in projects/enable-irsa/src/main.py [0:0]
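def create_trust_policy(Account: str, OidcUrl: str):
    """Build an IAM trust policy that lets one Kubernetes service account assume a role via IRSA.

    Args:
        Account: The AWS account id that owns the IAM OIDC provider.
        OidcUrl: The cluster's OIDC issuer URL; a leading ``https://`` is removed
            because the provider ARN and the condition keys use the bare host/path.

    Returns:
        A dict in IAM policy-document form allowing ``sts:AssumeRoleWithWebIdentity``
        from the provider, restricted to the ``sts.amazonaws.com`` audience and the
        ``kube-system:aws-node`` service account subject.
    """
    # TODO(jicowan@amazon.com) Append trust policy for re-use with multiple clusters
    # Strip the scheme as a prefix, not as a character set: str.lstrip('https://')
    # would also eat any leading 'h', 't', 'p', 's', ':' or '/' from the host itself
    # (e.g. "sts.example.com" -> ".example.com"), producing a wrong provider ARN.
    scheme = "https://"
    if OidcUrl.startswith(scheme):
        OidcUrl = OidcUrl[len(scheme):]
    # The ':sub' condition is what scopes the trust to a single service account;
    # without it, any pod in the cluster presenting a token from this issuer could
    # assume the role. The ':aud' condition pins the intended token audience.
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::" + Account + ":oidc-provider/" + OidcUrl
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        OidcUrl + ":aud": "sts.amazonaws.com",
                        OidcUrl + ":sub": "system:serviceaccount:kube-system:aws-node"
                    }
                }
            }
        ]
    }
    return trust_policy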