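# Allow the EC2 instances of the wsi-app-nodegroup to reach the RDS security
# group on TCP 3307. Every lookup is validated before its result is reused:
# `--output text` prints "None" for a missing value and joins several matches
# with tabs, and the original passed those on unquoted to the next command.
APP_NODE_GROUP_ASG_NAME=$(aws eks describe-nodegroup \
  --cluster-name wsi-eks-cluster \
  --nodegroup-name wsi-app-nodegroup \
  --query "nodegroup.resources.autoScalingGroups[].name" \
  --output text)
if [[ -z "$APP_NODE_GROUP_ASG_NAME" || "$APP_NODE_GROUP_ASG_NAME" == "None" ]]; then
  printf 'error: no auto scaling group found for nodegroup wsi-app-nodegroup\n' >&2
  exit 1
fi

# Only the first instance of the ASG is inspected; the ingress rule is keyed
# on the security group, which the nodegroup's instances share.
INSTANCE_ID=$(aws autoscaling describe-auto-scaling-groups \
  --auto-scaling-group-names "$APP_NODE_GROUP_ASG_NAME" \
  --query "AutoScalingGroups[0].Instances[0].InstanceId" \
  --output text)
if [[ -z "$INSTANCE_ID" || "$INSTANCE_ID" == "None" ]]; then
  printf 'error: auto scaling group %s has no instances yet\n' "$APP_NODE_GROUP_ASG_NAME" >&2
  exit 1
fi

# An instance may carry several security groups; with more than one the
# text output contains a tab and --source-group would receive extra
# arguments, so insist on exactly one value rather than guess which to use.
SECURITY_GROUP_ID=$(aws ec2 describe-instances \
  --instance-ids "$INSTANCE_ID" \
  --query "Reservations[].Instances[].SecurityGroups[].GroupId" \
  --output text)
if [[ -z "$SECURITY_GROUP_ID" || "$SECURITY_GROUP_ID" == "None" || "$SECURITY_GROUP_ID" == *[[:space:]]* ]]; then
  printf 'error: expected exactly one security group on %s, got: %s\n' "$INSTANCE_ID" "$SECURITY_GROUP_ID" >&2
  exit 1
fi

# Same rule for the RDS group: a name filter can match one group per VPC.
RDS_SECURITY_GROUP=$(aws ec2 describe-security-groups \
  --filters Name=group-name,Values=wsi-rds-sg \
  --query "SecurityGroups[*].GroupId" \
  --output text)
if [[ -z "$RDS_SECURITY_GROUP" || "$RDS_SECURITY_GROUP" == "None" || "$RDS_SECURITY_GROUP" == *[[:space:]]* ]]; then
  printf 'error: expected exactly one security group named wsi-rds-sg, got: %s\n' "$RDS_SECURITY_GROUP" >&2
  exit 1
fi

# Source is a security group, not a CIDR, so the rule follows the node
# instances as they are replaced. Re-running this after the rule exists makes
# the API return a duplicate-permission error; that is reported, not hidden.
aws ec2 authorize-security-group-ingress \
  --group-id "$RDS_SECURITY_GROUP" \
  --protocol tcp \
  --port 3307 \
  --source-group "$SECURITY_GROUP_ID" >/dev/null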
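# IAM role for the rds-pull-sa service account in namespace wsi (IRSA).
# A single trailing backslash is the line continuation; a doubled one is an
# escaped literal backslash, which ends the command and turns every option
# below into a separate (failing) command line.
# NOTE(review): AmazonRDSFullAccess is an AWS managed policy with broad rds:*
# rights on every resource in the account. A customer managed policy scoped
# to the actions and DB instance this workload needs is the least-privilege
# replacement once those are known.
eksctl create iamserviceaccount \
  --name rds-pull-sa \
  --region=ap-northeast-2 \
  --cluster wsi-eks-cluster \
  --namespace=wsi \
  --attach-policy-arn "arn:aws:iam::aws:policy/AmazonRDSFullAccess" \
  --override-existing-serviceaccounts \
  --approve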
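# IAM role for the dynamodb-pull-sa service account in namespace wsi (IRSA).
# The original had `--namespace=wsi\\` with no space before the backslash and
# doubled backslashes on every line; both are written as plain continuations
# here. The kms:Decrypt inline policy added later in this file is attached to
# the role eksctl creates for this account.
# NOTE(review): AmazonDynamoDBFullAccess grants dynamodb:* on every table; a
# policy scoped to the tables and actions this workload uses is preferable.
eksctl create iamserviceaccount \
  --name dynamodb-pull-sa \
  --region=ap-northeast-2 \
  --cluster wsi-eks-cluster \
  --namespace=wsi \
  --attach-policy-arn "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess" \
  --override-existing-serviceaccounts \
  --approve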
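# Install stakater/reloader so pods restart when their ConfigMaps/Secrets
# change. The angle brackets around the URL in the original are shell
# redirections (`<` reads a file named after the URL), not part of the URL.
# Without `set -e` a failed step would otherwise be silently skipped, so each
# step aborts the script explicitly.
helm repo add stakater https://stakater.github.io/stakater-charts || exit 1
helm repo update || exit 1
helm install reloader stakater/reloader || exit 1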
#!/bin/bash
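# Resolve the IAM role behind dynamodb-pull-sa and locate the KMS key tagged
# "dynamodb-kms"; both values feed the put-role-policy call that follows.
ROLE_ARN=$(eksctl get iamserviceaccount \
  --cluster wsi-eks-cluster \
  --name dynamodb-pull-sa \
  --namespace wsi \
  --region ap-northeast-2 \
  --output json | jq -r '.[].status.roleARN')
if [[ -z "$ROLE_ARN" || "$ROLE_ARN" == "null" ]]; then
  printf 'error: could not resolve the IAM role of service account dynamodb-pull-sa\n' >&2
  exit 1
fi

# The role name is the last path element of its ARN, so there is no need to
# list every role in the account (which is paginated and can miss the match).
# get-role is kept as a cheap existence check on the resolved name.
ROLE_NAME=$(aws iam get-role \
  --role-name "${ROLE_ARN##*/}" \
  --query "Role.RoleName" \
  --output text)
if [[ -z "$ROLE_NAME" || "$ROLE_NAME" == "None" ]]; then
  printf 'error: IAM role %s not found\n' "${ROLE_ARN##*/}" >&2
  exit 1
fi

# Scan every customer-visible key for one tagged with the value dynamodb-kms.
# Filtering on the tag value in the query means a key that also carries other
# tags (e.g. an environment tag) is still matched; the original compared the
# whole tab-joined list of tag values against the single string and would
# miss it. Tag reads on keys we are not allowed to inspect (AWS managed
# keys) fail with AccessDenied; those keys are simply skipped.
kms_arn=
while IFS= read -r key_id; do
  [[ -n "$key_id" ]] || continue
  match=$(aws kms list-resource-tags \
    --key-id "$key_id" \
    --query "Tags[?TagValue=='dynamodb-kms'].TagValue" \
    --output text 2>/dev/null)
  if [[ -n "$match" && "$match" != "None" ]]; then
    # As in the original, the last matching key wins if several are tagged.
    kms_arn=$(aws kms describe-key \
      --key-id "$key_id" \
      --query "KeyMetadata.Arn" \
      --output text)
  fi
done < <(aws kms list-keys --output json | jq -r '.Keys[].KeyId')
if [[ -z "$kms_arn" ]]; then
  printf 'error: no KMS key tagged dynamodb-kms was found\n' >&2
  exit 1
fi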

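# Attach an inline policy granting kms:Decrypt on the DynamoDB key only.
# Refuse to proceed when either input from the lookups above is empty: an
# empty Resource would otherwise be rejected by IAM with a less useful error.
: "${ROLE_NAME:?ROLE_NAME is empty - role lookup failed}"
: "${kms_arn:?kms_arn is empty - no KMS key tagged dynamodb-kms was found}"

# The document is built with a heredoc instead of an escaped inline string,
# so the JSON reads as JSON. The delimiter is unquoted on purpose so that
# ${kms_arn} expands; an ARN contains no characters that need JSON escaping.
policy_document=$(cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "${kms_arn}"
    }
  ]
}
EOF
)

aws iam put-role-policy \
  --role-name "$ROLE_NAME" \
  --policy-name AllowKMSDecrypt \
  --policy-document "$policy_document"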