aws-for-fluent-bit chart missing rbac serviceaccount role arn annotation

[rojomisin]

how do we pass the role arn for the service account? annotation?

docs list duplicate key too

is one of those meant to show how to pass a role 🤞

[andynelson]

You can do this by setting the following in values.yaml

serviceAccount:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::***YOUR AWS ACCOUNT NUMBER***:role/***NAME OF YOUR ROLE***

The role needs to trust the OIDC issuer for your cluster - put this into the role's trust relationship policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowFromOIDC",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::***YOUR AWS ACCOUNT NUMBER***:oidc-provider/oidc.eks.***REGION***.amazonaws.com/id/***ID***"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.***REGION***.amazonaws.com/id/***ID***:sub": "system:serviceaccount:***KUBERNETES NAMESPACE***:***SERVICE ACCOUNT NAME***"
        }
      }
    }
  ]
}

[RalphSleighK]

This just tripped me up, the values.yaml has

serviceAccount:
  create: true
  annotations: {}
  name:

...

annotations:
  {}
  # iam.amazonaws.com/role: arn:aws:iam::123456789012:role/role-for-fluent-bit

Suggesting the role goes in annotations rather than serviceAccount.annotations