numerous-train-50906
09/27/2023, 7:47 PM — creating IAM Role (my_eks_cluster_autoscaler_role): MalformedPolicyDocument: This policy contains invalid Json
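def create_autoscaling_role(
    oidc_provider_arn,
    oidc_provider_url,
    oidc_iam_policy,
    cluster_autoscaler_iam_policy,
    cluster_name,
):
    """Create the IAM role the cluster autoscaler assumes through the cluster's OIDC provider.

    Args:
        oidc_provider_arn: ARN of the EKS cluster's IAM OIDC provider (the
            ``Federated`` principal of the trust policy).
        oidc_provider_url: URL of that OIDC provider, used for the trust
            policy's condition keys.
        oidc_iam_policy: Template whose ``render(...)`` yields the trust
            (assume-role) policy document as a JSON *string*.
        cluster_autoscaler_iam_policy: Template whose ``render(...)`` yields
            the autoscaler's permissions policy document as a JSON *string*.
        cluster_name: Prefix for the role, policy and attachment names.

    Returns:
        The ``aws.iam.Role`` the autoscaler assumes.

    Raises:
        ValueError: if either rendered template is not a JSON object, so the
            problem surfaces locally instead of as AWS's
            ``MalformedPolicyDocument`` at apply time.
    """
    trust_policy = oidc_iam_policy.render(
        cluster_oidc_provider_arn=oidc_provider_arn,
        cluster_oidc_provider_url=oidc_provider_url,
    )
    permissions_policy = cluster_autoscaler_iam_policy.render(cluster_name=cluster_name)

    # Both templates already render JSON text. Passing that text through
    # json.dumps() again would turn the whole document into one JSON string
    # literal ("{\"Version\": ...}"), which IAM rejects with
    # "This policy contains invalid Json" -- so the rendered strings go in as-is.
    _ensure_json_document(trust_policy, "assume-role policy")
    _ensure_json_document(permissions_policy, "cluster autoscaler policy")

    # NOTE(review): the trust policy pasted in this thread conditions only on
    # the ":aud" claim; also binding ":sub" to the autoscaler's service
    # account limits which pods in the cluster can assume this role -- confirm
    # against the template.
    autoscaler_role = aws.iam.Role(
        resource_name=f"{cluster_name}_cluster_autoscaler_role",
        name=f"{cluster_name}_cluster_autoscaler_role",
        assume_role_policy=trust_policy,
    )
    autoscaler_policy = aws.iam.Policy(
        resource_name=f"{cluster_name}_cluster_autoscaler_policy",
        name=f"{cluster_name}_cluster_autoscaler_policy",
        policy=permissions_policy,
    )
    aws.iam.RolePolicyAttachment(
        resource_name=f"{cluster_name}_cluster_autoscaler_policy_attachment",
        role=autoscaler_role.name,
        policy_arn=autoscaler_policy.arn,
    )
    return autoscaler_role


def _ensure_json_document(document, label):
    """Raise ValueError unless *document* parses as a JSON object.

    Args:
        document: The rendered policy text to check.
        label: Human-readable name of the policy, used in the error message.
    """
    try:
        parsed = json.loads(document)
    except (TypeError, ValueError) as err:
        raise ValueError(f"{label} did not render to valid JSON: {err}") from err
    if not isinstance(parsed, dict):
        raise ValueError(
            f"{label} must render to a JSON object, got {type(parsed).__name__}"
        )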
The rendered `oidc_iam_policy` passed as `assume_role_policy=json.dumps(oidc_iam_policy),` is:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::152*****449:oidc-provider/oidc.eks.ca-central-1.amazonaws.com/id/FE5D241***************"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.ca-central-1.amazonaws.com/id/FE5D241***************:aud": "sts.amazonaws.com"
}
}
}
]
}
Changing `assume_role_policy=json.dumps(oidc_iam_policy),` to `assume_role_policy=oidc_iam_policy,`, i.e. passing the Jinja2-rendered string directly, was enough: `json.dumps` on text that is already a JSON document wraps it in a second layer of quoting (producing a JSON string literal rather than a policy object), which IAM rejects as invalid JSON. Issue resolved.