# general
a
Hi everyone! I have a question here: When creating an EKS cluster in Pulumi, there’s a parameter called instance_role that requires an input of type iam.Role object. However, if the IAM role was previously created in another repository, Pulumi export can only export the variables as json or string types. If we use Pulumi’s get_role method to retrieve the role from AWS by its name, the return value is a GetRoleResult, which cannot be directly used in methods that expect an iam.Role object. Does Pulumi provide any other method to read an existing IAM role from AWS and return it as an aws.iam.Role object?
w
Instead of using the K8s `CONFIG_MAP` mode, there is an `API` authentication mode AWS provides that is able to be used via the `access_entries` property (https://www.pulumi.com/registry/packages/eks/api-docs/cluster/#access_entries_python). It allows adding auth entries (called AccessEntries) by using AWS APIs instead of the k8s ConfigMap. You can create them with the provider by referencing their ARNs. TS example:
```typescript
const cluster = new eks.Cluster("example", {
    ...
    authenticationMode: eks.AuthenticationMode.API,
    accessEntries: {
        instance1: {
            principalArn: roleArn1,
            type: eks.AccessEntryType.EC2_LINUX
        },
        instance2: {
            principalArn: roleArn2,
            type: eks.AccessEntryType.EC2_LINUX
        },
    }
});
```
An added benefit of the `API` authentication mode is that the auth entries are composable. With the ConfigMap you had to configure it in a single place, but access entries can be added out of band as well:
```typescript
const example = new aws.eks.AccessEntry("example", {
    clusterName: cluster.name,
    principalArn: roleArn1,
    type: "EC2_LINUX",
});
```
a
Thanks @witty-candle-66007, I will give it a shot