[aws-eks] with IRSA(IAM Roles for Service Accounts) support

[pahud]

🚀 Feature Request

General Information

• 👋 I may be able to implement this feature request

• ⚠️ This feature might incur a breaking change

Description

AWS just announced the IRSA(IAM Roles for Service Accounts) support for Amazon EKS as well as DIY Kubernetes on AWS.
https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

It would be great if we can optionally specify the pod role as a property for the aws-eks/lib/k8s-resource to simplify the heavy-lifting.

Proposed Solution

Environment

• CDK CLI Version: 1.6.1
• Module Version: 1.6.1
• OS: all
• Language: all

Other information

[NGL321]

Hey @pahud,

It looks like Cloudformation doesnt yet support IRSA. Lets keep this issue on the backburner until they add support!

😸

[arhea]

I think most of this should be possible. The issue is getting the OIDC provider URL. To @NGL321's point, once Cloudformation supports the OIDC provider URL, I think this can happen.

aws eks describe-cluster --name irptes --query cluster.identity.oidc.issuer --output text

[hlascelles]

Our blog post on this can give guidance for how to do this with a lambda. Could be used as a crib. I think it relates to #5388 too.

https://bambooengineering.io/configuring-eks-for-iam-oidc-using-cloudformation/