Create viewer IAM role for EKS and grant self assumeRole policy

Sage-Bionetworks-Workflows · May 31, 2024 · 2575e97 · 2575e97
1 parent 7f57cef
commit 2575e97
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/modules/sage-aws-eks/main.tf b/modules/sage-aws-eks/main.tf
@@ -17,6 +17,25 @@ resource "aws_iam_role" "admin_role" {
   tags = var.tags
 }
 
+resource "aws_iam_role" "viewer_role" {
+  name = "eks_viewer_role_${var.cluster_name}"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:sts::766808016710:assumed-role/AWSReservedSSO_Developer_92af2c086e7e7f38/[email protected]"
+        }
+        Action = "sts:AssumeRole"
+      },
+    ]
+  })
+
+  tags = var.tags
+}
+
 resource "aws_iam_role_policy_attachment" "admin_policy" {
   role       = aws_iam_role.admin_role.name
   policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
@@ -82,6 +101,19 @@ module "eks" {
         }
       }
     }
+    eks_viewer_role = {
+      kubernetes_groups = []
+      principal_arn     = aws_iam_role.viewer_role.arn
+
+      policy_associations = {
+        eks_admin_role = {
+          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
+          access_scope = {
+            type = "cluster"
+          }
+        }
+      }
+    }
     # https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html#access-policy-permissions
     # TODO: Additional roles that need to be created:
     # AmazonEKSAdminViewPolicy?