IRSA setup

# Variables the rest of the script depends on. ACCOUNT_ID must be set before the
# heredoc below: the unquoted heredoc expands ${ACCOUNT_ID} and ${PROJECT_NAME} when
# the file is written, so with ACCOUNT_ID unset the secret ARN silently becomes
# "arn:aws:secretsmanager:ap-southeast-1::secret:..." and the policy matches nothing.
PROJECT_NAME="nestjs-boilerplate"
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)

# Policy for the app's service account. ListSecrets only accepts Resource "*", and
# BatchGetSecretValue is additionally gated per secret by GetSecretValue, so reads are
# effectively limited to the ${PROJECT_NAME}/production/ prefix. The trailing "*" on the
# secret ARN is required because Secrets Manager appends a random suffix to every secret.
cat << EOF > $PROJECT_NAME-access-asm.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:BatchGetSecretValue",
                "secretsmanager:ListSecrets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:ap-southeast-1:${ACCOUNT_ID}:secret:${PROJECT_NAME}/production/*"
            ]
        }
    ]
}
EOF

# --output json so jq can parse the response whatever the CLI's configured default format is.
# Re-running this step fails with EntityAlreadyExists once the policy exists.
aws iam create-policy --policy-name ${PROJECT_NAME}-prod-policy \
    --policy-document file://$PROJECT_NAME-access-asm.json \
    --output json > $PROJECT_NAME-policy.json

policyArn=$(jq -r '.Policy.Arn' $PROJECT_NAME-policy.json)
echo $policyArn

# Creates an IAM role whose trust policy is pinned to this namespace/service-account pair
# via the cluster's OIDC provider, attaches the policy above, and creates (or overwrites)
# the Kubernetes ServiceAccount with the eks.amazonaws.com/role-arn annotation.
eksctl create iamserviceaccount \
    --name ${PROJECT_NAME}-prod-service-account \
    --namespace ${PROJECT_NAME} \
    --cluster main \
    --attach-policy-arn ${policyArn} \
    --approve \
    --override-existing-serviceaccounts

TODO: in the IRSA internals deep-dive, add how to find out from the CLI what the service account is mapped to.
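The mapping the note above asks about can be read back from the cluster and from IAM: the ServiceAccount annotation names the role, the role's attached policies say what it may do, and the role's trust policy says which Kubernetes subject may assume it. The script below is an added example, not the page's own setup script. It assumes the namespace and service-account name from the setup above and that kubectl and the AWS CLI are pointed at the cluster; the trust-policy JSON embedded in it is a constructed sample (placeholder account id and OIDC provider id) so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not the page's own script): trace an IRSA binding from the Kubernetes
# ServiceAccount to the IAM role, and check that the role's trust policy is pinned to
# exactly this namespace/service-account pair.

# Assumed to match the setup script on this page.
NAMESPACE="nestjs-boilerplate"
SERVICE_ACCOUNT="nestjs-boilerplate-prod-service-account"

# The OIDC subject IRSA writes into the role's trust policy for a namespace/SA pair.
expected_sub() {
    printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# Print every "...:sub" condition value from a trust policy document read on stdin.
# jq-free on purpose; sufficient for the JSON the CLI returns for a role.
trust_policy_subs() {
    grep -o '"[^"]*:sub" *: *"[^"]*"' | sed 's/.*: *"\([^"]*\)"$/\1/'
}

# Exit 0 only if the trust policy on stdin binds exactly one subject and it is the
# expected one. Any wildcard (e.g. StringLike "system:serviceaccount:*:*") or a second
# subject fails the check, since either would let other pods assume the role.
trust_policy_binds_only() {
    want=$(expected_sub "$1" "$2")
    subs=$(trust_policy_subs)
    [ -n "$subs" ] || return 1
    case "$subs" in
        *\**) return 1 ;;
    esac
    [ "$subs" = "$want" ]
}

# Live lookups; only run when IRSA_INSPECT_LIVE=1 is set.
sa_role_arn() {
    kubectl -n "$1" get serviceaccount "$2" \
        -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}'
}

role_trust_policy() {
    # $1 is a role ARN; the role name is the part after the last "/".
    aws iam get-role --role-name "${1##*/}" \
        --query 'Role.AssumeRolePolicyDocument' --output json
}

inspect_live() {
    role_arn=$(sa_role_arn "$NAMESPACE" "$SERVICE_ACCOUNT")
    echo "ServiceAccount ${NAMESPACE}/${SERVICE_ACCOUNT} -> ${role_arn:-<no role-arn annotation>}"
    [ -n "$role_arn" ] || return 1
    echo "Attached policies:"
    aws iam list-attached-role-policies --role-name "${role_arn##*/}" \
        --query 'AttachedPolicies[].PolicyArn' --output text
    if role_trust_policy "$role_arn" | trust_policy_binds_only "$NAMESPACE" "$SERVICE_ACCOUNT"; then
        echo "Trust policy is pinned to $(expected_sub "$NAMESPACE" "$SERVICE_ACCOUNT")"
    else
        echo "WARNING: trust policy is not pinned to this service account alone" >&2
        return 1
    fi
}

# Constructed sample of the trust policy eksctl creates for the role (account id and
# OIDC provider id are placeholders), used to exercise the checks offline.
SAMPLE_TRUST_POLICY='{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.ap-southeast-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "oidc.eks.ap-southeast-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com",
      "oidc.eks.ap-southeast-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:nestjs-boilerplate:nestjs-boilerplate-prod-service-account"
    }}
  }]
}'

# Constructed counter-example: a trust policy any pod in the cluster could satisfy.
SAMPLE_WILDCARD_TRUST_POLICY='{"Statement":[{"Condition":{"StringLike":{"oidc.eks.ap-southeast-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub":"system:serviceaccount:*:*"}}}]}'

if [ "${IRSA_INSPECT_LIVE:-0}" = "1" ]; then
    inspect_live
fi
```

Run it against the cluster with `IRSA_INSPECT_LIVE=1 sh irsa-inspect.sh`. For a quicker one-liner, `eksctl get iamserviceaccount --cluster main --namespace nestjs-boilerplate --name nestjs-boilerplate-prod-service-account` prints the same ServiceAccount-to-role mapping, but it does not show the trust policy, which is the part worth checking: the `sub` condition is what stops a pod in another namespace from assuming the role.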
