How does entrypoint.sh get permission to update the kubeconfig?
jialechan opened this issue · 2 comments
    # Write a kubeconfig for the cluster. With EKS_ROLE_ARN set, the generated
    # kubeconfig assumes that role (via `aws eks get-token --role-arn`) when it
    # fetches a token, so kubectl acts as that role rather than the caller.
    update_kubeconfig(){
        if [[ -n "${EKS_ROLE_ARN:-}" ]]; then
            echo "[INFO] got EKS_ROLE_ARN=${EKS_ROLE_ARN}, updating kubeconfig with this role"
            aws eks update-kubeconfig --name "${CLUSTER_NAME}" --kubeconfig "${KUBECONFIG}" --role-arn "${EKS_ROLE_ARN}"
        else
            aws eks update-kubeconfig --name "${CLUSTER_NAME}" --kubeconfig "${KUBECONFIG}"
        fi
    }
Hello pahud, I have a question: this code should run in CodeBuild, so how does it get permission to update the kubeconfig?
Hi, good question.
The CodeBuild project will be running as project.role, which is automatically generated by CDK. And I grant the required IAM policies for it here so the project.role can describe the cluster and get the required info to generate the kubeconfig:
amazon-eks-cicd-codebuild/cdk/lib/cdk-stack.ts, lines 97 to 100 in cfe10ab
And ICYMI there's another bit of magic here: we just addMastersRole for project.role, and this IAM role ARN will be added into the Amazon EKS RBAC as system:masters, so project.role can literally do anything with kubectl on this EKS cluster. See AWS IAM Mapping in @aws-eks.
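The mapping described in the answer above lands in the aws-auth ConfigMap in the kube-system namespace, as a mapRoles entry whose groups list contains system:masters. Because system:masters is hard-wired to cluster-admin and cannot be narrowed with RBAC, a practitioner usually wants to audit which IAM roles end up there. The shell snippet below is an added example, not code from the amazon-eks-cicd-codebuild repo or from the answer: it parses a mapRoles document (a constructed sample is embedded; the account ID and role names are made up) and flags any role mapped to system:masters that is not on an allow-list. The function names list_masters_roles and check_masters_roles are this example's own. In a real cluster the input would come from `kubectl -n kube-system get configmap aws-auth -o jsonpath='{.data.mapRoles}'`.

```shell
# Added example (not from the repo): audit aws-auth mapRoles for system:masters.
# Reads the mapRoles YAML list on stdin and prints one IAM role ARN per line for
# every entry whose groups include system:masters.
list_masters_roles() {
  awk '
    /^[ \t]*-[ \t]*rolearn:/ {                       # start of a new mapRoles entry
      if (arn != "" && masters) print arn             # flush the previous entry
      sub(/^[ \t]*-[ \t]*rolearn:[ \t]*/, "")         # strip the key, keep the ARN
      arn = $0; masters = 0
      next
    }
    /^[ \t]*-[ \t]*system:masters[ \t]*$/ { masters = 1 }   # a groups item
    END { if (arn != "" && masters) print arn }
  '
}

# Constructed sample resembling what CDK addMastersRole() plus the managed
# node-group mapping leave in aws-auth. Account ID and role names are made up.
SAMPLE_MAP_ROLES='- rolearn: arn:aws:iam::111122223333:role/CodeBuildProjectRole
  username: arn:aws:iam::111122223333:role/CodeBuildProjectRole
  groups:
    - system:masters
- rolearn: arn:aws:iam::111122223333:role/EksNodeInstanceRole
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
- rolearn: arn:aws:iam::111122223333:role/ReadOnlyAuditor
  username: auditor
  groups:
    - view-only'

# Return 1 (and report on stderr) if any system:masters role does not match
# the allow-list regex in $1, e.g. check_masters_roles 'role/ClusterAdminRole$'.
check_masters_roles() {
  allowed_regex="$1"
  unexpected=$(list_masters_roles | grep -Ev "$allowed_regex" || true)
  if [ -n "$unexpected" ]; then
    printf 'Unexpected system:masters mapping:\n%s\n' "$unexpected" >&2
    return 1
  fi
  return 0
}

# Run against the constructed sample: only the CodeBuild role is a cluster admin.
printf '%s\n' "$SAMPLE_MAP_ROLES" | list_masters_roles
```

For the CI role in this repo the check would pass with an allow-list of `role/CodeBuildProjectRole$` (or whatever CDK named the project role) and fail for anything else. If a CI role should not be cluster-admin at all, the less privileged alternative is to map it to a custom group in mapRoles and bind that group to a namespaced Role with a RoleBinding, instead of using system:masters.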
This is a detailed and clear answer, thx :)