This message was deleted.
# kubernetess
sparse-intern-71089
09/27/2023, 7:47 PMThis message was deleted.
n
numerous-train-50906
09/27/2023, 7:48 PMhere is the relevant Python function:
Copy code
def create_autoscaling_role(
oidc_provider_arn,
oidc_provider_url,
oidc_iam_policy,
cluster_autoscaler_iam_policy,
cluster_name,
):
oidc_iam_policy = oidc_iam_policy.render(
cluster_oidc_provider_arn=oidc_provider_arn,
cluster_oidc_provider_url=oidc_provider_url,
)
iam_policy = cluster_autoscaler_iam_policy.render(cluster_name=cluster_name)
cluster_autoscaler_iam_role = aws.iam.Role(
resource_name=f"{cluster_name}_cluster_autoscaler_role",
name=f"{cluster_name}_cluster_autoscaler_role",
assume_role_policy=json.dumps(oidc_iam_policy),
)
cluster_autoscaler_iam_policy = aws.iam.Policy(
resource_name=f"{cluster_name}_cluster_autoscaler_policy",
name=f"{cluster_name}_cluster_autoscaler_policy",
policy=iam_policy,
)
aws.iam.RolePolicyAttachment(
resource_name=f"{cluster_name}_cluster_autoscaler_policy_attachment",
role=cluster_autoscaler_iam_role.name,
policy_arn=cluster_autoscaler_iam_policy.arn,
)
return cluster_autoscaler_iam_rolenumerous-train-50906
09/27/2023, 7:51 PMThe json for the Trust Policy supplied to this line
assume_role_policy=json.dumps(oidc_iam_policy), Copy code
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::152*****449:oidc-provider/oidc.eks.ca-central-1.amazonaws.com/id/FE5D241***************"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"<http://oidc.eks.ca-central-1.amazonaws.com/id/FE5D241***************:aud|oidc.eks.ca-central-1.amazonaws.com/id/FE5D241***************:aud>": "<http://sts.amazonaws.com|sts.amazonaws.com>"
}
}
}
]
}numerous-train-50906
09/27/2023, 7:51 PMwhich exactly matches the json when creating the same via the AWS Console.
numerous-train-50906
09/27/2023, 8:13 PMchanging this line
assume_role_policy=json.dumps(oidc_iam_policy),assume_role_policy=oidc_iam_policy,