AWS Policy Definition

< Workload Identities

The policy definition outlines the actions that the Kubernetes service account is allowed to undertake in AWS when running on an AWS EKS cluster, such as interacting with cloud services like DNS zones or cloud storage.

Add your policy in the YAML generated by wf init package or prepare it using the Web Interface. See the CLI instructions section for details where you selected 'yes' when asked if your workload identity required cloud access.

You have two options available when adding a policy:

• Attach the workload identity to one or more existing policies
• Define a custom policy for the workload identity

Web Interface Instructions

Steps

• Attach the workload identity to one or more existing policies:
  • Click the + Add ARNs button
  • Specify an AWS policy ARN without a region or account as per AWS documentation.
  • Repeat above for as many AWS IAM Policies as you need
  • Click the Continue button

• Define a custom policy for the workload identity:
  • Use the text editor to define a policy as per AWS documentation.
  • Use Wayfinder's Templating Language to make the policy specific for different environments or resources.
  • See example: AWS custom IAM policy template

info

• YAML and JSON policies are supported.
• YAML is simpler to use when templating ranges.

Screenshot(s):

• Attach the workload identity to one or more existing policies:

• Define a custom policy for the workload identity:

Properties

• Attach the workload identity to one or more existing policies:

Field	Description
Attach the workload to existing policies	The AWS policy ARN that you want to attach to the workload identity. - Specify without a region or account as per AWS documentation. - Example: arn:aws:iam::aws:policy/AmazonPrometheusQueryAccess

• Define a custom policy for the workload identity:

Field	Description
Policy Definition	The YAML of the custom policy definition. See example template for reference.

What comes next?

If the package requires cloud access to other Providers, then you need to configure the corresponding Policy Definition(s):

• Azure Policy Definition
• GCP Policy Definition

If your package doesn't require further cloud access configuration:

• Provide the configuration for the package

Related Reading

• Learn how to use Wayfinder's System Variables

Examples

AWS custom IAM policy template

Version: "2012-10-17"
Statement:
{{- if .Cluster.DNSZones }}
- Sid: "AllowRoute53ChangeResourceRecordSets"
  Effect: "Allow"
  Action:
  - "route53:ChangeResourceRecordSets"
  Resource:
  {{- range .Cluster.DNSZones }}
  {{- if .AWS }}
  - "arn:aws:route53:::{{ trimPrefix "/" .ZoneID }}"
  {{- end }}
  {{- end }}
{{- end }}
# must always have a valid role for the workload identity to work
- Sid: "AllowRoute53List"
  Effect: "Allow"
  Action:
  - "route53:GetChange"
  - "route53:ListHostedZones"
  - "route53:ListResourceRecordSets"
  - "route53:ListHostedZonesByName"
  Resource:
  - "*"