This repo serves as a demo to accompany this blog post, which goes through the mapping process for tying an EKS ServiceAccount to an IAM Role. Whereas the first two sections of the blog post discuss some alternate ways to do it, and how that mapping is achieved in the AWS inner workings, this shows the recommended approach, which leverages OpenTofu to create the ServiceAccount and IAM Role in a repeatable, automated way.
Feel free to clone, fork, copy/paste as much as you want from this repo.
Make sure you have an AWS context set via the AWS CLI, and an active Kubernetes context set via kubectl.
- Change the variables in
./vars-files/dvelopment.tfvarsto match your EKS region and cluster. - Change the variable string values in
main.tffor theServiceAccountname and target namespace; alternatively, you can add those to./vars.tfand set them as top-level variables as well. - Run
tofu initto install providers and the demo module. - Run
tofu plan --var-file ./vars-files/development.tfvarsto see the resources that will be created. - Run
tofu apply --var-file ./vars-files/development.tfvarsto create the resources. - Run
tofu destroy --var-file ./vars-files/development.tfvarsto tear everything down.