example/hybrid-ira-cfn.yaml (98 lines of code) (raw):

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Create the IAM Roles Anywhere resources required for EKS Hybrid Nodes and the EKS Hybrid Nodes IAM role'

Metadata:
  Version:
    Number: "v0.0.5"

Parameters:
  RoleName:
    Type: String
    Description: The role name for the EKS Hybrid Nodes IAM role
    Default: 'AmazonEKSHybridNodesRole'
  CertAttributeTrustPolicy:
    Type: String
    Description: The certificate attribute to use in the condition for the IAM Roles Anywhere AssumeRole action.
    Default: '${aws:PrincipalTag/x509Subject/CN}'
    AllowedValues:
      - '${aws:PrincipalTag/x509Subject/CN}'
      - '${aws:PrincipalTag/x509SAN/Name/CN}'
  CABundleCert:
    Type: String
    Description: The PEM formatted CA certificate body

Resources:
  # Trust anchor: the CA whose end-entity certificates IAM Roles Anywhere accepts
  IAMRATrustAnchor:
    Type: AWS::RolesAnywhere::TrustAnchor
    Properties:
      Enabled: true
      Name: !Sub '${AWS::StackName}-iamra-trust-anchor'
      Source:
        SourceType: CERTIFICATE_BUNDLE
        SourceData:
          X509CertificateData: !Ref CABundleCert

  # Profile: the role(s) a certificate validated by the trust anchor may assume
  IAMRAProfile:
    Type: AWS::RolesAnywhere::Profile
    DependsOn: EKSHybridNodesRole
    Properties:
      Enabled: true
      Name: !Sub '${AWS::StackName}-iamra-profile'
      RoleArns:
        - !GetAtt EKSHybridNodesRole.Arn
      AcceptRoleSessionName: true

  EKSHybridNodesRole:
    Type: AWS::IAM::Role
    DependsOn: IAMRATrustAnchor
    Properties:
      RoleName: !Ref RoleName
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly
      Policies:
        - PolicyName: EKSDescribeCluster
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'eks:DescribeCluster'
                Resource: '*'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Session tagging and source identity are allowed only via this stack's trust anchor
          - Effect: Allow
            Principal:
              Service:
                - rolesanywhere.amazonaws.com
            Action:
              - 'sts:TagSession'
              - 'sts:SetSourceIdentity'
            Condition:
              ArnEquals:
                'aws:SourceArn': !GetAtt IAMRATrustAnchor.TrustAnchorArn
          # AssumeRole requires the session name to equal the selected certificate attribute
          - Effect: Allow
            Principal:
              Service:
                - rolesanywhere.amazonaws.com
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:RoleSessionName': !Ref CertAttributeTrustPolicy

Outputs:
  EKSHybridNodesRole:
    Description: EKS Hybrid Nodes IAM role
    Value: !Ref EKSHybridNodesRole
    Export:
      Name: EKSHybridNodesRole
  EKSHybridNodesRoleARN:
    Description: ARN of the EKS Hybrid Nodes IAM role
    Value: !GetAtt EKSHybridNodesRole.Arn
    Export:
      Name: EKSHybridNodesRoleARN
  IAMRATrustAnchorARN:
    Description: ARN of the IAM Roles Anywhere trust anchor
    Value: !GetAtt IAMRATrustAnchor.TrustAnchorArn
    Export:
      Name: IRATrustAnchorARN
  IAMRAProfileARN:
    Description: ARN of the IAM Roles Anywhere profile
    Value: !GetAtt IAMRAProfile.ProfileArn
    Export:
      Name: IAMRAProfileARN
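An added review check, not part of the template or its project: it walks the role's trust policy (here as CloudFormation would render it once `!GetAtt IAMRATrustAnchor.TrustAnchorArn` is resolved, with a placeholder trust anchor ARN) and lists the statements granted to `rolesanywhere.amazonaws.com` that carry no `aws:SourceArn` / `aws:SourceAccount` condition, which AWS recommends pinning on Roles Anywhere trust policies. On the template above it reports the `sts:AssumeRole` statement, whose only condition is the `sts:RoleSessionName` match.

```python
# Constructed for this example: the EKSHybridNodesRole trust policy from the
# template above in rendered form. The trust anchor ARN is a placeholder.
TRUST_ANCHOR_ARN = "arn:aws:rolesanywhere:us-west-2:111122223333:trust-anchor/PLACEHOLDER"

RENDERED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": ["rolesanywhere.amazonaws.com"]},
            "Action": ["sts:TagSession", "sts:SetSourceIdentity"],
            "Condition": {"ArnEquals": {"aws:SourceArn": TRUST_ANCHOR_ARN}},
        },
        {
            "Effect": "Allow",
            "Principal": {"Service": ["rolesanywhere.amazonaws.com"]},
            "Action": ["sts:AssumeRole"],
            "Condition": {"StringEquals": {"sts:RoleSessionName": "${aws:PrincipalTag/x509Subject/CN}"}},
        },
    ],
}

SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def _as_list(value):
    # IAM allows scalars or lists for Statement, Service and Action.
    return value if isinstance(value, list) else [value]


def _pins_source(condition):
    # True if any operator block (ArnEquals, StringEquals, ...) constrains the caller's source.
    return any(k.lower() in SOURCE_KEYS for keys in condition.values() for k in keys)


def unpinned_roles_anywhere_statements(policy):
    """Return, per unpinned Allow statement for rolesanywhere.amazonaws.com, its sorted actions."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "rolesanywhere.amazonaws.com" not in services:
            continue
        if not _pins_source(stmt.get("Condition", {})):
            findings.append(sorted(_as_list(stmt.get("Action", []))))
    return findings


if __name__ == "__main__":
    for actions in unpinned_roles_anywhere_statements(RENDERED_TRUST_POLICY):
        print("not pinned to the trust anchor:", ", ".join(actions))
```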