AWS Service accounts

We make use of IAM Service Accounts to control access to Databases and S3 buckets.

Overview

This requires:

1. Setup of an IAM provider

2. Creation of am IAM policy - this example allows access to the S3 bucket for attachment-store

3. Creation of an IAM role, which

   1. Can assume the role based on the Kubernetes service account and namespace
   2. Has your IAM policy attached

4. Assignment of the role ARN to the Kubernetes Service Account

Terraform helper functions

We have written helper functions that you can repurpose to your deployment. This will:

1. Create the needed IAM OpenID Connect provider
2. Create needed roles for a service account