crooked-raincoat-45073
03/19/2023, 8:24 PMpolicy_json = ({
# NOTE(review): this builds a plain Python dict shaped like an IAM role trust policy;
# nothing here serialises it to JSON. The .apply() call further down suggests `url`
# (and presumably `arn`) are Pulumi Outputs, i.e. not known when this line runs.
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": eks_cluster.core.oidc_provider.arn
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
# NOTE(review): Output.apply() returns another Output, so this f-string embeds the
# Output object's string form rather than the resolved issuer URL.
# The key also has no ":aud" or ":sub" suffix. A web-identity trust policy conditions
# on "<issuer>:aud" / "<issuer>:sub"; without a ":sub" condition the role is not
# pinned to a single Kubernetes service account.
# The value looks like chat link markup left by the archive; the intended string is
# presumably "sts.amazonaws.com".
f"{eks_cluster.core.oidc_provider.url.apply(lambda v: v)}": "<http://sts.amazonaws.com|sts.amazonaws.com>",
}
}
}
]
})
# Prints the dict as built above, including whatever object sits under "Federated".
print(policy_json)
I tried all the different variations, but it seems I missed something obvious here
billowy-army-68599
03/19/2023, 8:37 PM
crooked-raincoat-45073
03/19/2023, 8:38 PM
billowy-army-68599
03/19/2023, 8:41 PM
crooked-raincoat-45073
03/19/2023, 8:50 PMpolicy_json = eks_cluster.core.oidc_provider.url.apply(lambda v: json.dumps({
# NOTE(review): the dict is now built and serialised inside apply(), so `v` is the
# resolved value of `url` and json.dumps sees only plain strings.
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
# NOTE(review): this is a quoted string literal, so the policy carries the text
# "eks_cluster.core.oidc_provider.arn" as the federated principal, not the provider ARN.
"Federated": "eks_cluster.core.oidc_provider.arn"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
# NOTE(review): the key is the bare issuer value with no ":aud" or ":sub" suffix, and
# there is no ":sub" condition restricting which service account may assume the role.
# The value looks like chat link markup; presumably "sts.amazonaws.com" was intended.
f"{v}": "<http://sts.amazonaws.com|sts.amazonaws.com>",
}
}
}
]
}))
# policy_json is the Output returned by apply(), so this f-string formats the Output
# object itself rather than the JSON text produced inside the lambda.
print(f"Output is: -> {policy_json}")
billowy-army-68599
03/19/2023, 8:54 PM
crooked-raincoat-45073
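03/19/2023, 10:04 PM
# IAM role that External DNS assumes through the EKS cluster's OIDC provider.
# The trust policy allows sts:AssumeRoleWithWebIdentity only for tokens whose
# audience is sts.amazonaws.com and whose subject is an external-dns service
# account in kube-system.
external_dns_role = aws.iam.Role(
    f"cr-eks-external-dns-role-{pulumi.get_stack()}",
    path="/",
    description="Role for External DNS on EKS to modify route53",
    # Output.json_dumps serialises the structure once the Outputs inside it resolve.
    # NOTE(review): the condition keys below are Outputs too; confirm with a preview
    # that they render as "<issuer>:aud" / "<issuer>:sub", and that the issuer value
    # carries no "https://" scheme, which IAM condition keys do not include.
    assume_role_policy=Output.json_dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": eks_cluster.core.oidc_provider.arn,
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    # The audience is a fixed value, so it is matched exactly.
                    "StringEquals": {
                        Output.format("{}:aud", eks_cluster.core.oidc_provider.url): "sts.amazonaws.com",
                    },
                    # The trailing "*" accepts every kube-system service account whose
                    # name starts with "external-dns". If only one account is intended,
                    # move this key under StringEquals with the exact name.
                    "StringLike": {
                        Output.format("{}:sub", eks_cluster.core.oidc_provider.url): "system:serviceaccount:kube-system:external-dns*",
                    },
                },
            }
        ],
    }),
)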