sparse-intern-71089
01/11/2019, 3:54 AM
white-balloon-205
kube2iam myself before - but I believe:
1. That parameter isn’t required, it’s just a convenience so you don’t have to repeat the whole ARN on every pod
2. Assuming all the roles you will be applying to pods are from the same account, you can construct the base ARN just knowing the account number (which can also be looked up via aws.iam.getCallerIdentity())
3. The actual roles you want to assign will need to be created separately from what @pulumi/EKS provides. The roles you create will be based on specific needs of your application code, not general needs of the cluster. You can of course create these using aws.iam.Role and integrate this with your Pulumi deployment of the cluster for easy management.