Documentation
Overview
Package aws provides utilities for creating and managing AWS IAM resources for Kubernetes workloads running in EKS. It handles the creation of IAM roles, policies, and policy attachments that enable pod identity and KMS access.
The package is designed to work with Pulumi and provides a high-level interface for managing AWS IAM resources, particularly for services that need to interact with AWS KMS for cryptographic operations.
Index
Constants
const (
	// IAMPolicyVersion is the standard IAM policy language version
	IAMPolicyVersion = "2012-10-17"

	// Policy effects
	EffectAllow = "Allow"
	EffectDeny  = "Deny"
)
IAM Policy version and effect constants
const (
	// EKS pod identity service
	EKSPodsService = "pods.eks.amazonaws.com"

	// EC2 service
	EC2Service = "ec2.amazonaws.com"
)
AWS Services
const (
	STSAssumeRoleAction = "sts:AssumeRole"
	STSTagSessionAction = "sts:TagSession"
)
STS Actions
const (
	KMSSignAction         = "kms:Sign"
	KMSGetPublicKeyAction = "kms:GetPublicKey"
)
KMS Actions
const (
	RoleSuffix                 = "-role"
	PolicySuffix               = "-policy"
	RolePolicyAttachmentSuffix = "-role-policy-attachment"
)
Resource name suffixes
const (
	EKSAssumeRoleStatementSid = "AllowEksAuthToAssumeRoleForPodIdentity"
)
IAM statement identifiers
Variables
This section is empty.
Functions
func CreateKMSPolicy
func CreateKMSPolicy(key pulumi.StringInput) pulumi.StringOutput
CreateKMSPolicy creates a KMS policy document that grants permissions to sign messages and retrieve public keys using the specified KMS key.
Parameters:
- key: The ARN of the KMS key to create the policy for
Returns:
- pulumi.StringOutput: A Pulumi output containing the JSON policy document
The policy grants the following permissions:
- kms:Sign: Allows signing messages using the KMS key
- kms:GetPublicKey: Allows retrieving the public key associated with the KMS key
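The document CreateKMSPolicy produces, built and then re-checked as an added example; this is not the package's own code. It uses the constants documented above, takes the key ARN as a resolved string (the package resolves it through a Pulumi output) and adds a CheckKMSPolicy function that re-parses the rendered JSON to confirm it is Allow-only, limited to the two signing actions and bound to one key ARN rather than a wildcard. The key ARN in main is constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constants copied from the package documentation.
const (
	IAMPolicyVersion      = "2012-10-17"
	EffectAllow           = "Allow"
	KMSSignAction         = "kms:Sign"
	KMSGetPublicKeyAction = "kms:GetPublicKey"
)

// kmsStatement and kmsPolicy stand in for the package's KMSStatement and
// KMSPolicy, with Resource as a plain string so the document can be marshalled
// once the key ARN is known.
type kmsStatement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource string   `json:"Resource"`
}

type kmsPolicy struct {
	Version   string         `json:"Version"`
	Statement []kmsStatement `json:"Statement"`
}

// BuildKMSPolicy renders the sign-and-get-public-key policy for one key ARN.
// It refuses an empty or wildcard resource so a caller cannot accidentally
// grant signing with every key in the account.
func BuildKMSPolicy(keyArn string) (string, error) {
	if keyArn == "" || keyArn == "*" {
		return "", fmt.Errorf("a specific KMS key ARN is required, got %q", keyArn)
	}
	p := kmsPolicy{
		Version: IAMPolicyVersion,
		Statement: []kmsStatement{{
			Effect:   EffectAllow,
			Action:   []string{KMSSignAction, KMSGetPublicKeyAction},
			Resource: keyArn,
		}},
	}
	b, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// CheckKMSPolicy re-parses a rendered document and verifies least privilege:
// every statement must be Allow, use only the two signing actions, and name a
// KMS key ARN (any partition) rather than "*".
func CheckKMSPolicy(doc string) error {
	var p kmsPolicy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return err
	}
	if p.Version != IAMPolicyVersion {
		return fmt.Errorf("unexpected policy version %q", p.Version)
	}
	allowed := map[string]bool{KMSSignAction: true, KMSGetPublicKeyAction: true}
	for i, s := range p.Statement {
		if s.Effect != EffectAllow {
			return fmt.Errorf("statement %d: effect %q, want %q", i, s.Effect, EffectAllow)
		}
		if !strings.HasPrefix(s.Resource, "arn:") || !strings.Contains(s.Resource, ":kms:") {
			return fmt.Errorf("statement %d: resource %q is not a KMS key ARN", i, s.Resource)
		}
		for _, a := range s.Action {
			if !allowed[a] {
				return fmt.Errorf("statement %d: action %q exceeds sign/get-public-key", i, a)
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample ARN for illustration only.
	doc, err := BuildKMSPolicy("arn:aws:kms:us-east-1:123456789012:key/example-key-id")
	if err != nil {
		panic(err)
	}
	fmt.Println(doc)
	fmt.Println("check:", CheckKMSPolicy(doc))
}
```

The check is worth running in a unit test against whatever CreateKMSPolicy actually emits: a policy that passes it can sign with exactly one key and nothing else, which is the property the package exists to provide.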
Types
type IAMPolicy
type IAMPolicy struct {
	// Version specifies the policy language version
	Version string `json:"Version"`
	// Statement contains the list of permission statements
	Statement []IAMStatement `json:"Statement"`
}
IAMPolicy represents a complete IAM policy document. It contains a version and a list of statements that define the policy's permissions.
type IAMResources
type IAMResources struct {
	// Role is the IAM role that can be assumed by the Kubernetes workload
	Role *iam.Role
	// Policy defines the permissions granted to the role
	Policy *iam.Policy
	// PolicyAttachment connects the policy to the role
	PolicyAttachment *iam.RolePolicyAttachment
}
IAMResources contains AWS IAM resources created for a component. These resources work together to provide the necessary permissions for a Kubernetes workload to interact with AWS services.
func CreateIAMResources
func CreateIAMResources(
	ctx *pulumi.Context,
	name string,
	serviceName string,
	keyArn pulumi.StringInput,
	parent pulumi.Resource,
) (*IAMResources, error)
CreateIAMResources creates IAM resources (role, policy, and policy attachment) for a component. It sets up the necessary permissions for a Kubernetes workload to interact with AWS KMS.
Parameters:
- ctx: The Pulumi context
- name: Base name for the IAM resources
- serviceName: Name of the service that will use these IAM resources
- keyArn: ARN of the KMS key that the service needs to access
- parent: Parent Pulumi resource for dependency tracking
Returns:
- *IAMResources: The created IAM resources
- error: Any error that occurred during creation
Example:
	resources, err := CreateIAMResources(ctx, "my-service", "my-service", keyArn, parent)
	if err != nil {
		return nil, fmt.Errorf("failed to create IAM resources: %w", err)
	}
type IAMStatement
type IAMStatement struct {
	// Sid is an optional identifier for the statement
	Sid string `json:"Sid,omitempty"`
	// Effect specifies whether the statement allows or denies access
	Effect string `json:"Effect"`
	// Principal specifies who is allowed or denied access
	Principal struct {
		// Service contains a list of AWS services that can assume this role
		Service []string `json:"Service"`
	} `json:"Principal"`
	// Action specifies the AWS actions that are allowed or denied
	Action []string `json:"Action"`
}
IAMStatement represents a statement in an IAM policy document. It defines a single statement naming the principal (AWS services) that may act and the actions that are allowed or denied. The struct carries no Resource field, so it is shaped for role trust policies rather than resource-scoped permission statements. The JSON tags use IAM's capitalised element names (Sid, Effect); IAM does not accept lowercase variants.
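How the pieces above fit together for CreateIAMResources, as an added example rather than the package's own code: the role names derived from the suffix constants, the trust policy that lets EKS Pod Identity assume the role (built from an IAMStatement-shaped struct), and a CheckTrustPolicy function that parses the JSON with IAM's case-sensitive element names and confirms that only pods.eks.amazonaws.com is trusted and only the two STS actions are granted. A document whose struct was tagged "effect" instead of "Effect" fails that check, which is the defect the tag casing guards against. The trustStatement and trustPolicy types are stand-ins for IAMStatement and IAMPolicy; the role, policy and attachment resources themselves are created by Pulumi in the real function and are not shown.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constants copied from the package documentation.
const (
	IAMPolicyVersion           = "2012-10-17"
	EffectAllow                = "Allow"
	EKSPodsService             = "pods.eks.amazonaws.com"
	STSAssumeRoleAction        = "sts:AssumeRole"
	STSTagSessionAction        = "sts:TagSession"
	EKSAssumeRoleStatementSid  = "AllowEksAuthToAssumeRoleForPodIdentity"
	RoleSuffix                 = "-role"
	PolicySuffix               = "-policy"
	RolePolicyAttachmentSuffix = "-role-policy-attachment"
)

// trustStatement mirrors IAMStatement with IAM's capitalised element names.
type trustStatement struct {
	Sid       string `json:"Sid,omitempty"`
	Effect    string `json:"Effect"`
	Principal struct {
		Service []string `json:"Service"`
	} `json:"Principal"`
	Action []string `json:"Action"`
}

type trustPolicy struct {
	Version   string           `json:"Version"`
	Statement []trustStatement `json:"Statement"`
}

// ResourceNames derives the role, policy and attachment names from a base name.
func ResourceNames(name string) (role, policy, attachment string) {
	return name + RoleSuffix, name + PolicySuffix, name + RolePolicyAttachmentSuffix
}

// BuildPodIdentityTrustPolicy renders the trust policy: one Allow statement
// letting the EKS pods service call sts:AssumeRole and sts:TagSession.
func BuildPodIdentityTrustPolicy() (string, error) {
	st := trustStatement{
		Sid:    EKSAssumeRoleStatementSid,
		Effect: EffectAllow,
		Action: []string{STSAssumeRoleAction, STSTagSessionAction},
	}
	st.Principal.Service = []string{EKSPodsService}
	b, err := json.Marshal(trustPolicy{Version: IAMPolicyVersion, Statement: []trustStatement{st}})
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// CheckTrustPolicy parses the document generically, as IAM would, and verifies
// element casing, the single trusted principal and the allowed action set.
func CheckTrustPolicy(doc string) error {
	var raw struct {
		Version   string                       `json:"Version"`
		Statement []map[string]json.RawMessage `json:"Statement"`
	}
	if err := json.Unmarshal([]byte(doc), &raw); err != nil {
		return err
	}
	if raw.Version != IAMPolicyVersion {
		return fmt.Errorf("unexpected policy version %q", raw.Version)
	}
	for i, s := range raw.Statement {
		for _, k := range []string{"Effect", "Principal", "Action"} {
			if _, ok := s[k]; !ok {
				return fmt.Errorf("statement %d: missing element %q (element names are case-sensitive)", i, k)
			}
		}
		var effect string
		if err := json.Unmarshal(s["Effect"], &effect); err != nil || effect != EffectAllow {
			return fmt.Errorf("statement %d: Effect must be %q", i, EffectAllow)
		}
		var principal struct {
			Service []string `json:"Service"`
		}
		if err := json.Unmarshal(s["Principal"], &principal); err != nil {
			return fmt.Errorf("statement %d: bad Principal: %w", i, err)
		}
		if len(principal.Service) != 1 || principal.Service[0] != EKSPodsService {
			return fmt.Errorf("statement %d: trusted services %v, want only %q", i, principal.Service, EKSPodsService)
		}
		var actions []string
		if err := json.Unmarshal(s["Action"], &actions); err != nil {
			return fmt.Errorf("statement %d: bad Action: %w", i, err)
		}
		for _, a := range actions {
			if a != STSAssumeRoleAction && a != STSTagSessionAction {
				return fmt.Errorf("statement %d: action %q is outside the pod identity set", i, a)
			}
		}
	}
	return nil
}

func main() {
	doc, err := BuildPodIdentityTrustPolicy()
	if err != nil {
		panic(err)
	}
	fmt.Println(doc)
	fmt.Println("check:", CheckTrustPolicy(doc))
	fmt.Println(ResourceNames("my-service"))
}
```

Keeping the trust policy to a single service principal matters more than it looks: any additional principal in this statement can assume the role and inherit its KMS signing permission, so the check rejects the document as soon as a second service or a non-EKS service appears.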
type KMSPolicy
type KMSPolicy struct {
	// Version specifies the policy language version
	Version string `json:"Version"`
	// Statement contains the list of KMS permission statements
	Statement []KMSStatement `json:"Statement"`
}
KMSPolicy represents a complete KMS policy document. It contains a version and a list of statements that define the KMS permissions.
type KMSStatement
type KMSStatement struct {
	// Effect specifies whether the statement allows or denies access
	Effect string `json:"Effect"`
	// Action specifies the KMS actions that are allowed or denied
	Action []string `json:"Action"`
	// Resource specifies the KMS key ARN that the permissions apply to
	Resource pulumi.StringInput `json:"Resource"`
}
KMSStatement represents a statement in a KMS policy document. It defines permissions specifically for AWS KMS operations.