1. Create EKS Admin Policy
This policy grants access to EKS services only, nothing else.
2. Create EKS admin Role
- Assume: a principal (a program or a user) "assumes" the role, i.e. temporarily takes on the role's permissions
- One IAM Role can be assumed by many principals
- To create a role, assume_role_policy must be specified
- assume_role_policy (the trust policy): declares which Principal is allowed to assume (take on, act as) the role
- Here the Principal is the eks-manager account, because we plan to use that account to assume the role
- Principal: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-bucket-user-policy-specifying-principal-intro.html
3. Attach the policy to the role
resource "aws_iam_role_policy_attachment" "eks-admin-policy" {
  policy_arn = aws_iam_policy.AmazonEKSAdminPolicy.arn
  role       = aws_iam_role.eks-admin.name
}
4. Create the eks-manager account (User)
How to use keybase and terraform
5. Create policy for eks-manager
- Official description: users who receive the policy (through group membership or direct attachment) are allowed to switch to the specified role
- It grants the user holding the policy the right to call AssumeRole and obtain temporary credentials for the role (restricted to aws_iam_role.eks-admin.arn)
- That is: eks-manager -> AssumeRole -> acts as the eks-admin role -> holds eks-admin privileges
- Why not attach the eks-admin permissions directly to eks-manager?
- It follows AWS security best practices (the user itself holds only the right to assume; the privileges live in the role)
- Reuse: if eks-manager2 needs the same permissions, you would have to recreate them for manager2; with AssumeRole every manager simply assumes the same role, which matters in large projects with many managers
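The five steps wired together as one Terraform configuration. This is an added example, not code from the original post (only the `aws_iam_role_policy_attachment` block in step 3 comes from the post). Assumptions: the region, the policy body (an `eks:*` allow is taken to be what "EKS services only" means), the user name `eks-manager`, and the `keybase:...` PGP key placeholder used to encrypt the generated access key secret.

```terraform
# Added example: eks-manager user -> sts:AssumeRole -> eks-admin role -> EKS-only permissions.
# Names AmazonEKSAdminPolicy and eks-admin come from the post; everything else is assumed.

provider "aws" {
  region = "us-east-1" # assumed
}

# Step 1: the EKS admin policy. Only eks:* actions are allowed; no other service.
resource "aws_iam_policy" "AmazonEKSAdminPolicy" {
  name = "AmazonEKSAdminPolicy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "EKSOnly"
      Effect   = "Allow"
      Action   = ["eks:*"] # assumed policy body
      Resource = "*"
    }]
  })
}

# Step 4: the eks-manager user. The access key secret is PGP-encrypted with a
# keybase key so it is never stored in plaintext in the Terraform state.
resource "aws_iam_user" "eks-manager" {
  name = "eks-manager"
}

resource "aws_iam_access_key" "eks-manager" {
  user    = aws_iam_user.eks-manager.name
  pgp_key = "keybase:REPLACE_WITH_KEYBASE_USERNAME" # placeholder
}

# Step 2: the eks-admin role. assume_role_policy is the trust policy: the
# Principal allowed to call sts:AssumeRole is exactly the eks-manager user.
resource "aws_iam_role" "eks-admin" {
  name = "eks-admin"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = aws_iam_user.eks-manager.arn }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Step 3: attach the EKS-only policy to the role (this block is the post's own).
resource "aws_iam_role_policy_attachment" "eks-admin-policy" {
  policy_arn = aws_iam_policy.AmazonEKSAdminPolicy.arn
  role       = aws_iam_role.eks-admin.name
}

# Step 5: the user-side policy. eks-manager itself holds no EKS permissions,
# only the right to assume this one role (Resource is the role ARN, not "*").
resource "aws_iam_user_policy" "eks-manager-assume" {
  name = "assume-eks-admin"
  user = aws_iam_user.eks-manager.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sts:AssumeRole"
      Resource = aws_iam_role.eks-admin.arn
    }]
  })
}

output "eks_admin_role_arn" {
  value = aws_iam_role.eks-admin.arn
}

# Decrypt with the matching keybase private key; the plaintext secret never
# appears in state or in terraform output.
output "eks_manager_encrypted_secret" {
  value = aws_iam_access_key.eks-manager.encrypted_secret
}
```

After `terraform apply`, the manager obtains temporary credentials with `aws sts assume-role --role-arn <eks_admin_role_arn> --role-session-name eks-admin-session`; the returned credentials expire, which is the practical benefit over a long-lived key that carries the EKS permissions directly. Both sides of the grant are needed: the trust policy on the role (who may assume it) and the user policy (which role the user may assume); removing either one breaks the chain, which is also why a second manager only needs its own copy of the user-side policy and a Principal entry, never a copy of the EKS permissions.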