This repository contains an AWS CloudFormation Custom Resource that creates an AWS IAM Role that is assumable by a Kubernetes Service Account. This role is known as an IRSA, or IAM Role for Service Account. This role can be associated with an Amazon EKS Cluster that you're creating in the same CloudFormation stack. Alternatively, the EKS Cluster can be created in a different stack and referenced by name.

For ease of implementation, this repository also contains a CDK Construct library you can import and use to easily create a Role. This is the quickest and most programmatic way to build the Role.

Alternatively, a SAM Template is available that you can use to deploy the Custom Resource Lambda Functions to your account and reference in your YAML or JSON CloudFormation templates.

Install the Construct Library into your TypeScript project as follows:

npm install amazon-eks-irsa-cfn

In your source code, import the Construct classes:

import { Role, OIDCIdentityProvider } from 'amazon-eks-irsa-cfn';

Then declare the Constructs in your CDK Stack or Construct. The Role class implements IRole and can be used anywhere an IRole is needed.

See also https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html for a list of additional properties that can be supplied when instantiating a Role.

const provider = new OIDCIdentityProvider(this, 'Provider', {
    clusterName: 'MyCluster'
});

const role = new Role(this, 'Role', {
    clusterName: 'MyCluster',
    serviceAccount: 'myServiceAccount',
    namespace: 'default',
    // All other properties available in an `aws-iam.Role` class are available
    // e.g. `path`, `maxSessionDuration`, `description`, etc.
});

There is a SAM Template located in the lambda-packages folder. It also properly associates the IAM Policies needed for the Lambda functions to execute properly.

To deploy it, you can run:

sam build
sam deploy

The Stack that is created by the Template exports the following values:

• EKSIRSARoleCreationFunction - Role creation Lambda function ARN
• OIDCIdentityProviderCreationFunction - OIDC identity provider creation Lambda function ARN

Once you've deployed the package, you can refer to the Lambda functions in your CloudFormation Stacks.

Here's an example Stack fragment that uses these functions to power Custom Resources:

Resources:
    MyIdentityProvider:
        Type: Custom::OIDCIdentityProvider
        Properties:
            ServiceToken: !ImportValue OIDCIdentityProviderCreationFunction
            ClusterName: MyCluster

    MyRole:
        Type: Custom::ServiceAccountRole
        Properties:
            ServiceToken: !ImportValue EKSIRSARoleCreationFunction
            ClusterName: MyCluster
            ServiceAccount: myServiceAccount
            # All other properties supported by AWS::IAM::Role can be
            # added here, like Description, Policies, etc.

This project is licensed under the Apache-2.0 License.