Application Roles
For applications, CI/CD pipelines, and developers to perform their tasks in AWS, you will need three IAM roles per application:
- Pod role: your application will use a Kubernetes service account to assume this role via IRSA in order to access storage, databases, and secrets.
- Deploy role: your CI/CD pipelines will assume this role, which is mapped to a Kubernetes group using aws-auth in order to update the application during deployment.
- Developer role: developers will assume this role, which is mapped to a Kubernetes group using aws-auth in order to view application status.
Pod Role
You can use the service-account-role module from Flightdeck to create an IAM role whose trust policy allows the named service account to assume it:
```hcl
module "pod_role" {
  source = "github.com/thoughtbot/flightdeck//aws/service-account-role?ref=v0.9.0"

  cluster_names = ["example-sandbox-v1"]
  name          = "example-pods"

  # Your manifests must use a service account with the same name and namespace
  service_accounts = ["example:example-staging"]
}
```
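For reference, this is the shape of the IRSA trust policy such a pod role needs. It is an added illustration written for this page, not Flightdeck's module code; the cluster name, namespace and service account name are taken from the snippets on this page, and the OIDC issuer is looked up from the cluster. The security-relevant part is the `sub` condition: without it, any pod in the cluster that can obtain a web identity token from the cluster's OIDC provider could assume the role.

```hcl
# Added example (not Flightdeck code): what the module's trust policy amounts to.
locals {
  cluster_name = "example-sandbox-v1"
  namespace    = "example-staging"
  pod_sa       = "example"
}

data "aws_caller_identity" "current" {}

data "aws_eks_cluster" "this" {
  name = local.cluster_name
}

locals {
  # Issuer is "https://oidc.eks.<region>.amazonaws.com/id/<ID>"; the provider ARN
  # and condition keys use the host-and-path part without the scheme.
  oidc_host    = replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "")
  oidc_provider = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_host}"
}

data "aws_iam_policy_document" "pod_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [local.oidc_provider]
    }

    # Pin the role to exactly one service account in one namespace.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:sub"
      values   = ["system:serviceaccount:${local.namespace}:${local.pod_sa}"]
    }

    # Only accept tokens minted for STS, not tokens intended for other audiences.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "pod" {
  name               = "example-pods"
  assume_role_policy = data.aws_iam_policy_document.pod_trust.json
}
```

The matching Kubernetes service account carries the annotation `eks.amazonaws.com/role-arn` pointing at this role's ARN, which is what the application-config module adds for you later on this page.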
You can then create IAM policies and attach them to the role:
```hcl
resource "aws_iam_policy" "reports_bucket" {
  name   = "example-bucket"
  policy = module.example_bucket.policy_json
}

resource "aws_iam_role_policy_attachment" "reports_bucket" {
  # Reference the policy and role declared above, not unrelated names
  policy_arn = aws_iam_policy.reports_bucket.arn
  role       = module.pod_role.name
}
```
You can pass this role to the Flightdeck application-config module to set up the proper service account and annotations to map pods to the role:
```hcl
module "staging_sandbox_v1" {
  source = "github.com/thoughtbot/flightdeck//aws/application-config"

  # This must match the service account and namespace declared above
  namespace           = "example-staging"
  pod_service_account = "example"
  pod_iam_role        = module.pod_role.arn
}
```
Deploy Role
If you’re using GitHub Actions, you can use the EKS deploy role module to create your deploy role:
This role must be added to the aws-auth ConfigMap, which you can do in the platform configuration:
You can then use Kubernetes role bindings to assign permissions to the role.
If you’re using the Flightdeck application-config module, you can include the deploy group as part of your configuration:
Flightdeck also includes a module to provide write access to a single namespace if you’re configuring your deploy role separately:
Developer Role
If you’re using the Flightdeck application-config module, you can include the developer group as part of your configuration:
Flightdeck also includes a module to provide read access to a single namespace if you’re configuring your developer role separately:
This role must be added to the aws-auth ConfigMap, which you can do in the platform configuration:
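The deploy and developer sections above both rely on the same pattern: an IAM role is mapped to a Kubernetes group in aws-auth, and a namespace-scoped Role and RoleBinding grant that group its permissions. The following is an added example of that RBAC, written for this page with the Terraform kubernetes provider rather than taken from Flightdeck's modules; the group names `example-deploy` and `example-developer`, the namespace, and the assumption that the platform configuration has already mapped the two IAM roles to those groups in aws-auth are all placeholders. It shows the contrast a reviewer would look for: the deploy group can change workloads in one namespace only, and the developer group is read-only and cannot read Secrets.

```hcl
# Added example (not Flightdeck code). Assumes aws-auth already contains entries
# of the form produced by the platform configuration, e.g.:
#   - rolearn: arn:aws:iam::<ACCOUNT_ID>:role/example-deploy
#     username: example-deploy
#     groups: [example-deploy]
#   - rolearn: arn:aws:iam::<ACCOUNT_ID>:role/example-developer
#     username: example-developer
#     groups: [example-developer]
locals {
  namespace       = "example-staging"
  deploy_group    = "example-deploy"
  developer_group = "example-developer"
}

# Deploy: write access to workload objects, scoped to this namespace only.
resource "kubernetes_role" "deploy" {
  metadata {
    name      = "deploy"
    namespace = local.namespace
  }

  rule {
    api_groups = ["", "apps", "batch"]
    resources  = ["deployments", "statefulsets", "jobs", "cronjobs", "services", "configmaps", "secrets", "serviceaccounts", "pods"]
    verbs      = ["get", "list", "watch", "create", "update", "patch", "delete"]
  }
}

resource "kubernetes_role_binding" "deploy" {
  metadata {
    name      = "deploy"
    namespace = local.namespace
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.deploy.metadata[0].name
  }

  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = local.deploy_group
  }
}

# Developer: read-only view of application status. Secrets are deliberately
# absent from the resource list, so logs and pod status are visible but
# credentials are not.
resource "kubernetes_role" "developer" {
  metadata {
    name      = "developer"
    namespace = local.namespace
  }

  rule {
    api_groups = ["", "apps", "batch"]
    resources  = ["pods", "pods/log", "deployments", "statefulsets", "jobs", "cronjobs", "services", "configmaps", "events"]
    verbs      = ["get", "list", "watch"]
  }
}

resource "kubernetes_role_binding" "developer" {
  metadata {
    name      = "developer"
    namespace = local.namespace
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.developer.metadata[0].name
  }

  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = local.developer_group
  }
}
```

Because both bindings are Role (not ClusterRole) bindings in a single namespace, a CI/CD credential for one application cannot touch another application's namespace, and an IAM role that is removed from aws-auth loses all cluster access without any RBAC cleanup. A quick check after applying is `kubectl auth can-i get secrets -n example-staging --as=example-developer --as-group=example-developer`, which should answer `no`.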