Argo Workflow Authorization for Kubernetes Service Account
Grants a Kubernetes Service Account the permissions needed to run an Argo Workflow Pod.
This includes:
- Access to the relevant Argo custom resources (CRs)
- Access to the Argo artifact bucket
Providers
The following providers are needed by this module:
- aws (5.80.0)
- kubectl (2.1.3)
- kubernetes (2.34.0)
- pf (0.0.5)
- random (3.6.3)
Required Inputs
The following input variables are required:
service_account
Description: The name of the Kubernetes service account that will assume the AWS role created by this module.
Type: string
service_account_namespace
Description: The namespace of the service account.
Type: string
Optional Inputs
The following input variables are optional (have default values):
annotate_service_account
Description: Whether or not to annotate the service account with the AWS role ARN
Type: bool
Default: true
extra_aws_permissions
Description: Extra AWS permissions to attach to the workflow's role, supplied as a JSON-encoded IAM policy document
Type: string
Default: "{}"
ip_allow_list
Description: A list of IP addresses from which the service account token may be used to authenticate to the AWS API
Type: list(string)
Default: []
Outputs
The following outputs are exported:
policy_arn
Description: The ARN of the policy assigned to the role.
role_arn
Description: The ARN of the AWS role created for the service account.
role_name
Description: The name of the AWS role created for the service account.
service_account_annotations
Description: The annotations to apply to the service account (useful when annotate_service_account is false and you manage the service account yourself)
Usage
IP Whitelisting
By default, this module's IRSA authentication only succeeds when the service account token is presented from an IP address inside the cluster (this includes the cluster's public NAT IPs). This limits the usefulness of a token that an attacker has extracted from the cluster: it cannot be exchanged for AWS credentials from anywhere else.
The default allow list is discovered by searching for resource tags assigned in the aws_vpc and aws_eks modules. If you need additional IPs, or you do not use those modules, you must specify the IPs manually via the ip_allow_list variable.
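The following is an added usage example, not part of the module's own documentation. It wires together the documented inputs and outputs: the service account identity, a manually managed IRSA annotation taken from the service_account_annotations output, an extra least-privilege IAM statement, and an ip_allow_list entry for a host outside the cluster. The module source path, the service account name and namespace, the CI runner address 203.0.113.10, the AWS account ID and region, and the SSM parameter path are all assumptions made for illustration.

```hcl
# Added example; not the module's own code.
# Assumptions: the module is vendored at "./kube_argo_workflow_sa", the workflows
# run in namespace "argo-workflows" as service account "etl-runner", a CI runner at
# 203.0.113.10 must also be able to use the token, and the SSM parameter path,
# account ID (123456789012) and region (us-east-1) are placeholders.

module "etl_workflow_sa" {
  source = "./kube_argo_workflow_sa" # assumed path

  service_account           = "etl-runner"
  service_account_namespace = "argo-workflows"

  # We create and annotate the service account ourselves below, so the module
  # must not patch it.
  annotate_service_account = false

  # Hosts outside the cluster that are allowed to exchange the SA token for AWS
  # credentials. Everything not listed here (and not inside the cluster) is
  # denied, which is what makes a stolen token useless off-cluster.
  ip_allow_list = ["203.0.113.10"]

  # Extra permissions beyond the Argo CRs and artifact bucket, scoped to a
  # single parameter path rather than ssm:* on "*".
  extra_aws_permissions = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "ReadEtlParameters"
        Effect   = "Allow"
        Action   = ["ssm:GetParameter", "ssm:GetParametersByPath"]
        Resource = "arn:aws:ssm:us-east-1:123456789012:parameter/argo/etl/*"
      }
    ]
  })
}

# The service account the workflow pods run as. The IRSA annotation comes from
# the module output, so the role ARN is never hard-coded here.
resource "kubernetes_service_account" "etl_runner" {
  metadata {
    name        = "etl-runner"
    namespace   = "argo-workflows"
    annotations = module.etl_workflow_sa.service_account_annotations
  }
}

output "etl_workflow_role_arn" {
  description = "Role assumed by the etl-runner workflow pods"
  value       = module.etl_workflow_sa.role_arn
}
```

After applying, verify the restriction rather than trusting it: project a token for `etl-runner`, copy it to a machine that is neither in the cluster nor on the allow list, and attempt the web-identity exchange that IRSA uses (STS AssumeRoleWithWebIdentity) with the role ARN from the output; it should be denied, while the same exchange from 203.0.113.10 or from a pod in the cluster succeeds.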