in lib/addons/velero/index.ts [178:228]
/**
 * Creates the Velero Kubernetes service account on the cluster and attaches a
 * customer managed IAM policy to the IAM role the cluster associates with it (IRSA).
 *
 * @param clusterInfo cluster the service account and policy are created on
 * @param id construct id; also used as the service account name
 * @param namespace Kubernetes namespace the service account is created in
 * @param s3Bucket backup store bucket whose ARNs scope the S3 statement
 * @returns the service account whose role now carries the Velero policy
 */
protected createServiceAccountWithIamRoles(clusterInfo: ClusterInfo, id: string, namespace: string, s3Bucket: s3.IBucket): ServiceAccount {
    // The cluster wires the service account to an IAM role; that role is what the
    // managed policy below is attached to.
    const serviceAccount = clusterInfo.cluster.addServiceAccount(id, {
        name: id,
        namespace
    });

    // EBS volume/snapshot permissions used by Velero for volume snapshots.
    // NOTE(review): the Describe* actions do not support resource-level permissions
    // and need "*", but CreateTags/CreateVolume/CreateSnapshot/DeleteSnapshot do
    // accept resource ARNs and tag conditions; confirm against Velero's documented
    // IAM requirements before narrowing this statement.
    const ebsSnapshotStatement = {
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeVolumes",
            "ec2:DescribeSnapshots",
            "ec2:CreateTags",
            "ec2:CreateVolume",
            "ec2:CreateSnapshot",
            "ec2:DeleteSnapshot"
        ],
        "Resource": "*"
    };

    // Object and bucket access scoped to the supplied backup bucket only: the
    // object-ARN wildcard covers the object actions, the bucket ARN covers ListBucket.
    const backupBucketStatement = {
        "Effect": "Allow",
        "Action": [
            "s3:GetObject",
            "s3:DeleteObject",
            "s3:PutObject",
            "s3:AbortMultipartUpload",
            "s3:ListMultipartUploadParts",
            "s3:ListBucket"
        ],
        "Resource": [
            s3Bucket.arnForObjects("*"),
            s3Bucket.bucketArn
        ]
    };

    const policyDocument = iam.PolicyDocument.fromJson({
        "Version": "2012-10-17",
        "Statement": [ebsSnapshotStatement, backupBucketStatement]
    });

    // Customer managed policy so the grant is visible and auditable as one unit in IAM.
    const managedPolicy = new iam.ManagedPolicy(clusterInfo.cluster, "velero-managed-policy", {
        document: policyDocument
    });
    serviceAccount.role.addManagedPolicy(managedPolicy);

    return serviceAccount;
}