn_iam.Role_Policy { } func (t Template) nodeTrustPolicy() *iamv1.PolicyDocument { - policyDocument := ec2AssumeRolePolicy() + policyDocument := ec2AssumeRolePolicy(false) policyDocument.Statement = append(policyDocument.Statement, t.Spec.Nodes.TrustStatements...) return policyDocument } diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/template.go b/cmd/clusterawsadm/cloudformation/bootstrap/template.go index c4eb4cbff7..24adad2476 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/template.go +++ b/cmd/clusterawsadm/cloudformation/bootstrap/template.go @@ -146,7 +146,7 @@ func (t Template) RenderCloudFormation() *cloudformation.Template { template.Resources[AWSIAMRoleControllers] = &cfn_iam.Role{ RoleName: t.NewManagedName("controllers"), - AssumeRolePolicyDocument: t.controllersTrustPolicy(), + AssumeRolePolicyDocument: t.controllersTrustPolicy(!t.Spec.EKS.Disable), Policies: t.controllersRolePolicy(), Tags: converters.MapToCloudFormationTags(t.Spec.ClusterAPIControllers.Tags), } 
@@ -218,8 +218,12 @@ func (t Template) RenderCloudFormation() *cloudformation.Template { return template } -func ec2AssumeRolePolicy() *iamv1.PolicyDocument { - return AssumeRolePolicy(iamv1.PrincipalService, []string{"ec2.amazonaws.com"}) +func ec2AssumeRolePolicy(withEKS bool) *iamv1.PolicyDocument { + principalIDs := []string{"ec2.amazonaws.com"} + if withEKS { + principalIDs = append(principalIDs, "pods.eks.amazonaws.com") + } + return AssumeRolePolicy(iamv1.PrincipalService, principalIDs) } // AWSArnAssumeRolePolicy will assume Policies using PolicyArns. diff --git a/cmd/clusterawsadm/cmd/controller/controller.go b/cmd/clusterawsadm/cmd/controller/controller.go index 31e018d432..1d07ae1136 100644 --- a/cmd/clusterawsadm/cmd/controller/controller.go +++ b/cmd/clusterawsadm/cmd/controller/controller.go @@ -44,6 +44,7 @@ func RootCmd() *cobra.Command { newCmd.AddCommand(credentials.UpdateCredentialsCmd()) newCmd.AddCommand(credentials.PrintCredentialsCmd()) newCmd.AddCommand(rollout.RolloutControllersCmd()) + newCmd.AddCommand(credentials.UseEKSPodIdentityCmd()) return newCmd } diff --git a/cmd/clusterawsadm/cmd/controller/credentials/use_pod_identity.go b/cmd/clusterawsadm/cmd/controller/credentials/use_pod_identity.go new file mode 100644 index 0000000000..3acb79b4cd --- /dev/null +++ b/cmd/clusterawsadm/cmd/controller/credentials/use_pod_identity.go 
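Review bot: `ec2AssumeRolePolicy(withEKS)` adds `pods.eks.amazonaws.com` to the controllers role's trust policy whenever EKS is merely not disabled (the call site in `RenderCloudFormation` passes `!t.Spec.EKS.Disable`), so every default bootstrap now trusts the EKS Pod Identity service principal even for users who never run `use-pod-identity` and keep static credentials or IRSA. Consider making this opt-in through a dedicated spec field rather than tying it to EKS being enabled, and, if a trust-policy condition scoping the principal to the management cluster's account or ARN is supported for this principal, emit it alongside the principal rather than trusting it unconditionally. A doc comment would also help: `// ec2AssumeRolePolicy builds a service-principal trust policy for EC2; when withEKS is set it also trusts pods.eks.amazonaws.com so the role can be used by EKS Pod Identity.`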
@@ -0,0 +1,173 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package credentials + +import ( + "fmt" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/session" + "github.com/aws/aws-sdk-go/service/eks" + "github.com/aws/aws-sdk-go/service/iam" + "github.com/spf13/cobra" + + "sigs.k8s.io/cluster-api/cmd/clusterctl/cmd" +) + +// UseEKSPodIdentityCmd is a CLI command that will enable using EKS pod identity for CAPA. +func UseEKSPodIdentityCmd() *cobra.Command { + clusterName := "" + region := "" + namespace := "" + serviceAccount := "" + roleName := "" + + newCmd := &cobra.Command{ + Use: "use-pod-identity", + Short: "Enable EKS pod identiy with CAPA", + Long: cmd.LongDesc(` + Updates CAPA running in an EKS cluster to use EKS pod identity + `), + Example: cmd.Examples(` + clusterawsadm controller use-pod-identity --cluster-name cluster1 + `), + Args: cobra.NoArgs, + RunE: func(cmd *cobra.Command, args []string) error { + return usePodIdentity(region, clusterName, namespace, serviceAccount, roleName) + }, + } + + newCmd.Flags().StringVarP(®ion, "region", "r", "", "The AWS region containing the EKS cluster") + newCmd.Flags().StringVarP(&clusterName, "cluster-name", "n", "", "The name of the EKS management cluster") + newCmd.Flags().StringVar(&namespace, "namespace", "capa-system", "The namespace of CAPA controller") + newCmd.Flags().StringVar(&serviceAccount, "service-account", "capa-controller-manager", "The service 
account for the CAPA controller") + newCmd.Flags().StringVar(&roleName, "role-name", "controllers.cluster-api-provider-aws.sigs.k8s.io", "The name of the CAPA controller role. If you have used a prefix or suffix this will need to be changed.") + + newCmd.MarkFlagRequired("cluster-name") + + return newCmd +} + +func usePodIdentity(region, clusterName, namespace, serviceAccount, roleName string) error { + cfg := aws.Config{} + if region != "" { + cfg.Region = aws.String(region) + } + + sess, err := session.NewSessionWithOptions(session.Options{ + SharedConfigState: session.SharedConfigEnable, + Config: cfg, + }) + if err != nil { + return fmt.Errorf("failed creating aws session: %w", err) + } + + roleArn, err := getRoleArn(sess, roleName) + if err != nil { + return err + } + + eksClient := eks.New(sess) + + listInput := &eks.ListPodIdentityAssociationsInput{ + ClusterName: aws.String(clusterName), + Namespace: aws.String(namespace), + } + + listOutput, err := eksClient.ListPodIdentityAssociations(listInput) + if err != nil { + return fmt.Errorf("listing existing pod identity associations for cluster %s in namespace %s: %w", clusterName, namespace, err) + } + + for _, association := range listOutput.Associations { + if *association.ServiceAccount == serviceAccount { + needsUpdate, err := podIdentityNeedsUpdate(eksClient, association, roleName) + if err != nil { + return err + } + if !needsUpdate { + fmt.Printf("EKS pod association for service account %s already exists, no action taken\n", serviceAccount) + } + + return updatePodIdentity(eksClient, association, roleName) + } + } + + fmt.Printf("Creating pod association for service account %s.....\n", serviceAccount) + + createInpuut := &eks.CreatePodIdentityAssociationInput{ + ClusterName: &clusterName, + Namespace: &namespace, + RoleArn: &roleArn, + ServiceAccount: &serviceAccount, + } + + output, err := eksClient.CreatePodIdentityAssociation(createInpuut) + if err != nil { + return fmt.Errorf("failed to create pod 
identity association: %w", err) + } + + fmt.Printf("Created pod identity association (%s)\n", *output.Association.AssociationId) + + return nil +} + +func podIdentityNeedsUpdate(client *eks.EKS, association *eks.PodIdentityAssociationSummary, roleArn string) (bool, error) { + input := &eks.DescribePodIdentityAssociationInput{ + AssociationId: association.AssociationId, + ClusterName: association.ClusterName, + } + + output, err := client.DescribePodIdentityAssociation(input) + if err != nil { + return false, fmt.Errorf("failed describing pod identity association: %w", err) + } + + return *output.Association.RoleArn != roleArn, nil +} + +func updatePodIdentity(client *eks.EKS, association *eks.PodIdentityAssociationSummary, roleArn string) error { + input := &eks.UpdatePodIdentityAssociationInput{ + AssociationId: association.AssociationId, + ClusterName: association.ClusterName, + RoleArn: &roleArn, + } + + _, err := client.UpdatePodIdentityAssociation(input) + if err != nil { + return fmt.Errorf("failed updating pod identity association: %w", err) + } + + fmt.Printf("Updated pod identity to use role %s\n", roleArn) + + return nil +} + +func getRoleArn(sess *session.Session, roleName string) (string, error) { + client := iam.New(sess) + + input := &iam.GetRoleInput{ + RoleName: &roleName, + } + + output, err := client.GetRole(input) + if err != nil { + return "", fmt.Errorf("failed looking up role %s: %w", roleName, err) + } + + return *output.Role.Arn, nil +} diff --git a/docs/book/src/topics/eks/eks-pod-identity.md b/docs/book/src/topics/eks/eks-pod-identity.md new file mode 100644 index 0000000000..80919769e3 --- /dev/null +++ b/docs/book/src/topics/eks/eks-pod-identity.md 
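Review bot: In `usePodIdentity` the `!needsUpdate` branch prints "no action taken" and then falls through to `updatePodIdentity`, so the association is rewritten on every run; it needs a `return nil`. The same loop passes `roleName` to `podIdentityNeedsUpdate` and `updatePodIdentity`, whose `roleArn` parameter is compared with and written to `Association.RoleArn`, so the comparison always reports a change and the update submits a role name where an ARN is expected, even though `getRoleArn` already resolved `roleArn` a few lines earlier. `aws.StringValue(association.ServiceAccount)` avoids a nil-pointer panic on the SDK's pointer field, the error from `newCmd.MarkFlagRequired("cluster-name")` should be checked rather than dropped, and the typos `identiy` (in `Short`) and `createInpuut` are worth fixing while here. The rewritten loop is below; the rest of the function is unchanged.
```go
	for _, association := range listOutput.Associations {
		if aws.StringValue(association.ServiceAccount) != serviceAccount {
			continue
		}
		needsUpdate, err := podIdentityNeedsUpdate(eksClient, association, roleArn)
		if err != nil {
			return err
		}
		if !needsUpdate {
			fmt.Printf("EKS pod association for service account %s already exists, no action taken\n", serviceAccount)
			return nil
		}
		return updatePodIdentity(eksClient, association, roleArn)
	}
	// … unchanged: CreatePodIdentityAssociation path …
```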
@@ -0,0 +1,32 @@ +# Using EKS Pod Identity for CAPA Controller + +You can use [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) to supply the credentials for the CAPA controller when the management is in EKS. This is an alternative to using the static boostrap credentials or IRSA. + +## Pre-requisites + +- Management cluster must be an EKS cluster +- AWS environment variables set for your account + +## Steps + +1. Install the **Amazon EKS Pod Identity Agent** EKS addon into the cluster. This can be done using the AWS console or using the AWS cli. + +> NOTE: If your management cluster is a "self-managed" CAPI cluster then its possible to install the addon via the **EKSManagedControlPlane**. + +2. Create an EKS pod identity association for CAPA by running the following (replacing **** with the name of your EKS cluster): + +```bash +clusterawsadm controller use-pod-identity --cluster-name +``` + +3. Ensure any credentials set for the controller are removed (a.k.a zeroed out): + +```bash +clusterawsadm controller zero-credentials --namespace=capa-system +``` + +4. Force CAPA to restart so that the AWS credentials are injected: + +```bash +clusterawsadm controller rollout-controller --kubeconfig=kubeconfig --namespace=capa-system +``` \ No newline at end of file diff --git a/docs/book/src/topics/eks/index.md b/docs/book/src/topics/eks/index.md index 9312cc4eaa..2bc44fc400 100644 --- a/docs/book/src/topics/eks/index.md +++ b/docs/book/src/topics/eks/index.md @@ -36,4 +36,5 @@ And a number of new templates are available in the templates folder for creating * [Using EKS Console](eks-console.md) * [Using EKS Addons](addons.md) * [Enabling Encryption](encryption.md) -* [Cluster Upgrades](cluster-upgrades.md) \ No newline at end of file +* [Cluster Upgrades](cluster-upgrades.md) +* [Using EKS Pod Identity for controller credentials](eks-pod-identity.md) \ No newline at end of file 
From 352d96936fffa3f8f1c958b991ec628b7bcce878 Mon Sep 17 00:00:00 2001 From: Richard Case Date: Mon, 4 Nov 2024 19:42:11 +0000 Subject: [PATCH 2/2] wip: eks pod identity support Signed-off-by: Richard Case --- .../cloudformation/bootstrap/fixtures/customsuffix.yaml | 2 ++ .../cloudformation/bootstrap/fixtures/default.yaml | 2 ++ .../bootstrap/fixtures/with_all_secret_backends.yaml | 2 ++ .../bootstrap/fixtures/with_allow_assume_role.yaml | 2 ++ .../cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml | 2 ++ .../bootstrap/fixtures/with_custom_bootstrap_user.yaml | 2 ++ .../bootstrap/fixtures/with_different_instance_profiles.yaml | 2 ++ .../cloudformation/bootstrap/fixtures/with_eks_console.yaml | 2 ++ .../bootstrap/fixtures/with_eks_default_roles.yaml | 2 ++ .../cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml | 2 ++ .../bootstrap/fixtures/with_extra_statements.yaml | 2 ++ .../cloudformation/bootstrap/fixtures/with_s3_bucket.yaml | 2 ++ .../bootstrap/fixtures/with_ssm_secret_backend.yaml | 2 ++ cmd/clusterawsadm/cloudformation/bootstrap/template.go | 2 +- 14 files changed, 27 insertions(+), 1 deletion(-) diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml index 7909fe12d5..aafa80ee0e 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml @@ -412,6 +412,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -429,6 +430,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.custom-suffix.com Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml index a9290741ba..d21a7ba736 100644 
--- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml @@ -412,6 +412,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -429,6 +430,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml index fa7b5a4d95..5a9634f5ab 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml @@ -425,6 +425,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -442,6 +443,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml index 2390d86097..2ed79009c5 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml @@ -417,6 +417,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -434,6 +435,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role 
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml index 930b879c2e..f89b10399f 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml @@ -420,6 +420,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -437,6 +438,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml index 50b9bb3182..21378f3ad8 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml @@ -420,6 +420,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -437,6 +438,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml index 478967b404..49f1e188e2 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml @@ -412,6 +412,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: 
@@ -429,6 +430,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml index ae2e279062..3a295f5532 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml @@ -432,6 +432,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -449,6 +450,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml index 3ca015276a..6ef2dfd47c 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml @@ -412,6 +412,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -429,6 +430,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml index 0bacb55e5c..5502832139 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml 
@@ -412,6 +412,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -429,6 +430,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml index b864e1c1b3..7fa6b5c009 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml @@ -420,6 +420,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -447,6 +448,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 Policies: - PolicyDocument: diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml index b376d7cab8..f28ffb3926 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml +++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml @@ -423,6 +423,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -440,6 +441,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml index edc07671d6..51de07e47e 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml 
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml @@ -412,6 +412,7 @@ Resources: Statement: - Action: - sts:AssumeRole + - sts:TagSession Effect: Allow Principal: Service: @@ -429,6 +430,7 @@ Resources: Principal: Service: - ec2.amazonaws.com + - pods.eks.amazonaws.com Version: 2012-10-17 RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/template.go b/cmd/clusterawsadm/cloudformation/bootstrap/template.go index 24adad2476..de3312ad32 100644 --- a/cmd/clusterawsadm/cloudformation/bootstrap/template.go +++ b/cmd/clusterawsadm/cloudformation/bootstrap/template.go @@ -244,7 +244,7 @@ func AssumeRolePolicy(identityType iamv1.PrincipalType, principalIDs []string) * { Effect: iamv1.EffectAllow, Principal: iamv1.Principals{identityType: principalIDs}, - Action: iamv1.Actions{"sts:AssumeRole"}, + Action: iamv1.Actions{"sts:AssumeRole", "sts:TagSession"}, }, }, }
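Review bot: Adding `sts:TagSession` inside the shared `AssumeRolePolicy` helper grants it to every trust statement built through it, including the control plane and node roles that call `ec2AssumeRolePolicy(false)`, although only the `pods.eks.amazonaws.com` principal needs it for EKS Pod Identity. A narrower shape keeps `Action: iamv1.Actions{"sts:AssumeRole"}` here and has `ec2AssumeRolePolicy` append a second statement for the pods principal carrying both `sts:AssumeRole` and `sts:TagSession`, so the EC2-only roles are untouched. The fixtures in this commit show a single `sts:TagSession` insertion per file, which looks inconsistent with a helper change that reaches every role, so the fixture regeneration may be incomplete (the commit is marked wip). `AssumeRolePolicy` starts before this hunk.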