dazzling-sundown-39670
05/27/2020, 8:45 PM
external-dns pods but I'm not sure how I can allow it. Currently I'm getting this error: AccessDenied: User: arn:aws:sts::503405380068:assumed-role/k8s-pulumi-instanceRole-role-683d5cc/i-0a89701e04130e505 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::503405380068:role/update-route53-4397bfb
I guess I need to attach it to my cluster somehow? I've tried passing the role as the cluster's serviceRole and instanceRole, but the diff shows too many affected resources (presumably because that replaces the node role itself rather than letting it assume update-route53).
import * as pulumi from '@pulumi/pulumi';
import * as aws from '@pulumi/aws';
import * as k8s from '@pulumi/kubernetes';
import { cluster } from './cluster';
import { updateRoute53Role } from './roles';
// NOTE(review): a trust policy like the one below (presumably what ./roles has today)
// only lets the EC2 *service* assume the role, i.e. it makes the role usable as an
// instance profile. The AccessDenied above is the node's instance role
// (k8s-pulumi-instanceRole-role-*) calling sts:AssumeRole on update-route53, which
// the trust policy must allow by naming that caller as an AWS principal:
//   Principal: { AWS: <arn of the node instance role> }
// For sts:AssumeRoleWithWebIdentity (IRSA) the principal is instead the cluster's
// OIDC provider, `Principal: { Federated: <oidc provider arn> }`, with a condition
// on `<oidc-issuer>:sub` equal to `system:serviceaccount:<ns>:external-dns`.
// export const role = new aws.iam.Role('update-route53', {
//   assumeRolePolicy: JSON.stringify({
//     Version: '2012-10-17',
//     Statement: [
//       {
//         Action: 'sts:AssumeRole',
//         Principal: {
//           Service: 'ec2.amazonaws.com',
//         },
//         Effect: 'Allow',
//         Sid: '',
//       },
//     ],
//   }),
// });
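/**
 * Route53 hosted zone(s) external-dns may modify.
 *
 * `'*'` reproduces the original policy (every hosted zone in the account).
 * For least privilege replace it with the zone ID(s) behind the chart's
 * `domainFilters`, e.g. `['Z0123456789ABCDEFGHIJ']`; a full hosted-zone ARN
 * is also accepted.
 */
export const externalDnsHostedZoneIds: readonly string[] = ['*'];

/**
 * Builds the IAM policy document external-dns needs.
 *
 * @param zoneIds hosted zone IDs (or ARNs) that ChangeResourceRecordSets is
 *   limited to. The List* actions are not resource-scoped in IAM, so they
 *   keep `*`.
 * @returns the policy document as a JSON string.
 * @throws Error when `zoneIds` is empty (an empty Resource list is invalid).
 */
export function route53UpdatePolicyDocument(
  zoneIds: readonly string[] = externalDnsHostedZoneIds,
): string {
  if (zoneIds.length === 0) {
    throw new Error('route53UpdatePolicyDocument: at least one hosted zone id is required');
  }
  const zoneArns = zoneIds.map((id) =>
    id.startsWith('arn:') ? id : `arn:aws:route53:::hostedzone/${id}`,
  );
  return JSON.stringify({
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Action: ['route53:ChangeResourceRecordSets'],
        Resource: zoneArns,
      },
      {
        Effect: 'Allow',
        Action: ['route53:ListHostedZones', 'route53:ListResourceRecordSets'],
        Resource: ['*'],
      },
    ],
  });
}

/** Managed policy granting external-dns its Route53 access. */
export const policy = new aws.iam.Policy('AllowExternalDNSUpdates', {
  description: 'This policy allows external-dns to update route53',
  path: '/',
  policy: route53UpdatePolicyDocument(),
});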
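/**
 * Attach the Route53 policy to the external-dns role.
 *
 * Only a RolePolicyAttachment is used. The original additionally created an
 * aws.iam.PolicyAttachment for the same role/policy pair, which is redundant
 * and, because PolicyAttachment is *exclusive*, would detach the policy from
 * any other role, user or group it gets attached to elsewhere.
 *
 * This only grants Route53 permissions to the target role. The
 * "not authorized to perform: sts:AssumeRole" error is about whether the node
 * instance role may assume the target role, which is decided by the target
 * role's trust (assume-role) policy in ./roles, not by this attachment.
 */
const rolePolicyAttachment = new aws.iam.RolePolicyAttachment('update-route53', {
  role: updateRoute53Role,
  policyArn: policy.arn,
});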
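/** ARN of the role external-dns should act as (also handy as a stack output). */
export const externalDnsRoleArn = updateRoute53Role.arn;

/**
 * external-dns (bitnami chart 3.1.0) managing records under aws2.fooqa.com.
 *
 * `aws.assumeRoleArn` makes the pod call sts:AssumeRole on `externalDnsRoleArn`
 * using the *node's* credentials. For that to work the update-route53 role's
 * trust policy must name the node instance role (k8s-pulumi-instanceRole-role-*)
 * as an AWS principal; otherwise you get the AccessDenied seen in the question.
 * If you want sts:AssumeRoleWithWebIdentity (IRSA) instead: drop
 * `assumeRoleArn`, trust the cluster's OIDC provider in the role, and annotate
 * the chart's service account with `eks.amazonaws.com/role-arn: <role arn>`
 * (chart value `serviceAccount.annotations`).
 */
export const externalDnsChart = new k8s.helm.v2.Chart(
  'external-dns',
  {
    chart: 'external-dns',
    version: '3.1.0',
    values: {
      // Ownership marker external-dns writes into TXT records so two
      // instances never manage the same records.
      txtOwnerId: 'foo-external-dns-pulumi',
      domainFilters: ['aws2.fooqa.com'],
      aws: {
        zoneType: 'public',
        assumeRoleArn: externalDnsRoleArn,
      },
      // Must be a nested object: a literal 'podSecurityContext.fsGroup' key is
      // passed through as-is in a values file (the dotted form is only expanded
      // by `--set`), so the original setting never reached the pod spec.
      // fsGroup 65534 lets the non-root container read the projected
      // service-account token, which the IRSA path needs.
      podSecurityContext: { fsGroup: 65534 },
    },
    fetchOpts: {
      repo: 'https://charts.bitnami.com/bitnami',
    },
  },
  {
    dependsOn: cluster,
    provider: cluster.provider,
  },
);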
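/** Node instance type, read from the stack config key `k8sinstancetype`. */
const instanceType: aws.ec2.InstanceType = config.require('k8sinstancetype');

/**
 * The EKS cluster.
 *
 * Do not pass the external-dns role as `serviceRole` / `instanceRole` here:
 * that swaps the role the control plane or every node runs as (hence the large
 * diff) instead of letting the node role *assume* update-route53. Keep the
 * roles eks creates and have the update-route53 trust policy name
 * `instanceRole` below as its principal.
 *
 * NOTE(review): nodes are placed in `vpc.publicSubnetIds`; worker nodes are
 * normally kept in private subnets — confirm this is intentional.
 */
export const cluster = new eks.Cluster('k8s-pulumi', {
  vpcId: vpc.id,
  subnetIds: vpc.publicSubnetIds,
  clusterSecurityGroup: sg.securityGroup,
  instanceType,
  desiredCapacity: 3,
  minSize: 1,
  maxSize: 4,
});

/** The node group's instance role (first of the roles eks created). */
const instanceRole = cluster.instanceRoles.apply((roles) => roles[0]);

/**
 * ARN of the node instance role — the principal the update-route53 role must
 * trust. `instanceRole.arn` is already an Output<string>, so the original
 * `pulumi.interpolate` wrapper was redundant.
 */
export const arn = instanceRole.arn;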
…sts:AssumeRole instead of sts:AssumeRoleWithWebIdentity, but I can't figure out how to change that. (AssumeRoleWithWebIdentity is the IRSA path: the role's trust policy names the cluster's OIDC provider as a Federated principal and the external-dns service account is annotated with `eks.amazonaws.com/role-arn`; with that in place the chart's `aws.assumeRoleArn` is not needed.)