I have a service account, and it needs access to multiple AWS services. Is there any way we could specify multiple roles in the annotations, or are we expected to create a generic role and give it access to all the required services?

Is the below not supported?

ChatGPT says,

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/my-role-1
    eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/my-role-2
```

enthusiast
  • [Please do not upload images of code/data/errors.](//meta.stackoverflow.com/q/285551) You can't use PNG files as Kubernetes configuration at all; can you edit the question to include plain-text YAML instead? – David Maze Mar 14 '23 at 11:03
  • Just in general, I don't think you're ever allowed to have multiple AWS IAM roles; I think you can only attach one role to an EC2 instance, for example, and if you use the Amazon APIs to switch roles, the new credentials have only the new role in them. – David Maze Mar 14 '23 at 11:05

1 Answer

Yes, it's not supported the way you have shown.

Example of what is supported:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/xxxx
```

Your option is to use 1 IAM role ARN like above, with multiple IAM policies attached. I don't think it's hard to add multiple policies to a role.

kholisrag
  • It's possible to attach multiple policies to a role. But our idea is least privilege, reusability and granularity. In that case, we maintain different roles. As per our standards, we don't create custom roles per requirement. So we have two roles that satisfy the requirement. ChatGPT says this is an option (updated question), which I don't think is possible because of the duplicate keys. – enthusiast Mar 22 '23 at 05:55
  • Yes, I believe it's not possible too. Well, hard fact though, that we need to maintain 1 role per serviceaccount with one or more policies. – kholisrag Mar 23 '23 at 08:25
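
The manifest quoted from ChatGPT repeats the same annotation key. YAML mapping keys must be unique and an annotations map holds one value per key, so at most one of the two ARNs can take effect. The following is an added example (not code from the question or the answer) that flags repeated keys before a manifest is applied. It is a simplified, standard-library-only check that assumes a single YAML document made of plain block-style mappings like the ones on this page; `find_duplicate_keys` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# "key:" or "key: value" in block style; the key itself contains no colon.
KEY_LINE = re.compile(r"^( *)([^\s#:][^:]*?):(?: +(.*))?$")

# Constructed sample: the manifest from the question, with the repeated annotation.
SUGGESTED = """\
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/my-role-1
    eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/my-role-2
"""


def find_duplicate_keys(manifest):
    """Map each repeated key path (a tuple of keys) to every value written for it."""
    values = defaultdict(list)
    stack = []  # (indent, key) for each mapping that encloses the current line
    for raw in manifest.splitlines():
        m = KEY_LINE.match(raw.rstrip())
        if not m:  # blank line, comment, or a construct this check does not cover
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended above this line
        path = tuple(k for _, k in stack) + (key,)
        values[path].append(value)
        stack.append((indent, key))
    return {path: vals for path, vals in values.items() if len(vals) > 1}


if __name__ == "__main__":
    for path, vals in find_duplicate_keys(SUGGESTED).items():
        print("duplicate key", ".".join(path), "->", vals)
```

A manifest that passes this check carries a single `eks.amazonaws.com/role-arn` value, which matches the answer's approach of one role with the needed policies attached.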