Application Roles

For applications, CI/CD pipelines, and developers to perform their tasks in AWS, you will need three IAM roles per application:

  • Pod role: your application will use a Kubernetes service account to assume this role using IRSA in order to access storage, databases, and secrets.

  • Deploy role: your CI/CD pipelines will assume this role and will be mapped to a Kubernetes group using aws-auth in order to update the application during deployment.

  • Developer role: developers will assume this role and will be mapped to a Kubernetes group using aws-auth in order to view application status.

Pod Role

You can use the service-account-role module from Flightdeck to create the service account and an IAM role with the proper trust policy:

module "pod_role" {
  source        = "github.com/thoughtbot/flightdeck//aws/service-account-role?ref=v0.9.0"
  cluster_names = ["example-sandbox-v1"]
  name          = "example-pods"

  # Your manifests must use a service account with the same name and namespace
  service_accounts = ["example:example-staging"]
}

You can then create IAM policies and attach them to the role:

resource "aws_iam_policy" "reports_bucket" {
  name = "example-bucket"

  # policy_json is an output of a bucket module declared elsewhere in your configuration
  policy = module.example_bucket.policy_json
}

resource "aws_iam_role_policy_attachment" "reports_bucket" {
  # Attach the policy declared above to the pod role created by the service-account-role module
  policy_arn = aws_iam_policy.reports_bucket.arn
  role       = module.pod_role.name
}

You can pass this role to the Flightdeck application-config module to set up the proper service account and annotations to map pods to the role:

module "staging_sandbox_v1" {
  source = "github.com/thoughtbot/flightdeck//aws/application-config"

  # This must match the service account and namespace declared above
  namespace           = "example-staging"
  pod_service_account = "example"
  pod_iam_role        = module.pod_role.arn
}
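The trust policy that the service-account-role module builds for the pod role, written out in plain Terraform as an added example (this is not Flightdeck's own module code). It assumes the cluster's OIDC issuer is already registered as an IAM identity provider, and the cluster data source, local names and role resource name are assumptions for illustration; the point is that the "sub" condition pins the role to exactly one namespace and service account.

```hcl
# Added example: the IRSA trust policy behind the pod role, not Flightdeck's module code.
data "aws_caller_identity" "current" {}

# Assumed: the cluster declared in cluster_names above
data "aws_eks_cluster" "sandbox" {
  name = "example-sandbox-v1"
}

locals {
  # Issuer hostname without the scheme, e.g. oidc.eks.us-east-1.amazonaws.com/id/ABC123
  oidc_issuer       = replace(data.aws_eks_cluster.sandbox.identity[0].oidc[0].issuer, "https://", "")
  oidc_provider_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_issuer}"
}

data "aws_iam_policy_document" "pod_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [local.oidc_provider_arn]
    }

    # "aud" pins the token audience to STS
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:aud"
      values   = ["sts.amazonaws.com"]
    }

    # "sub" pins the exact namespace and service account. Using StringLike with a
    # wildcard here would let other pods in the cluster assume the role, so keep
    # StringEquals and one fully qualified value per allowed service account.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:sub"
      values   = ["system:serviceaccount:example-staging:example"]
    }
  }
}

resource "aws_iam_role" "example_pods" {
  name               = "example-pods"
  assume_role_policy = data.aws_iam_policy_document.pod_trust.json
}
```

When reviewing a generated role, `aws iam get-role` on it should show this same pair of StringEquals conditions and nothing broader.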

Deploy Role

If you’re using GitHub Actions, you can use the EKS deploy role module to create your deploy role:

This role must be added to the aws-auth ConfigMap, which you can do in the platform configuration:

You can then use Kubernetes role bindings to assign permissions to the role.

If you’re using the Flightdeck application-config module, you can include the deploy group as part of your configuration:

Flightdeck also includes a module to provide write access to a single namespace if you’re configuring your deploy role separately:

Developer Role

If you’re using the Flightdeck application-config module, you can include the developer group as part of your configuration:

Flightdeck also includes a module to provide read access to a single namespace if you’re configuring your developer role separately:

This role must be added to the aws-auth ConfigMap, which you can do in the platform configuration: