make IAM roles trust the production EKS Service Principal

eksctl-io · Nov 27, 2023 · cc6a35a · cc6a35a
1 parent 9fbbcfd
commit cc6a35a
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 5 deletions.
diff --git a/integration/tests/pod_identity_associations/pod_identity_associations_test.go b/integration/tests/pod_identity_associations/pod_identity_associations_test.go
@@ -7,6 +7,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"fmt"
 	"testing"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
@@ -420,14 +421,14 @@ var (
 		return cfg
 	}
 
-	trustPolicy = aws.String(`{
+	trustPolicy = aws.String(fmt.Sprintf(`{
 		"Version": "2012-10-17",
 		"Statement": [
 		  {
 			"Effect": "Allow",
 			"Principal": {
 			  "Service": [
-				"beta.pods.eks.aws.internal"
+				"%s"
 			  ]
 			},
 			"Action": [
@@ -436,7 +437,7 @@ var (
 			]
 		  }
 		]
-	  }`)
+	  }`, api.EKSServicePrincipal))
 
 	permissionPolicy = api.InlineDocument{
 		"Version": "2012-10-17",

diff --git a/pkg/apis/eksctl.io/v1alpha5/iam.go b/pkg/apis/eksctl.io/v1alpha5/iam.go
@@ -10,6 +10,7 @@ import (
 // Commonly-used constants
 const (
 	AnnotationEKSRoleARN = "eks.amazonaws.com/role-arn"
+	EKSServicePrincipal  = "pods.eks.amazonaws.com"
 )
 
 // ClusterIAM holds all IAM attributes of a cluster

diff --git a/pkg/cfn/template/iam_helpers.go b/pkg/cfn/template/iam_helpers.go
@@ -1,6 +1,9 @@
 package template
 
-import gfn "github.com/weaveworks/goformation/v4/cloudformation/types"
+import (
+	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
+	gfn "github.com/weaveworks/goformation/v4/cloudformation/types"
+)
 
 // AttachPolicy attaches the specified policy document
 func (t *Template) AttachPolicy(name string, refRole *Value, policyDoc MapOfInterfaces) {
@@ -63,7 +66,7 @@ func MakeAssumeRolePolicyDocumentForPodIdentity() MapOfInterfaces {
 			"sts:TagSession",
 		},
 		"Principal": map[string]string{
-			"Service": "beta.pods.eks.aws.internal",
+			"Service": api.EKSServicePrincipal,
 		},
 	})
 }