any idea how to apply this correctly?
```assume_ro...
# pythonq
quaint-tailor-52411
07/08/2024, 9:31 PMany idea how to apply this correctly?
Copy code
assume_role_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": eks_cluster.core.oidc_provider.arn
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"$oidc_provider:aud": "sts.amazonaws.com",
f"{eks_cluster.core.oidc_provider.id.apply(lambda id: id + ':sub')}": "system:serviceaccount:kube-system:ebs-csi-controller-sa"
}
},
}
],
} Copy code
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam:::oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"$oidc_provider:aud": "sts.amazonaws.com",
"Calling __str__ on an Output[T] is not supported.\n\nTo get the value of an Output[T] as an Output[str] consider:\n1. o.apply(lambda v: f\"prefix{v}suffix\")\n\nSee <https://www.pulumi.com/docs/concepts/inputs-outputs> for more details.\nThis function may throw in a future version of Pulumi.": "system:serviceaccount:kube-system:ebs-csi-controller-sa"
}
}
}
]
}d
dry-keyboard-94795
07/08/2024, 10:22 PMYou have your apply call inside a formatted string, just need to remove the wrapping
f"{...}"q
quaint-tailor-52411
07/08/2024, 10:38 PMyeah i tried that earlier got this
Copy code
Traceback (most recent call last):
File "/opt/homebrew/bin/pulumi-language-python-exec", line 192, in <module>
loop.run_until_complete(coro)
File "/opt/homebrew/Cellar/python@3.12/3.12.3/Frameworks/Python.framework/Versions/3.12/lib/python3.12/asyncio/base_events.py", line 687, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File "/site-packages/pulumi/runtime/stack.py", line 138, in run_in_stack
await run_pulumi_func(run)
File "/site-packages/pulumi/runtime/stack.py", line 52, in run_pulumi_func
await wait_for_rpcs()
File "/site-packages/pulumi/runtime/stack.py", line 114, in wait_for_rpcs
await task
File "/site-packages/pulumi/runtime/resource.py", line 910, in do_register
resolver = await prepare_resource(res, ty, custom, remote, props, opts, typ)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/site-packages/pulumi/runtime/resource.py", line 196, in prepare_resource
serialized_props = await rpc.serialize_properties(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/site-packages/pulumi/runtime/rpc.py", line 237, in serialize_properties
struct[translated_name] = result
~~~~~~^^^^^^^^^^^^^^^^^
File "/site-packages/google/protobuf/internal/well_known_types.py", line 471, in __setitem__
_SetStructValue(self.fields[key], value)
File "/site-packages/google/protobuf/internal/well_known_types.py", line 433, in _SetStructValue
struct_value.struct_value.update(value)
File "/site-packages/google/protobuf/internal/well_known_types.py", line 507, in update
_SetStructValue(self.fields[key], value)
File "/site-packages/google/protobuf/internal/well_known_types.py", line 436, in _SetStructValue
struct_value.list_value.extend(value)
File "/site-packages/google/protobuf/internal/well_known_types.py", line 525, in extend
self.append(value)
File "/site-packages/google/protobuf/internal/well_known_types.py", line 521, in append
_SetStructValue(self.values.add(), value)
File "/site-packages/google/protobuf/internal/well_known_types.py", line 433, in _SetStructValue
struct_value.struct_value.update(value)
File "/site-packages/google/protobuf/internal/well_known_types.py", line 507, in update
_SetStructValue(self.fields[key], value)
File "/site-packages/google/protobuf/internal/well_known_types.py", line 433, in _SetStructValue
struct_value.struct_value.update(value)
File "/site-packages/google/protobuf/internal/well_known_types.py", line 507, in update
_SetStructValue(self.fields[key], value)
File "/site-packages/google/protobuf/internal/well_known_types.py", line 433, in _SetStructValue
struct_value.struct_value.update(value)
File "/site-packages/google/protobuf/internal/well_known_types.py", line 507, in update
_SetStructValue(self.fields[key], value)d
dry-keyboard-94795
07/08/2024, 10:45 PMAh, yes you likely can't use it as a key to a dict.
You should build the entire dictionary inside the apply call if the resource this is for accepts it
b
billowy-army-68599
07/09/2024, 1:21 AM
m
modern-zebra-45309
07/09/2024, 10:41 AMIf you don't want to use an extra package, here's a blog post with a "Pulumi-native" solution: https://pragmaticnotes.hashnode.dev/configuring-an-eks-kubernetes-service-account-to-assume-an-iam-role-with-pulumi
Relevant part:
Copy code
oidc_provider_arn = pulumi.Output.from_input(oidc_provider_arn)
iam_policy_document = aws.iam.get_policy_document_output(
statements=[
aws.iam.GetPolicyDocumentStatementArgs(
actions=["sts:AssumeRoleWithWebIdentity"],
conditions=[
aws.iam.GetPolicyDocumentStatementConditionArgs(
test="StringEquals",
values=["<http://sts.amazonaws.com|sts.amazonaws.com>"],
variable=oidc_provider_arn.apply(
lambda arn: arn.split("/", 1)[1] + ":aud"
),
),
aws.iam.GetPolicyDocumentStatementConditionArgs(
test="StringEquals",
variable=oidc_provider_arn.apply(
lambda arn: arn.split("/", 1)[1] + ":sub"
),
values=[
pulumi.Output.concat(
"system:serviceaccount:",
service_account.metadata.namespace,
":",
service_account.metadata.name,
)
],
),
],
principals=[
aws.iam.GetPolicyDocumentStatementPrincipalArgs(
type="Federated",
identifiers=[oidc_provider_arn],
)
],
),
]
)q
quaint-tailor-52411
07/09/2024, 5:29 PMthanks for these. it does seem very boiler plate
m
modern-zebra-45309
07/10/2024, 8:10 AMI agree, but I think that's more on AWS/EKS than on Pulumi. You have to create the k8s SA with the correct annotation and the IAM role with the proper policy, there's no way around that, and this is even more tedious if you do it via kubectl and the AWS CLI.
If you make a function for this like the one I shared in the blog post, or use a higher-level construct like the one Lee shared, it will keep your main program relatively tidy.
8 Views