[aws-eks] Invalid IAM role for service account in imported EKS cluster
The EKS cluster construct provides the method addServiceAccount to create a service account in the Kubernetes cluster. In AWS, an IAM role is created for the service account.
The EKS cluster and the service account can be created in the same stack. In this case, the IAM role's trust policy contains a condition like this:
| Condition | Key |
| --- | --- |
| StringEquals | oidc.eks.eu-central-1.amazonaws.com/id/D457DF56746A2B6FCFECDFC42C68BC42:sub |
| StringEquals | oidc.eks.eu-central-1.amazonaws.com/id/D457DF56746A2B6FCFECDFC42C68BC42:aud |
Instead of creating a new EKS cluster, an EKS cluster from another stack can be imported. In this case, the corresponding IAM role of the service account doesn’t contain the ID in the conditions:
| Condition | Key |
| --- | --- |
| StringEquals | oidc.eks.eu-central-1.amazonaws.com:sub |
| StringEquals | oidc.eks.eu-central-1.amazonaws.com:aud |
Because the cluster ID is missing from the condition keys, they never match the issuer in the service account's token, so the service account cannot assume the role and doesn't work.
Reproduction Steps
Create a CDK project with two stacks. The first stack contains the EKS cluster and a service account.
```ts
import * as cdk from '@aws-cdk/core';
import * as eks from '@aws-cdk/aws-eks';

export class EksServiceAccountStack extends cdk.Stack {
  // Exposed so a second stack can import the cluster.
  readonly cluster: eks.ICluster;

  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const cluster = new eks.Cluster(this, 'hello-eks', {
      defaultCapacity: 1,
      version: eks.KubernetesVersion.V1_18,
    });
    this.cluster = cluster;

    // Service account created in the same stack as the cluster: the IAM role
    // gets the full issuer (with /id/<cluster id>) in its trust conditions.
    cluster.addServiceAccount("MyServiceAccount", {
      name: 'my-service-account',
    });
  }
}
```
In the second stack, the EKS cluster is imported. Another service account is added.
```ts
import * as cdk from '@aws-cdk/core';
import * as eks from '@aws-cdk/aws-eks';

export interface ImportStackProps extends cdk.StackProps {
  cluster: eks.ICluster;
}

export class EksServiceAccountImportedStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props: ImportStackProps) {
    super(scope, id, props);

    // Re-create the OIDC provider reference from its ARN only.
    const provider = eks.OpenIdConnectProvider.fromOpenIdConnectProviderArn(
      this, 'Provider', props.cluster.openIdConnectProvider.openIdConnectProviderArn);

    // Import the cluster by attributes instead of creating a new one.
    const cluster = eks.Cluster.fromClusterAttributes(this, 'MyCluster', {
      clusterName: props.cluster.clusterName,
      kubectlRoleArn: props.cluster.kubectlRole?.roleArn,
      openIdConnectProvider: provider,
    });

    // Service account on the imported cluster: its IAM role ends up with
    // trust conditions that lack the /id/<cluster id> part of the issuer.
    cluster.addServiceAccount("ImportedServiceAccount", {
      name: 'imported-service-account',
    });
  }
}
```
What did you expect to happen?
An IAM role should be created with an ID at the end.
| Condition | Key |
| --- | --- |
| StringEquals | oidc.eks.eu-central-1.amazonaws.com/id/D457DF56746A2B6FCFECDFC42C68BC42:sub |
| StringEquals | oidc.eks.eu-central-1.amazonaws.com/id/D457DF56746A2B6FCFECDFC42C68BC42:aud |
ARN of the IAM role from the first stack, which is correct: arn:aws:iam::1234567890:role/EksServiceAccountStack2-helloeksMyServiceAccountRo-1M4HOOH29OK2X
What actually happened?
An IAM role for the service account in the imported EKS cluster was created: arn:aws:iam::1234567890:role/EksServiceAccountImported-MyClusterImportedService-EU4V4YNO0UDE
The condition is there; however, the ID is missing:
| Condition | Key |
| --- | --- |
| StringEquals | oidc.eks.eu-central-1.amazonaws.com:sub |
| StringEquals | oidc.eks.eu-central-1.amazonaws.com:aud |
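The derivation the issue expects, as an added example in plain TypeScript (this is not aws-cdk code and not the reporter's): it extracts the full issuer from the OIDC provider ARN without losing the `/id/<cluster id>` path segment, builds the IRSA trust policy for a service account, and audits an existing trust policy for condition keys where that segment was dropped. The function names, the sample provider ARN and the constructed policy are assumptions; only the issuer host, the cluster ID and the account id come from the issue.

```typescript
// Added example, not code from the aws-cdk project: correct issuer derivation
// for an IRSA trust policy, plus an audit check for the truncated keys.

// Constructed sample provider ARN (account id and cluster id taken from the issue).
const SAMPLE_PROVIDER_ARN =
  "arn:aws:iam::1234567890:oidc-provider/oidc.eks.eu-central-1.amazonaws.com/id/D457DF56746A2B6FCFECDFC42C68BC42";

/** Extract the OIDC issuer (host plus path) from an IAM OIDC provider ARN. */
function issuerFromProviderArn(arn: string): string {
  // ARN layout: arn:partition:service:region:account:resource
  // The resource is "oidc-provider/<issuer>" and the issuer itself contains
  // slashes, so everything after the fifth colon must be kept intact.
  const parts = arn.split(":");
  if (parts.length < 6 || parts[2] !== "iam") {
    throw new Error(`not an IAM ARN: ${arn}`);
  }
  const resource = parts.slice(5).join(":");
  const prefix = "oidc-provider/";
  if (!resource.startsWith(prefix)) {
    throw new Error(`not an OIDC provider ARN: ${arn}`);
  }
  return resource.slice(prefix.length);
}

/** Build the StringEquals block an IRSA trust policy needs for one service account. */
function irsaConditions(providerArn: string, namespace: string, serviceAccount: string): Record<string, string> {
  const issuer = issuerFromProviderArn(providerArn);
  return {
    [`${issuer}:aud`]: "sts.amazonaws.com",
    [`${issuer}:sub`]: `system:serviceaccount:${namespace}:${serviceAccount}`,
  };
}

interface TrustStatement {
  Effect: "Allow" | "Deny";
  Principal: { Federated: string };
  Action: string;
  Condition?: { StringEquals?: Record<string, string> };
}

interface TrustPolicy {
  Version: string;
  Statement: TrustStatement[];
}

/** Assemble the complete assume-role policy document for the service account's role. */
function buildTrustPolicy(providerArn: string, namespace: string, serviceAccount: string): TrustPolicy {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: providerArn },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: { StringEquals: irsaConditions(providerArn, namespace, serviceAccount) },
    }],
  };
}

/**
 * Audit check: return every EKS OIDC condition key that lacks the "/id/"
 * segment. Such a key never matches the token's issuer, so the service
 * account cannot assume the role (the symptom described in the issue).
 */
function findTruncatedIssuerKeys(policy: TrustPolicy): string[] {
  const truncated: string[] = [];
  for (const statement of policy.Statement) {
    const keys = Object.keys(statement.Condition?.StringEquals ?? {});
    for (const key of keys) {
      if (key.startsWith("oidc.eks.") && !key.includes("/id/")) {
        truncated.push(key);
      }
    }
  }
  return truncated;
}

// Constructed policy reproducing the truncated keys reported in the issue.
const BROKEN_POLICY: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { Federated: SAMPLE_PROVIDER_ARN },
    Action: "sts:AssumeRoleWithWebIdentity",
    Condition: {
      StringEquals: {
        "oidc.eks.eu-central-1.amazonaws.com:aud": "sts.amazonaws.com",
        "oidc.eks.eu-central-1.amazonaws.com:sub": "system:serviceaccount:default:imported-service-account",
      },
    },
  }],
};
```

Running `findTruncatedIssuerKeys` over the trust policies of the roles CDK synthesizes (for example from the `cdk synth` template or from `aws iam get-role`) flags the imported-cluster role shown above while the same-stack role passes, which makes the defect visible before a pod fails to assume the role at runtime.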
Environment
- **CDK CLI Version:** 1.74.0
- **Framework Version:** 1.74.0
- **Node.js Version:** v12.18.3
- **OS:** macOS
- **Language (Version):** TypeScript (3.9.7)
This is a 🐛 Bug Report
Issue Analytics
- Created 3 years ago
- Comments: 5 (4 by maintainers)
Top GitHub Comments
@jumi-dev thanks for digging in. Closing in favor of https://github.com/aws/aws-cdk/issues/11705
@iliapolo I already found a workaround when I recognized the relationship with `parseArn`. I copied the ARN directly into the stack instead. I created a central EKS cluster with one stack. Then I should deploy multiple applications into the EKS cluster using separate CDK stacks / CodePipelines to deploy the applications independently. This was the reason I've imported the EKS cluster into another stack.