Class: KubesAws::IamRole
- Inherits:
-
Object
- Extended by:
- Memoist
- Includes:
- Prebaked, Logging, Services
- Defined in:
- lib/kubes_aws/iam_role.rb,
lib/kubes_aws/iam_role/prebaked.rb
Defined Under Namespace
Modules: Prebaked
Instance Attribute Summary
Instance Method Summary
-
#add_inline_policies ⇒ Object
-
#add_mananged_policies ⇒ Object
-
#arn ⇒ Object
public method to keep: arn.
-
#aws ⇒ Object
-
#aws_account ⇒ Object
public method to keep: aws_account.
-
#call ⇒ Object
-
#create_iam_role ⇒ Object
-
#create_open_id_connect_provider ⇒ Object
-
#initialize(app:, cluster:, namespace: nil, managed_policies: [], inline_policies: [], role_name: nil, ksa: nil) ⇒ IamRole
constructor
A new instance of IamRole.
-
#issuer_url ⇒ Object
-
#normalize_inline_policy(policy) ⇒ Object
resp = client.put_role_policy( policy_document: "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"*\"}}", policy_name: "S3AccessPolicy", role_name: "S3Access", ).
-
#normalize_managed_policy(policy) ⇒ Object
AmazonS3ReadOnlyAccess => arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess.
-
#role_exist? ⇒ Boolean
-
#trust_policy ⇒ Object
Methods included from Prebaked
#prebaked_policies, #secrets_read_only
Methods included from Logging
#logger
Methods included from Services
#eks, #iam, #secrets, #ssm
Constructor Details
#initialize(app:, cluster:, namespace: nil, managed_policies: [], inline_policies: [], role_name: nil, ksa: nil) ⇒ IamRole
# File 'lib/kubes_aws/iam_role.rb', line 14
# Describes an IAM role that one Kubernetes service account is allowed to
# assume through the cluster's OIDC provider.
#
# @param app [String] application name; also the default service account name
# @param cluster [String] EKS cluster name, used to look up the OIDC issuer
# @param namespace [String, nil] Kubernetes namespace, defaults to "<app>-<Kubes.env>"
# @param managed_policies [Array] managed policy names or ARNs to attach
# @param inline_policies [Array] inline policies (prebaked keys or put_role_policy params)
# @param role_name [String, nil] IAM role name, defaults to "<app>-<Kubes.env>"
# @param ksa [String, nil] Kubernetes service account name, defaults to +app+
def initialize(app:, cluster:, namespace: nil, managed_policies: [], inline_policies: [], role_name: nil, ksa: nil)
  @app = app
  @cluster = cluster
  @managed_policies = managed_policies
  @inline_policies = inline_policies
  # The service account defaults to the app name.
  @ksa = ksa || @app
  # Namespace and role name both default to "<app>-<env>"; Kubes.env is only
  # consulted when a default is actually needed.
  @namespace = namespace || "#{@app}-#{Kubes.env}"
  @role_name = role_name || "#{@app}-#{Kubes.env}"
end
Instance Attribute Details
#role_name ⇒ Object
public method to keep: role_name
# File 'lib/kubes_aws/iam_role.rb', line 13
# @return [String] the IAM role name resolved in the constructor (explicit
#   +role_name:+ or the "<app>-<env>" default); also used by #arn
def role_name
@role_name
end
Instance Method Details
#add_inline_policies ⇒ Object
# File 'lib/kubes_aws/iam_role.rb', line 30
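# Attaches every entry of +@inline_policies+ to the role with put_role_policy.
# Each entry is first passed through #normalize_inline_policy, which resolves
# prebaked keys, serializes Hash documents and forces +role_name+ to this role.
#
# @return [Array] +@inline_policies+ (the Array#each receiver)
def add_inline_policies
  @inline_policies.each do |policy|
    iam.put_role_policy(normalize_inline_policy(policy))
  end
  # Mirrors the debug log in add_mananged_policies so both attach paths are traceable.
  logger.debug "Inline IAM Policies added to #{@role_name}"
  @inline_policies
end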
#add_mananged_policies ⇒ Object
# File 'lib/kubes_aws/iam_role.rb', line 66
# Attaches each entry of +@managed_policies+ to the role. Bare names are
# expanded to AWS-managed policy ARNs by #normalize_managed_policy; values that
# already contain "arn:" pass through unchanged.
#
# NOTE: the method name keeps its historical misspelling ("mananged") because
# #call and external callers reference it under that name.
#
# @return the result of the trailing logger.debug call
def add_mananged_policies
  @managed_policies.each do |managed|
    iam.attach_role_policy(role_name: @role_name, policy_arn: normalize_managed_policy(managed))
  end
  logger.debug "IAM Policies added to #{@role_name}"
end
#arn ⇒ Object
public method to keep: arn
# File 'lib/kubes_aws/iam_role.rb', line 94
# Builds the ARN of this role from the current account id.
#
# NOTE(review): the "aws" partition is hard-coded here, so the ARN is wrong in
# other partitions (aws-us-gov, aws-cn) — confirm if those are in scope.
#
# @return [String] "arn:aws:iam::<account>:role/<role_name>"
def arn
  format("arn:aws:iam::%s:role/%s", aws_account, @role_name)
end
#aws ⇒ Object
# File 'lib/kubes_aws/iam_role.rb', line 133
# Returns an AwsData helper; #aws_account reads the account id from it.
# Each call constructs a new AwsData unless the class memoizes this method
# elsewhere (Memoist is extended, but no memoize call is visible here).
def aws
AwsData.new
end
#aws_account ⇒ Object
public method to keep: aws_account
# File 'lib/kubes_aws/iam_role.rb', line 99
# The AWS account id used in #arn and in the OIDC provider ARN of #trust_policy.
#
# @return the value of AwsData#account for the current credentials
def aws_account
aws.account
end
#call ⇒ Object
# File 'lib/kubes_aws/iam_role.rb', line 23
# Provisions the role end to end. Order matters: the OIDC provider is created
# first because the trust policy used by #create_iam_role references the
# provider ARN; policies are attached only after the role exists.
#
# @return the result of #add_inline_policies
def call
create_open_id_connect_provider
create_iam_role
add_mananged_policies
add_inline_policies
end
#create_iam_role ⇒ Object
# File 'lib/kubes_aws/iam_role.rb', line 57
# Creates the IAM role with the OIDC trust policy from #trust_policy.
# A no-op when #role_exist? reports the role already exists, so an existing
# role's trust policy is never rewritten by this method.
#
# @return [nil] when the role already exists, otherwise the logger.debug result
def create_iam_role
  return if role_exist?

  params = {
    role_name: @role_name,
    assume_role_policy_document: trust_policy,
  }
  iam.create_role(**params)
  logger.debug "Created IAM Role #{@role_name}"
end
#create_open_id_connect_provider ⇒ Object
# File 'lib/kubes_aws/iam_role.rb', line 52
# Registers the cluster's OIDC issuer as an IAM identity provider (delegated to
# OpenId#create_provider), which the trust policy later refers to by ARN.
#
# @return the result of OpenId#create_provider
def create_open_id_connect_provider
  OpenId.new(@cluster).create_provider
end
#issuer_url ⇒ Object
# File 'lib/kubes_aws/iam_role.rb', line 127
# Looks up the cluster's OIDC issuer URL via eks.describe_cluster. Called on
# every invocation; no caching is done in this method.
#
# @return [String] the issuer URL (with scheme) from the cluster identity
def issuer_url
  eks.describe_cluster(name: @cluster).cluster.identity.oidc.issuer
end
#normalize_inline_policy(policy) ⇒ Object
resp = client.put_role_policy(
policy_document: "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"*\"}}",
policy_name: "S3AccessPolicy",
role_name: "S3Access",
)
# File 'lib/kubes_aws/iam_role.rb', line 42
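# Turns an inline policy spec into put_role_policy parameters for this role.
#
# +policy+ is either a key into #prebaked_policies (a canned policy) or a Hash
# of put_role_policy params. A Hash +:policy_document+ is serialized with JSON;
# a String document is passed through untouched.
#
# The spec is duplicated before +:policy_document+ and +:role_name+ are set, so
# neither the caller's Hash nor a (possibly memoized) prebaked policy is mutated
# and reused across roles.
#
# @param policy [Symbol, String, Hash] prebaked policy key or put_role_policy params
# @return [Hash] params for iam.put_role_policy with +role_name+ forced to this role
# @raise [ArgumentError] when +policy+ is neither a Hash nor a known prebaked key
def normalize_inline_policy(policy)
  spec = prebaked_policies[policy] || policy
  unless spec.is_a?(Hash)
    raise ArgumentError, "unknown inline policy #{policy.inspect}: expected a prebaked policy name or a Hash"
  end

  params = spec.dup
  document = params[:policy_document]
  params[:policy_document] = JSON.dump(document) if document.is_a?(Hash)
  params[:role_name] = @role_name
  params
end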
#normalize_managed_policy(policy) ⇒ Object
AmazonS3ReadOnlyAccess => arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
# File 'lib/kubes_aws/iam_role.rb', line 78
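# Expands a managed policy name into a policy ARN.
#
#   AmazonS3ReadOnlyAccess => arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
#
# Anything that already starts with "arn:" (customer-managed policies, other
# partitions) is returned unchanged. The check is anchored to the start of the
# string instead of matching "arn:" anywhere in the name, and Symbols are
# accepted alongside Strings.
#
# NOTE(review): the expansion hard-codes the "aws" partition, so bare names
# resolve to a non-existent ARN in aws-us-gov or aws-cn; pass a full ARN there.
#
# @param policy [String, Symbol] managed policy name or full policy ARN
# @return [String] the policy ARN to attach
def normalize_managed_policy(policy)
  name = policy.to_s
  return name if name.start_with?("arn:")

  "arn:aws:iam::aws:policy/#{name}"
end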
#role_exist? ⇒ Boolean
# File 'lib/kubes_aws/iam_role.rb', line 86
# Whether the IAM role already exists, determined by a get_role call.
# Only NoSuchEntity is treated as "missing"; any other error (access denied,
# throttling, network) propagates to the caller instead of being read as
# "does not exist", so #create_iam_role never masks such failures.
#
# @return [Boolean]
def role_exist?
  begin
    iam.get_role(role_name: @role_name)
  rescue Aws::IAM::Errors::NoSuchEntity
    return false
  end
  true
end
#trust_policy ⇒ Object
# File 'lib/kubes_aws/iam_role.rb', line 103
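# Builds the role's trust policy: the cluster's OIDC provider may call
# sts:AssumeRoleWithWebIdentity, restricted to the single Kubernetes service
# account "<namespace>:<ksa>" through the "<issuer_host>:sub" condition.
#
# The document is assembled as a Hash and serialized with JSON rather than
# interpolated into a hand-written JSON string, so the issuer host, namespace
# and service account are always correctly quoted.
#
# NOTE(review): the condition only pins +:sub+. IAM's guidance for web-identity
# trust policies is to also pin the token audience with an "<issuer_host>:aud"
# StringEquals condition; confirm the audience the projected service account
# tokens carry before adding it.
#
# @return [String] JSON policy document for +assume_role_policy_document+
def trust_policy
  # Strip only a leading scheme; the remainder (host plus any path) is the
  # provider id used in the OIDC provider ARN and in condition keys.
  issuer_host = issuer_url.sub(%r{\Ahttps://}, '')
  provider_arn = "arn:aws:iam::#{aws_account}:oidc-provider/#{issuer_host}"
  document = {
    "Version" => "2012-10-17",
    "Statement" => [
      {
        "Effect" => "Allow",
        "Principal" => { "Federated" => provider_arn },
        "Action" => "sts:AssumeRoleWithWebIdentity",
        "Condition" => {
          "StringEquals" => {
            "#{issuer_host}:sub" => "system:serviceaccount:#{@namespace}:#{@ksa}"
          }
        }
      }
    ]
  }
  JSON.pretty_generate(document)
end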