- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the left navigation pane, choose Policies and then choose Create policy.
- Choose the JSON tab.
- In the Policy Document field, paste the Komiser recommended policy.
- Choose Review policy.
- Enter a name and description for your policy and then choose Create policy.
- Record the Amazon Resource Name (ARN) of the policy to use later when you create your role.
- Copy the following code block to your computer.

  ```bash
  read -r -d '' TRUST_RELATIONSHIP <<EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "${OIDC_PROVIDER}:aud": "sts.amazonaws.com",
            "${OIDC_PROVIDER}:sub": "system:serviceaccount:${NAMESPACE}:komiser"
          }
        }
      }
    ]
  }
  EOF
  echo "${TRUST_RELATIONSHIP}" > trust.json
  ```
  NOTE: Make sure to replace `${NAMESPACE}` with the namespace you will deploy the Helm chart into. If the chart is deployed in any other namespace, you will see `sts:AssumeRoleWithWebIdentity` failure messages in the pod logs.
- Run the modified code block from the previous step to create a file named `trust.json`.
- Run the following AWS CLI command to create the role. Replace `my-iam-role` with a name for your IAM role, and `my-role-description` with a description for your role.

  ```bash
  aws iam create-role --role-name my-iam-role --assume-role-policy-document file://trust.json --description "my-role-description"
  ```

- Run the following command to attach an IAM policy to your role. Replace `my-iam-role` with the name of your IAM role, `111122223333` with your account ID (or with `aws`, if you're attaching an AWS managed policy), and `my-iam-policy` with the name of an existing policy that you created or an AWS managed IAM policy.

  ```bash
  aws iam attach-role-policy --role-name my-iam-role --policy-arn=arn:aws:iam::111122223333:policy/my-iam-policy
  ```
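The steps above render a trust policy from three shell variables and then hand the file to `aws iam create-role`; the most common failure is a `sub` condition that names a different namespace (or an unset variable that leaves an empty ARN) and is only noticed later as `AssumeRoleWithWebIdentity` errors in the pod logs. The following is an added example, not part of Komiser's own tooling or documentation: it wraps the same heredoc in a function that refuses to run with any value unset, and adds a pre-flight check of `trust.json` against the namespace the chart will actually be installed into. The function names `render_trust_policy` and `check_trust_policy` are hypothetical, and the OIDC provider value in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not Komiser's own tooling): render the IRSA trust policy
# from the three values the page's heredoc expects, refuse to write it when
# any value is unset, and check the result against the namespace the Helm
# chart will actually be deployed into.

# Render the trust policy document to stdout.
# $1 = AWS account ID, $2 = OIDC provider (host/path without "https://"),
# $3 = namespace the Komiser Helm chart will be deployed into.
render_trust_policy() {
    account_id=$1
    oidc_provider=$2
    namespace=$3
    if [ -z "$account_id" ] || [ -z "$oidc_provider" ] || [ -z "$namespace" ]; then
        echo "render_trust_policy: ACCOUNT_ID, OIDC_PROVIDER and NAMESPACE must all be set" >&2
        return 1
    fi
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${oidc_provider}:aud": "sts.amazonaws.com",
          "${oidc_provider}:sub": "system:serviceaccount:${namespace}:komiser"
        }
      }
    }
  ]
}
EOF
}

# Verify a rendered trust.json before running "aws iam create-role".
# $1 = path to the file, $2 = namespace the chart will be deployed into.
# Returns 0 only if the aud condition is present, the sub condition names
# exactly the "komiser" service account in that namespace, and no wildcard
# has crept into the sub value (which would widen who may assume the role).
check_trust_policy() {
    file=$1
    namespace=$2
    if ! grep -q '"sts.amazonaws.com"' "$file"; then
        echo "check_trust_policy: aud condition missing" >&2
        return 1
    fi
    if grep -q ':sub": "[^"]*\*' "$file"; then
        echo "check_trust_policy: wildcard in sub condition" >&2
        return 1
    fi
    if ! grep -q "\"system:serviceaccount:${namespace}:komiser\"" "$file"; then
        echo "check_trust_policy: sub condition does not name namespace '${namespace}'" >&2
        return 1
    fi
    return 0
}

# Usage (constructed values; the OIDC provider below is a placeholder):
#   render_trust_policy 111122223333 oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID komiser > trust.json
#   check_trust_policy trust.json komiser && aws iam create-role --role-name my-iam-role \
#       --assume-role-policy-document file://trust.json --description "my-role-description"
```

The same check can be run against a role that already exists: `aws iam get-role --role-name my-iam-role --query Role.AssumeRolePolicyDocument --output json` returns the stored trust document, which can be written to a file and passed to `check_trust_policy` with the namespace you intend to use for `helm install`.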