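---
# Member-account IAM role that the management-account Crossplane role assumes.
# Placeholders in angle brackets (<MANAGEMENT-ACCOUNT-ID>) must be substituted
# before applying. Indentation below is 2 spaces; the original listing had
# lost its nesting, so `spec`/`forProvider` would not have parsed as intended.
apiVersion: iam.aws.crossplane.io/v1beta1
kind: Role
metadata:
  name: crossplane-provider-role
spec:
  forProvider:
    # Trust policy: only the named management-account role may assume this role.
    # The aws:PrincipalArn condition restates the Principal on purpose: if the
    # management role is deleted and recreated, IAM rewrites the Principal to the
    # old role's unique id, and the string condition then keeps the trust from
    # silently pointing at nothing while looking unchanged in the console.
    assumeRolePolicyDocument: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::<MANAGEMENT-ACCOUNT-ID>:role/crossplane-management-role"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": {
                "aws:PrincipalArn": "arn:aws:iam::<MANAGEMENT-ACCOUNT-ID>:role/crossplane-management-role"
              }
            }
          }
        ]
      }
    # Inline permissions for whoever holds this role.
    # NOTE(review): "iam:*" on Resource "*" allows creating roles, attaching
    # policies and editing trust relationships, so this grant is effectively
    # account administrator despite the "provider" name. Narrow Action/Resource
    # to the resource kinds Crossplane actually manages, and consider a
    # permissions boundary on roles the provider is allowed to create.
    # NOTE(review): confirm that `policies` (name/policy) is a field of the
    # Role CRD in your provider version (`kubectl explain role.spec.forProvider`);
    # the community provider also models attachments as separate
    # RolePolicyAttachment resources.
    policies:
      - name: crossplane-provider-policy
        policy: |
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "s3:*",
                  "ec2:*",
                  "rds:*",
                  "iam:*"
                ],
                "Resource": "*"
              }
            ]
          }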
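---
# ProviderConfig for the prod member account. `InjectedIdentity` makes the
# provider use the identity of its own pod (the IRSA role in the management
# account) and then assume the member-account role named here.
# NOTE(review): verify the field path for the assumed role against your
# provider's ProviderConfig CRD (`kubectl explain providerconfig.spec`); the
# nesting under `aws:` is preserved from the original but should be confirmed.
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: aws-member-prod
spec:
  credentials:
    source: InjectedIdentity
  aws:
    # Role created by the crossplane-provider-role manifest in the prod account.
    assumeRoleARN: "arn:aws:iam::<PROD-ACCOUNT-ID>:role/crossplane-provider-role"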
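---
# ProviderConfig for the dev member account; same shape as aws-member-prod,
# differing only in the target account id. Managed resources select this
# config via `spec.providerConfigRef.name: aws-member-dev`.
# NOTE(review): verify the field path for the assumed role against your
# provider's ProviderConfig CRD (`kubectl explain providerconfig.spec`); the
# nesting under `aws:` is preserved from the original but should be confirmed.
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: aws-member-dev
spec:
  credentials:
    source: InjectedIdentity
  aws:
    # Role created by the crossplane-provider-role manifest in the dev account.
    assumeRoleARN: "arn:aws:iam::<DEV-ACCOUNT-ID>:role/crossplane-provider-role"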
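---
# Management-account role assumed by the Crossplane provider pod through the
# EKS OIDC provider (IRSA). <OIDC-PROVIDER-ID> is the cluster's OIDC issuer
# path and must appear identically in the Federated ARN and the condition keys.
# NOTE(review): the member-account trust policy above names
# `crossplane-management-role`, while this role is `crossplane-eks-admin-role`;
# one of the two names has to change or the member roles cannot be assumed.
apiVersion: iam.aws.crossplane.io/v1beta1
kind: Role
metadata:
  name: crossplane-eks-admin-role
spec:
  forProvider:
    # Trust policy: restrict the web-identity token to the provider's service
    # account (sub) AND to tokens minted for STS (aud). The original had only
    # the sub check; without aud, a token issued by the same cluster for a
    # different audience is still accepted.
    # NOTE(review): confirm the service account name; provider pods in
    # Crossplane get their identity from the provider's runtime config, so
    # `crossplane-provider-aws` must be the SA the provider pod actually runs as.
    assumeRolePolicyDocument: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "arn:aws:iam::<MANAGEMENT-ACCOUNT-ID>:oidc-provider/<OIDC-PROVIDER-ID>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
              "StringEquals": {
                "<OIDC-PROVIDER-ID>:sub": "system:serviceaccount:crossplane-system:crossplane-provider-aws",
                "<OIDC-PROVIDER-ID>:aud": "sts.amazonaws.com"
              }
            }
          }
        ]
      }
    # NOTE(review): AdministratorAccess on the management account is far more
    # than the assume-role hop needs. If this role exists only to assume the
    # member-account provider roles, a customer policy allowing
    # `sts:AssumeRole` on those role ARNs is sufficient.
    # NOTE(review): confirm `managedPolicies` is a field of the Role CRD in your
    # provider version; the community provider also models attachments as
    # separate RolePolicyAttachment resources.
    managedPolicies:
      - arn:aws:iam::aws:policy/AdministratorAccess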
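---
# Organizations service control policy that pins `crossplane-minimal-role` to a
# read-only action list in every account it is attached to.
# NOTE(review): no Role named `crossplane-minimal-role` is defined elsewhere on
# this page; the member roles are `crossplane-provider-role`. Align the name or
# the Deny below never applies to the provider's role.
apiVersion: organizations.aws.crossplane.io/v1beta1
kind: Policy
metadata:
  name: crossplane-role-permissions
spec:
  forProvider:
    content: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "CrossplaneMinimalAccess",
            "Effect": "Allow",
            "Action": [
              "s3:ListBucket",
              "s3:GetBucketLocation",
              "s3:ListBucketMultipartUploads",
              "ec2:DescribeInstances",
              "ec2:DescribeSecurityGroups",
              "rds:DescribeDBInstances",
              "iam:GetRole",
              "iam:ListRolePolicies"
            ],
            "Resource": "*"
          },
          {
            "Sid": "DenyAllOtherAccess",
            "Effect": "Deny",
            "NotAction": [
              "s3:ListBucket",
              "s3:GetBucketLocation",
              "s3:ListBucketMultipartUploads",
              "ec2:DescribeInstances",
              "ec2:DescribeSecurityGroups",
              "rds:DescribeDBInstances",
              "iam:GetRole",
              "iam:ListRolePolicies"
            ],
            "Resource": "*",
            "Condition": {
              "ArnLike": {
                "aws:PrincipalArn": "arn:aws:iam::*:role/crossplane-minimal-role"
              }
            }
          }
        ]
      }
    # Two changes from the original policy document:
    # 1. The Deny used `StringEquals` with a `*` in the account field. String
    #    operators treat `*` literally, so no real principal ARN ever matched and
    #    the Deny was inert; `ArnLike` performs wildcard matching, and
    #    aws:PrincipalArn resolves to the role ARN for role sessions.
    # 2. The Allow statement's Condition was dropped. An SCP Allow only sets
    #    the permission ceiling and grants nothing by itself, and the SCP
    #    syntax reference restricts Allow statements to Resource "*" without a
    #    Condition — confirm against the current SCP syntax docs for your
    #    organization before relying on it.
    # The Deny remains scoped to the one role; all other principals are
    # unaffected by this policy.
    type: SERVICE_CONTROL_POLICY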