Panfactum LogoPanfactum
Infrastructure ModulesSubmodulesKuberneteskube_sa_auth_workflow
kube_sa_auth_workflow
Beta
Submodule
Source Code Link

Argo Workflow Authorization for Kubernetes Service Account

Provides a Kubernetes Service Account the necessary permissions to run an Argo Workflow Pod.

This includes:

  • Providing access to the correct Argo CRs
  • Providing access to the Argo artifact bucket

Providers

The following providers are needed by this module:

  • aws (5.80.0)

  • kubectl (2.1.3)

  • kubernetes (2.34.0)

  • pf (0.0.5)

  • random (3.6.3)

Required Inputs

The following input variables are required:

service_account

Description: The name of the service account that should be able to assume the AWS permissions.

Type: string

service_account_namespace

Description: The namespace of the service account.

Type: string

Optional Inputs

The following input variables are optional (have default values):

annotate_service_account

Description: Whether or not to annotate the service account with the AWS role ARN

Type: bool

Default: true

extra_aws_permissions

Description: Extra JSON-encoded AWS permissions to assign to the workflow

Type: string

Default: "{}"

ip_allow_list

Description: A list of IPs that can use the service account token to authenticate with AWS API

Type: list(string)

Default: []

Outputs

The following outputs are exported:

policy_arn

Description: The ARN of the policy assigned to the role.

role_arn

Description: The ARN of the AWS role created for the service account.

role_name

Description: The name of the AWS role created for the service account.

service_account_annotations

Description: The annotations to apply to the service account

Usage

IP Whitelisting

By default, this module's IRSA authentication will only work when the service account token is presented from an IP address inside the cluster (this also includes the cluster's public NAT IPs).

This limits the usefulness of tokens that are extracted from the cluster by an attacker.

The underlying discovery mechanism for the whitelist defaults works by searching for resource tags assigned in the aws_vpc and aws_eks modules. If you need additional IPs or don't use those modules, you must manually specify those IPs via the ip_allow_list variable.