https://pulumi.com logo
#aws
Title
# aws
c

calm-parrot-72437

02/04/2020, 12:47 AM
is there a way to specify the trust relationship when creating an iam role? or is there another way to go about it? trying to link an iam role with a eks serviceaccount..
hmm, maybe this trust relationship is just part of the policy, but separated in the ui for some reason?
w

white-balloon-205

02/04/2020, 1:32 AM
The trust relationship is the
assumeRolePolicy
argument.
c

calm-parrot-72437

02/04/2020, 3:07 AM
thank you!
const keelRole = new aws.iam.Role("keel-eksDeployer", { assumeRolePolicy: aws.getCallerIdentity().then(id =>
Copy code
{
      "Version": "2012-10-17",
      "Statement": [
        {
   	  "Action": "sts:AssumeRoleWithWebIdentity",
          "Principal": {
   	  	"Federated": "arn:aws:iam::${id.accountId}:oidc-provider/${oidcProvider}"
          },
	  "Condition": {
		"StringEquals": {
			"${oidcProvider}:sub": "system:serviceaccount:${config.clusterSvcsNamespaceName}:keel",
		}
	  },
          "Effect": "Allow",
          "Sid": "serviceaccount"
        }
      ]
    }
,) });
Removing the Condition and I can get it to compile , but leaving it in there i get the error invalid JSON: invalid character '\n'. what have I done?
hmm, seems to a problem with my config.clusterSvcsNamespaceName as I can replace that with "foo" and the error goes away..hmm
m

miniature-musician-31262

02/04/2020, 5:51 PM
I believe you may need to JSON.stringify() that policy body
c

calm-parrot-72437

02/04/2020, 5:56 PM
oh, wow, thank you @miniature-musician-31262. that worked...
m

miniature-musician-31262

02/04/2020, 5:58 PM
Awesome! Kind of unintuitive to have to do that, though, I admit.
c

calm-parrot-72437

02/04/2020, 6:00 PM
really appreciate the help!
👍 1
well, the preview works, but creation fails.. pulumi up details look like this:
+ awsiam/roleRole: (create) [urn=urnpulumistage:keelawsiam/roleRole:keel-eksDeployer] [provider=urnpulumistage:keelpulumiprovidersawsdefault 1 20 0:31ba9] assumeRolePolicy : "\"{\\n \\\"Version\\\": \\\"2012-10-17\\\",\\n \\\"Statement\\\": [\\n {\\n \\t \\\"Action\\\": \\\"sts:AssumeRoleWithWebIdentity\\\",\\n \\\"Principal\\\": {\\n \\t \\t\\\"Federated\\\": \\\"arnawsiam::***:oidc-provider/oidc.eks.us-east-2.amazonaws.com/id/***\\\"\\n },\\n\\t \\\"Condition\\\": {\\n\\t\\t\\\"Stri ngEquals\\\": {\\n\\t\\t\\t\\\"oidc.eks.us-east-2.amazonaws.com/id/***:sub\\\": \\\"systemserviceaccountCalling [toString] on an [Output<T>] is not supported.\\n\\nTo get the value of an Output<T> as an Output<string> consider either\\n1 o.apply(v =>
prefix${v}suffix
)\\n2: pulumi.interpolate `prefix${v}suffix`\\n\\nSee https://pulumi.io/help/outputs for more details.\\nThis function may t hrow in a future version of @pulumi/pulumi.:keel\\\"\\n\\t\\t}\\n\\t },\\n \\\"Effect\\\": \\\"Allow\\\",\\n \\\"Sid\\\": \\\"serviceaccount\\\"\\n }\\n ]\\n }\\n\"" forceDetachPolicies: false maxSessionDuration : 3600 name : "keel-eksDeployer-1260ba1" path : "/"
tried replacing ${config.clusterSrvcsNamespace} with ${config.clusterSrvcsNamespace.apply(v =>
${v}
) } but still got a warning there, not sure if that is related or not
if i remove that bit and just hardcode the cluster service namespace, then i hit a policy contains invalid json during the up.
hmm, that goes away if i remove the JSON.stringify()..
in summary, the above code works as long as i hardcode the namespace name in the Condition.
m

miniature-musician-31262

02/05/2020, 2:14 AM
If you could toss this part of your code into a GitHib Gist, it’d probably be easier to see what’s going on there.
(wondering where oidcProvider is coming from)
c

calm-parrot-72437

02/05/2020, 4:46 PM
Oidcprovider isn't important, can replace that with string foo.
m

many-garden-84306

02/06/2020, 6:14 PM
It looks like you are trying to stringify an output, which is an async promise. You need to wrap the stringify in apply() to create another promise
47 Views