1. Create EKS Admin Policy
This policy is scoped to EKS actions only, so whoever ends up holding it can manage EKS but cannot touch other services.
2. Create EKS admin Role
- Assume: the program "assumes" the role, i.e. takes on the role's permissions for the duration of a session
- A single IAM role can be assumed by many principals (users, services, programs); they all receive the same permissions
- To create a role, assume_role_policy (the trust policy) must be specified
- assume_role_policy declares which principal (Principal) is allowed to assume (take on, act as) the role
- Here the principal is the eks-manager account, because we plan to use that account to assume the role
Principal: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-bucket-user-policy-specifying-principal-intro.html
3. Attach the policy to the role
resource "aws_iam_role_policy_attachment" "eks-admin-policy" {
  # the EKS-only policy from step 1
  policy_arn = aws_iam_policy.AmazonEKSAdminPolicy.arn
  # the role from step 2 (attachment is by role name, not ARN)
  role       = aws_iam_role.eks-admin.name
}
4. Create the eks-manager account (IAM User)
See also: How to use keybase and terraform
5. Create policy for eks-manager
- Official wording: users who receive the policy (through group membership or by direct attachment) are allowed to switch to the specified role
- In other words, the user that holds this policy may call sts:AssumeRole to obtain temporary credentials for the role, and only for aws_iam_role.eks-admin.arn
- So: eks-manager -> AssumeRole -> acts as the eks-admin role -> holds eks-admin privileges until the temporary credentials expire
- Why not attach the eks-admin permissions directly to eks-manager?
- AWS security best practice: the user's long-lived access key carries almost no permissions; the real privileges live in the role and are only reachable through short-lived session credentials
- Reuse: if eks-manager2 needs the same permissions, the role is simply trusted for a second principal instead of re-creating the whole permission set for manager2; large projects have many such managers
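Steps 1 to 5 above as one complete Terraform configuration. This is an added example, not code from the original post: the policy body (eks:*), the provider version, the region, the use of aws_iam_policy_document data sources and the commented MFA condition are assumptions; the resource names aws_iam_policy.AmazonEKSAdminPolicy, aws_iam_role.eks-admin and aws_iam_role_policy_attachment.eks-admin-policy match the snippet in step 3.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0" # assumed; any provider with aws_iam_policy_document works
    }
  }
}

provider "aws" {
  region = "ap-northeast-2" # assumed region, change to yours
}

# 1. EKS admin policy: scoped to EKS actions only.
#    Note: eks:* alone does not cover the VPC/IAM resources a cluster needs,
#    and eks:CreateCluster additionally requires iam:PassRole on the cluster
#    service role; add those separately if the role must build clusters.
data "aws_iam_policy_document" "eks_admin" {
  statement {
    sid       = "AllowAllEKS"
    effect    = "Allow"
    actions   = ["eks:*"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "AmazonEKSAdminPolicy" {
  name   = "AmazonEKSAdminPolicy"
  policy = data.aws_iam_policy_document.eks_admin.json
}

# 4. The eks-manager user. Declared before the role because the trust
#    policy references its ARN. The user itself gets no EKS permissions.
resource "aws_iam_user" "eks-manager" {
  name = "eks-manager"
}

# 2. Trust policy: only the eks-manager user may call sts:AssumeRole here.
data "aws_iam_policy_document" "eks_admin_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_user.eks-manager.arn]
    }
    # Optional hardening (assumed, not in the original): require MFA.
    # condition {
    #   test     = "Bool"
    #   variable = "aws:MultiFactorAuthPresent"
    #   values   = ["true"]
    # }
  }
}

resource "aws_iam_role" "eks-admin" {
  name               = "eks-admin"
  assume_role_policy = data.aws_iam_policy_document.eks_admin_trust.json
}

# 3. Attach the EKS admin policy to the role.
resource "aws_iam_role_policy_attachment" "eks-admin-policy" {
  policy_arn = aws_iam_policy.AmazonEKSAdminPolicy.arn
  role       = aws_iam_role.eks-admin.name
}

# 5. The user's only permission: assume eks-admin, and nothing else.
data "aws_iam_policy_document" "assume_eks_admin" {
  statement {
    sid       = "AssumeEKSAdmin"
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.eks-admin.arn]
  }
}

resource "aws_iam_user_policy" "eks-manager-assume" {
  name   = "AssumeEKSAdminRole"
  user   = aws_iam_user.eks-manager.name
  policy = data.aws_iam_policy_document.assume_eks_admin.json
}

output "eks_admin_role_arn" {
  value = aws_iam_role.eks-admin.arn
}
```

After terraform apply, eks-manager switches roles with aws sts assume-role --role-arn <eks_admin_role_arn> --role-session-name <name>, or via an AWS CLI profile whose role_arn points at the output and whose source_profile is the eks-manager key; aws sts get-caller-identity then shows the assumed-role ARN instead of the user. Two caveats worth checking: a second manager is added by appending its ARN to identifiers in the trust policy plus its own copy of step 5, never by attaching AmazonEKSAdminPolicy to the user; and if the eks-manager user is ever deleted and re-created, AWS rewrites the trust-policy principal to the old user's unique ID, so the trust silently breaks until the role is re-applied.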