awsCaller.then(...)
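/**
 * Creates the IAM role that Kubernetes namespace admins assume, together with
 * the customer-managed policy (and group attachment) that lets the
 * `k8sNamespaceAdminGroup` assume it.
 *
 * Trust model: the role trusts the *account root* principal, so who may assume
 * it is decided entirely by IAM identity policies inside this account. The
 * group attachment below is one such grant, but any other user or role in the
 * account that is given `sts:AssumeRole` on this role's ARN can assume it as
 * well. No MFA or external-id condition is applied to the trust policy.
 *
 * The account ID is taken from the credentials running the program
 * (`getCallerIdentity`), not from configuration.
 *
 * @returns the namespace-admin role; the Policy and GroupPolicyAttachment are
 *          created as side effects and are not returned.
 */
async function createK8sDelegationRole(): Promise<aws.iam.Role> {
  const caller = await aws.getCallerIdentity();

  // Trust policy: delegate "who can assume" to this account's IAM policies.
  const trustPolicy: aws.iam.PolicyDocument = {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: {
          AWS: `arn:aws:iam::${caller.accountId}:root`
        },
        Action: "sts:AssumeRole"
      }
    ]
  };

  // NOTE(review): ReadOnlyAccess is the AWS-managed, account-wide read-only
  // policy and covers far more than EKS (it permits reading data in many
  // services). If this role only needs to discover the cluster for a
  // kubeconfig, a policy limited to eks:DescribeCluster / eks:ListClusters
  // would be much narrower — confirm what callers actually need. Namespace
  // authorization itself is done on the Kubernetes side (RBAC), not here.
  const namespaceAdminPolicies = {
    eksViewer: aws.iam.ReadOnlyAccess
  };

  const namespaceAdminRole = newRoleWithPolicies(
    "k8sDevNSAdminRole",
    {
      description: "k8s namespace admin role for groups",
      assumeRolePolicy: trustPolicy
    },
    namespaceAdminPolicies
  );

  // Build the policy document as an Output<string> and hand it to the Policy
  // as its `policy` input, rather than constructing the Policy resource inside
  // `.apply(...)`. Resources created inside apply are invisible to
  // `pulumi preview` and only get registered once the ARN is known, which
  // makes the resource graph hard to reason about.
  const assumeRolePolicyDoc = namespaceAdminRole.arn.apply(arn =>
    JSON.stringify({
      Version: "2012-10-17",
      Statement: [
        {
          Effect: "Allow",
          // Scoped to exactly this role's ARN — not a wildcard.
          Resource: arn,
          Action: ["sts:AssumeRole"]
        }
      ]
    })
  );

  const assumeNamespaceAdminPolicy = new aws.iam.Policy(
    "k8s-dev-namespace-policy",
    {
      description: "Policy that allow you to do K8s stuff",
      policy: assumeRolePolicyDoc
    },
    { parent: namespaceAdminRole }
  );

  // Grant the dev group permission to assume the namespace-admin role.
  new aws.iam.GroupPolicyAttachment("k8s-ns-to-dev-group-attachment", {
    group: k8sNamespaceAdminGroup,
    policyArn: assumeNamespaceAdminPolicy.arn
  });

  return namespaceAdminRole;
}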
Promise<aws.iam.Role>
)