Creates a single IAM role which can be assumed by one or more EKS ServiceAccounts and optionally also by OpenID Connect federated users.

This module is for use with AWS EKS. For details of how a ServiceAccount in EKS can assume an IAM role, see the EKS documentation.

This module supports multiple ServiceAccounts in multiple clusters and/or namespaces. This allows a single IAM role to be used when an application spans multiple clusters (e.g. for DR) or multiple namespaces (e.g. for canary deployments). The variables `cluster_service_accounts` and `provider_url_sa_pairs` are used for this as follows:
```hcl
module "iam_eks_role" {
  source = "terraform-aws-modules/iam/aws//modules/iam-eks-role"

  cluster_service_accounts = {
    "<EKS cluster name>" = [
      "<namespace>:<ServiceAccount name>",
      "<namespace>:<another ServiceAccount name>"
    ]
  }

  provider_url_sa_pairs = {
    "<OIDC provider without protocol prefix>" = [
      "<namespace>:<ServiceAccount name>",
      "<namespace>:<another ServiceAccount name>"
    ]
  }
}
```
For example, to create an IAM role named `my-app` that can be assumed from the ServiceAccount named `my-app-staging` in the namespaces `default` and `canary` in the EKS cluster named `cluster-main-1`, and also from the ServiceAccount named `my-app-staging` in the namespace `default` in the EKS cluster named `cluster-backup-1`, the configuration would be:
```hcl
module "iam_eks_role" {
  source = "terraform-aws-modules/iam/aws//modules/iam-eks-role"

  role_name = "my-app"

  cluster_service_accounts = {
    "cluster-main-1" = [
      "default:my-app-staging",
      "canary:my-app-staging"
    ]
    "cluster-backup-1" = [
      "default:my-app-staging",
    ]
  }
}
```
Note: the EKS clusters must be in the current AWS region and account, as they are looked up through the default AWS provider.
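To make the resulting trust relationship concrete, the following is an added Python illustration (not the module's own code, and not necessarily identical to what `aws_iam_policy_document.assume_role_with_oidc` renders) of the IRSA trust policy the two inputs describe: one `sts:AssumeRoleWithWebIdentity` statement per OIDC provider, with the `<provider>:sub` condition pinned by `StringEquals` to the exact `system:serviceaccount:<namespace>:<name>` subjects. The account id, partition and cluster issuer URLs are constructed sample values, the entry validation and the `:aud` condition are additions of this example, and `is_valid_entry`, `subjects_for`, `provider_statement` and `build_trust_policy` are hypothetical names.

```python
import re

# Constructed sample values; a real deployment gets these from the
# aws_caller_identity, aws_partition and aws_eks_cluster data sources.
ACCOUNT_ID = "111122223333"
PARTITION = "aws"
SAMPLE_CLUSTER_ISSUERS = {  # EKS cluster name -> OIDC issuer URL (hypothetical)
    "cluster-main-1": "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE1MAIN",
    "cluster-backup-1": "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE2BACKUP",
}
# Exactly one "<namespace>:<ServiceAccount name>" pair, lower-case DNS-style names only.
SA_ENTRY = re.compile(r"^[a-z0-9][a-z0-9.-]*:[a-z0-9][a-z0-9.-]*$")


def is_valid_entry(entry):
    """Reject wildcards and malformed entries before they reach the trust policy."""
    return bool(SA_ENTRY.match(entry))


def subjects_for(sa_list):
    """Map 'namespace:name' entries to the exact IRSA subject claims."""
    bad = [e for e in sa_list if not is_valid_entry(e)]
    if bad:
        raise ValueError(f"invalid ServiceAccount entries {bad}; expected '<namespace>:<name>'")
    return [f"system:serviceaccount:{e}" for e in sa_list]


def provider_statement(provider_url, sa_list):
    """One statement per OIDC provider (URL given without the protocol prefix).
    StringEquals pins the subject exactly; the aud check is an added hardening
    that restricts the token audience to STS."""
    return {
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:{PARTITION}:iam::{ACCOUNT_ID}:oidc-provider/{provider_url}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{provider_url}:sub": subjects_for(sa_list),
            f"{provider_url}:aud": "sts.amazonaws.com",
        }},
    }


def build_trust_policy(cluster_service_accounts, provider_url_sa_pairs, issuers=SAMPLE_CLUSTER_ISSUERS):
    """Mirror the two module inputs: cluster names resolve to their issuer, provider URLs are used as given."""
    statements = [provider_statement(issuers[c].split("://", 1)[-1], sas)
                  for c, sas in cluster_service_accounts.items()]
    statements += [provider_statement(url, sas) for url, sas in provider_url_sa_pairs.items()]
    return {"Version": "2012-10-17", "Statement": statements}
```

Calling `build_trust_policy` with the `cluster-main-1` / `cluster-backup-1` inputs from the example above yields two statements, one per cluster issuer, each trusting only the listed ServiceAccount subjects.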
## Requirements

| Name | Version |
|---|---|
| terraform | >= 0.12.6 |
| aws | >= 2.23 |
## Providers

| Name | Version |
|---|---|
| aws | >= 2.23 |
## Modules

No modules.
## Resources

| Name | Type |
|---|---|
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.custom | resource |
| aws_caller_identity.current | data source |
| aws_eks_cluster.main | data source |
| aws_iam_policy_document.assume_role_with_oidc | data source |
| aws_partition.current | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cluster_service_accounts | EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccounts. See README for details | `map(list(string))` | `{}` | no |
| create_role | Whether to create a role | `bool` | `true` | no |
| force_detach_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| max_session_duration | Maximum CLI/API session duration in seconds, between 3600 and 43200 | `number` | `43200` | no |
| provider_url_sa_pairs | OIDC provider URL and k8s ServiceAccount pairs. If the assume role policy requires a mix of EKS clusters and other OIDC providers then this can be used | `map(list(string))` | `{}` | no |
| role_description | IAM Role description | `string` | `""` | no |
| role_name | Name of IAM role | `string` | `null` | no |
| role_name_prefix | IAM role name prefix | `string` | `null` | no |
| role_path | Path of IAM role | `string` | `"/"` | no |
| role_permissions_boundary_arn | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
| role_policy_arns | ARNs of any policies to attach to the IAM role | `list(string)` | `[]` | no |
| tags | A map of tags to add to the IAM role | `map(any)` | `{}` | no |
## Outputs

| Name | Description |
|---|---|
| iam_role_arn | ARN of IAM role |
| iam_role_name | Name of IAM role |
| iam_role_path | Path of IAM role |
| iam_role_unique_id | Unique ID of IAM role |