OIDC Provider ARN not accepted as Federated Principal for iam-role-for-service-accounts-eks #202

@webdog

Description

When using this module paired with the EKS Module, I am passing the OIDC Provider ARN from the EKS module output module.eks.oidc_provider_arn to this module.

I am returning the following error from AWS:

│ Error: failed creating IAM Role (tutorialcluster): MalformedPolicyDocument: Federated principals must be valid domain names or SAML metadata ARNs
│       status code: 400, request id: 2a43ba14-04fb-4cfe-8192-14eb57df28fe
│ 
│   with module.iam_eks_role.aws_iam_role.this[0],
│   on .terraform/modules/iam_eks_role/modules/iam-role-for-service-accounts-eks/main.tf line 25, in resource "aws_iam_role" "this":
│   25: resource "aws_iam_role" "this" {
│ 
╵

It appears that in the dynamic statement block:

  dynamic "statement" {
    for_each = var.oidc_providers
    content {
      effect  = "Allow"
      actions = ["sts:AssumeRoleWithWebIdentity"]
      principals {
        type        = "Federated"
        identifiers = [statement.value.provider_arn]
      }
      condition {
        test     = "StringEquals"
        variable = "${replace(statement.value.provider_arn, "/^(.*provider/)/", "")}:sub"
        values   = [for sa in statement.value.namespace_service_accounts : "system:serviceaccount:${sa}"]
      }
    }
  }
} # closes the enclosing policy document data source in the module's main.tf

It is unpacking the OIDC Providers map and using the OIDC provider ARN to specify a federated principal. I'm not sure how to proceed, since this ARN is generated by the EKS module. (Line 13 in the above block)

Versions

  • Terraform: 1.1.5
  • Provider(s):
    • registry.terraform.io/hashicorp/aws v3.74.0
    • registry.terraform.io/hashicorp/cloudinit v2.2.0
    • registry.terraform.io/hashicorp/hcp v0.22.0
    • registry.terraform.io/hashicorp/local v2.1.0
    • registry.terraform.io/hashicorp/null v3.1.0
    • registry.terraform.io/hashicorp/tls v3.1.0
  • Module: 4.13.2

Reproduction

Steps to reproduce the behavior:

Code Snippet to Reproduce

module "iam_eks_role" {
  source = "registry.terraform.io/terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  role_name = lower(var.cluster_info.name)

  oidc_providers = {
    one =  {
      provider_arn = module.eks.oidc_provider_arn
      namespace_service_accounts = [ "default:tutorial" ]
    }
  }
}

Expected behavior

It should accept the OIDC Provider ARN I assume?

Actual behavior

Error message above.

Terminal Output Screenshot(s)

See above.

Additional context

None. Thanks!
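The trust policy the module's dynamic block generates can be reproduced and checked outside Terraform. The example below is added here and is not part of the issue or of the terraform-aws-modules code; it assumes a constructed sample OIDC provider ARN and hypothetical helper names (`validate_provider_arn`, `issuer_from_arn`, `build_trust_policy`). It applies the same `replace(..., "/^(.*provider/)/", "")` transform as the module to derive the `:sub` condition key, scopes the condition to exact `system:serviceaccount:<namespace>:<name>` values, and rejects a Federated principal that is not shaped like an IAM OIDC provider ARN, which is the shape IAM requires before it will accept the role (a cluster ARN, an issuer URL or an empty string is refused with the MalformedPolicyDocument error quoted above).

```python
import json
import re

# Constructed sample value (not from the issue). An IAM OIDC provider ARN for
# an EKS cluster carries the issuer host after "oidc-provider/".
SAMPLE_PROVIDER_ARN = (
    "arn:aws:iam::123456789012:oidc-provider/"
    "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
)

# Shape of an IAM OIDC provider ARN: partition, 12-digit account, then
# "oidc-provider/<host>[/path...]".
OIDC_PROVIDER_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:iam::\d{12}:oidc-provider/[A-Za-z0-9.-]+(/[A-Za-z0-9._-]+)*$"
)


def validate_provider_arn(arn):
    """Return arn unchanged, or raise ValueError if it is not an IAM OIDC provider ARN.

    IAM accepts only OIDC provider ARNs (or SAML provider ARNs) as a
    'Federated' principal in a trust policy.
    """
    if not OIDC_PROVIDER_ARN_RE.match(arn or ""):
        raise ValueError(f"not an IAM OIDC provider ARN: {arn!r}")
    return arn


def issuer_from_arn(arn):
    """Strip everything up to and including 'provider/', as the module does."""
    return re.sub(r"^(.*provider/)", "", arn)


def build_trust_policy(oidc_providers):
    """Build the assume-role trust policy equivalent to the module's dynamic block.

    oidc_providers mirrors the module's input map:
      {"one": {"provider_arn": "...", "namespace_service_accounts": ["ns:sa"]}}
    """
    statements = []
    for name, cfg in oidc_providers.items():
        arn = validate_provider_arn(cfg["provider_arn"])
        subs = []
        for sa in cfg["namespace_service_accounts"]:
            # Require an exact "namespace:serviceaccount" pair; StringEquals
            # does not treat '*' as a wildcard, so anything else is a mistake.
            if sa.count(":") != 1 or not all(sa.split(":")):
                raise ValueError(f"{name}: expected 'namespace:serviceaccount', got {sa!r}")
            subs.append(f"system:serviceaccount:{sa}")
        statements.append({
            "Effect": "Allow",
            "Action": ["sts:AssumeRoleWithWebIdentity"],
            "Principal": {"Federated": arn},
            "Condition": {"StringEquals": {f"{issuer_from_arn(arn)}:sub": subs}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    policy = build_trust_policy({
        "one": {
            "provider_arn": SAMPLE_PROVIDER_ARN,
            "namespace_service_accounts": ["default:tutorial"],
        }
    })
    print(json.dumps(policy, indent=2))
```

Running the script prints the trust policy document; feeding it the value actually passed as `provider_arn` (for instance via `terraform console` or `terraform output`) shows immediately whether that value has the shape IAM expects for a Federated principal.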
