is there a way to specify the trust relationship w...
# aws
c
is there a way to specify the trust relationship when creating an iam role? or is there another way to go about it? trying to link an iam role with a eks serviceaccount..
hmm, maybe this trust relationship is just part of the policy, but separated in the ui for some reason?
w
The trust relationship is the `assumeRolePolicy` argument.
c
thank you!
```typescript
const keelRole = new aws.iam.Role("keel-eksDeployer", {
    assumeRolePolicy: aws.getCallerIdentity().then(id => `{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Principal": {
            "Federated": "arn:aws:iam::${id.accountId}:oidc-provider/${oidcProvider}"
          },
          "Condition": {
            "StringEquals": {
              "${oidcProvider}:sub": "system:serviceaccount:${config.clusterSvcsNamespaceName}:keel"
            }
          },
          "Effect": "Allow",
          "Sid": "serviceaccount"
        }
      ]
    }`),
});
```
If I remove the Condition I can get it to compile, but leaving it in there I get the error `invalid JSON: invalid character '\n'`. What have I done?
hmm, seems to be a problem with my `config.clusterSvcsNamespaceName`, as I can replace that with "foo" and the error goes away.. hmm
m
I believe you may need to JSON.stringify() that policy body
c
oh, wow, thank you @miniature-musician-31262. that worked...
m
Awesome! Kind of unintuitive to have to do that, though, I admit.
c
really appreciate the help!
well, the preview works, but creation fails.. `pulumi up` details look like this:
```
+ aws:iam/role:Role: (create) [urn=urn:pulumi:stage::keel::aws:iam/role:Role::keel-eksDeployer] [provider=urn:pulumi:stage::keel::pulumi:providers:aws::default_1_20_0::31ba9]
    assumeRolePolicy   : "\"{\\n \\\"Version\\\": \\\"2012-10-17\\\",\\n \\\"Statement\\\": [\\n {\\n \\t \\\"Action\\\": \\\"sts:AssumeRoleWithWebIdentity\\\",\\n \\\"Principal\\\": {\\n \\t \\t\\\"Federated\\\": \\\"arn:aws:iam::***:oidc-provider/oidc.eks.us-east-2.amazonaws.com/id/***\\\"\\n },\\n\\t \\\"Condition\\\": {\\n\\t\\t\\\"StringEquals\\\": {\\n\\t\\t\\t\\\"oidc.eks.us-east-2.amazonaws.com/id/***:sub\\\": \\\"system:serviceaccount:Calling [toString] on an [Output<T>] is not supported.\\n\\nTo get the value of an Output<T> as an Output<string> consider either:\\n1: o.apply(v => `prefix${v}suffix`)\\n2: pulumi.interpolate `prefix${v}suffix`\\n\\nSee https://pulumi.io/help/outputs for more details.\\nThis function may throw in a future version of @pulumi/pulumi.:keel\\\"\\n\\t\\t}\\n\\t },\\n \\\"Effect\\\": \\\"Allow\\\",\\n \\\"Sid\\\": \\\"serviceaccount\\\"\\n }\\n ]\\n }\\n\""
    forceDetachPolicies: false
    maxSessionDuration : 3600
    name               : "keel-eksDeployer-1260ba1"
    path               : "/"
```
tried replacing `${config.clusterSrvcsNamespace}` with
```
${config.clusterSrvcsNamespace.apply(v => `${v}`)}
```
but still got a warning there, not sure if that is related or not
if I remove that bit and just hardcode the cluster service namespace, then I hit `policy contains invalid json` during the up.
hmm, that goes away if I remove the `JSON.stringify()`..
in summary, the above code works as long as I hardcode the namespace name in the Condition.
m
If you could toss this part of your code into a GitHub Gist, it'd probably be easier to see what's going on there.
(wondering where `oidcProvider` is coming from)
c
`oidcProvider` isn't important, you can replace that with the string "foo".
m
It looks like you are trying to stringify an Output, which is an async promise. You need to wrap the stringify in `apply()` to create another promise.