in cdk/backend/backend_stack.py [0:0]
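def add_service_account(self, cluster, name, namespace):
    """
    Create an IRSA-enabled Kubernetes ServiceAccount that a Helm release can adopt.

    Workaround for charts that expect to own their ServiceAccount (the
    ``LBControllerPolicy`` id suggests the AWS Load Balancer Controller chart —
    confirm against the chart actually installed): the SA is created here with
    the ``meta.helm.sh/*`` annotations and the ``managed-by: Helm`` label so a
    later Helm release called ``name`` in ``namespace`` adopts it rather than
    failing on an already-existing resource.

    Security notes:
      * The role's trust policy uses ``StringEquals`` on both the OIDC ``aud``
        (``sts.amazonaws.com``) and ``sub``
        (``system:serviceaccount:<namespace>:<name>``) claims, so only this
        exact ServiceAccount in this cluster can assume it. Keep both
        conditions — dropping ``sub`` would let any SA in the cluster assume
        the role.
      * The permissions granted are exactly the statements in
        ``backend/iam_policy.json``; that file is the blast radius of the role
        and should be reviewed for least privilege.

    Args:
        cluster: the EKS cluster whose OIDC provider the role trusts.
        name: ServiceAccount name; also used as the Helm release name.
        namespace: Kubernetes namespace of the ServiceAccount.

    Returns:
        The ``eks.KubernetesManifest`` that applies the ServiceAccount.

    Raises:
        OSError if the policy file cannot be opened, ``json.JSONDecodeError``
        if it is not valid JSON, KeyError if it has no ``Statement`` key.

    NOTE(review): the construct ids ('ConditionJson', 'ServiceAccountRole',
    'LBControllerPolicy', 'ServiceAccount') are fixed, so calling this twice in
    one stack fails with a duplicate-construct error. They are deliberately
    left unchanged: renaming them would replace the deployed IAM role (new
    ARN), and pods already injected with the old ARN would lose access.
    """
    issuer = cluster.cluster_open_id_connect_issuer
    # CfnJson because the condition keys embed the issuer, which is only
    # resolved at deploy time (a CloudFormation token).
    conditions = core.CfnJson(
        self,
        'ConditionJson',
        value={
            f"{issuer}:aud": "sts.amazonaws.com",
            f"{issuer}:sub": f"system:serviceaccount:{namespace}:{name}",
        },
    )
    principal = iam.OpenIdConnectPrincipal(
        cluster.open_id_connect_provider
    ).with_conditions({"StringEquals": conditions})
    role = iam.Role(self, 'ServiceAccountRole', assumed_by=principal)

    # Path is relative to the process working directory (the cdk/ app
    # folder), not to this module — run the CDK CLI from there.
    with open('backend/iam_policy.json', encoding='utf-8') as f:
        data = json.load(f)
    statements = [iam.PolicyStatement.from_json(s) for s in data["Statement"]]
    policy = iam.Policy(self, "LBControllerPolicy", statements=statements)
    policy.attach_to_role(role)

    return eks.KubernetesManifest(
        self,
        "ServiceAccount",
        cluster=cluster,
        manifest=[{
            "apiVersion": "v1",
            "kind": "ServiceAccount",
            "metadata": {
                "name": name,
                "namespace": namespace,
                "labels": {
                    "app.kubernetes.io/name": name,
                    # This label plus the meta.helm.sh annotations below are
                    # what lets Helm adopt a pre-existing resource.
                    "app.kubernetes.io/managed-by": "Helm",
                },
                "annotations": {
                    # IRSA binding: EKS injects the role into pods using this
                    # SA based on this annotation.
                    "eks.amazonaws.com/role-arn": role.role_arn,
                    "meta.helm.sh/release-name": name,
                    "meta.helm.sh/release-namespace": namespace,
                },
            },
        }],
    )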