This Kubernetes controller synchronizes the certificates referenced by Ingress resources (the TLS Secrets listed under `spec.tls`) to AWS ACM. After a successful synchronization, the ALB annotation `alb.ingress.kubernetes.io/certificate-arn` on the Ingress is updated with the ARN of the corresponding ACM certificate.
The preferred authentication method is IAM Roles for Service Accounts (IRSA). Other authentication methods should work with this controller, but they have not been tested at this time.
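The following is an added example, not code from acm-sync-manager itself: it shows offline, with constructed inputs, the data handling such a sync involves. It reads the Secret names out of an Ingress, splits the `tls.crt` bundle into the leaf certificate and the issuer chain (ACM's ImportCertificate takes them as separate fields), builds the keyword arguments for boto3's `ACM.Client.import_certificate` for both a first import and a re-import into an existing ARN, and produces the JSON merge patch that sets the ALB annotation. The tag keys `acm-sync-manager/source` and `acm-sync-manager/fingerprint`, the PEM contents and the sample objects are assumptions constructed for the example.

```python
"""Added example (not part of acm-sync-manager): Ingress TLS Secret -> ACM import
request -> Ingress annotation patch, using only the standard library."""
import base64
import hashlib
import re
from typing import List, Optional, Tuple

ANNOTATION = "alb.ingress.kubernetes.io/certificate-arn"
SOURCE_TAG = "acm-sync-manager/source"          # assumed tag key, not the project's
FP_TAG = "acm-sync-manager/fingerprint"         # assumed tag key, not the project's
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def ingress_tls_secret_names(ingress: dict) -> List[str]:
    """Return the secretName of every spec.tls entry on an Ingress object."""
    tls = ingress.get("spec", {}).get("tls") or []
    return [t["secretName"] for t in tls if t.get("secretName")]


def split_pem_bundle(bundle: str) -> Tuple[str, Optional[str]]:
    """Split a tls.crt bundle (leaf first, then issuers) into leaf and chain.

    A Kubernetes TLS Secret concatenates the blocks; ACM wants the end-entity
    certificate and the chain separately. A bundle with no certificate block
    is an error, not an import of nothing.
    """
    blocks = [b.strip() for b in PEM_CERT.findall(bundle)]
    if not blocks:
        raise ValueError("tls.crt contains no PEM CERTIFICATE block")
    leaf, chain = blocks[0] + "\n", blocks[1:]
    return leaf, ("\n".join(chain) + "\n") if chain else None


def cert_fingerprint(pem_block: str) -> str:
    """SHA-256 over the DER bytes of one PEM block, used as a change marker."""
    body = "".join(l for l in pem_block.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def build_import_request(secret: dict, existing_arn: Optional[str] = None,
                         source: str = "") -> dict:
    """Keyword arguments for boto3 ACM.Client.import_certificate.

    With CertificateArn set, ACM re-imports into the existing certificate, so
    the ARN already written to the Ingress stays valid. ACM does not accept
    Tags on a re-import; tags are then maintained with AddTagsToCertificate.
    """
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("secret is not of type kubernetes.io/tls")
    data = secret.get("data", {})
    crt = base64.b64decode(data["tls.crt"]).decode()
    key = base64.b64decode(data["tls.key"])
    leaf, chain = split_pem_bundle(crt)
    params = {"Certificate": leaf.encode(), "PrivateKey": key}
    if chain:
        params["CertificateChain"] = chain.encode()
    if existing_arn:
        params["CertificateArn"] = existing_arn
    else:
        params["Tags"] = [{"Key": SOURCE_TAG, "Value": source},
                          {"Key": FP_TAG, "Value": cert_fingerprint(leaf)}]
    return params


def is_current(acm_tags: List[dict], leaf_pem: str) -> bool:
    """True when the fingerprint tag read back from ACM matches the Secret's
    leaf certificate, so the (re-)import can be skipped."""
    wanted = cert_fingerprint(leaf_pem)
    return any(t.get("Key") == FP_TAG and t.get("Value") == wanted for t in acm_tags)


def annotation_patch(arn: str) -> dict:
    """JSON merge patch recording the ARN on the Ingress for the ALB controller."""
    return {"metadata": {"annotations": {ANNOTATION: arn}}}


def _fake_pem(label: str) -> str:
    """Constructed PEM block (not a real certificate) so the example runs offline."""
    body = base64.b64encode(f"constructed DER for {label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed kubernetes.io/tls Secret and Ingress, shaped like API responses.
SAMPLE_SECRET = {
    "type": "kubernetes.io/tls",
    "metadata": {"name": "web-tls", "namespace": "demo"},
    "data": {
        "tls.crt": base64.b64encode((_fake_pem("leaf") + _fake_pem("intermediate")).encode()).decode(),
        "tls.key": base64.b64encode(b"-----BEGIN PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END PRIVATE KEY-----\n").decode(),
    },
}
SAMPLE_INGRESS = {
    "metadata": {"name": "web", "namespace": "demo"},
    "spec": {"tls": [{"hosts": ["www.example.com"], "secretName": "web-tls"}], "rules": []},
}

if __name__ == "__main__":
    for name in ingress_tls_secret_names(SAMPLE_INGRESS):
        req = build_import_request(SAMPLE_SECRET, source=f"demo/{name}")
        print(sorted(req))  # these kwargs would go to acm.import_certificate(**req)
        print(annotation_patch("arn:aws:acm:us-east-1:<AWS_ACCOUNT>:certificate/<ID>"))
```

In a real reconcile loop the ARN returned by `import_certificate` is what goes into `annotation_patch`, and `is_current` is fed the result of `list_tags_for_certificate`; both calls are covered by the IAM policy below.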
An example IAM policy that grants the access to ACM the controller requires (replace `<AWS_ACCOUNT>` with your account id). `acm:ImportCertificate` appears in both statements because importing a new certificate has no ARN yet to scope the resource to, while re-importing into an existing certificate is scoped to that certificate's ARN:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "acmmanager",
      "Action": [
        "acm:DescribeCertificate",
        "acm:GetCertificate",
        "acm:ListTagsForCertificate",
        "acm:AddTagsToCertificate",
        "acm:RemoveTagsFromCertificate",
        "acm:DeleteCertificate",
        "acm:ImportCertificate"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:acm:*:<AWS_ACCOUNT>:certificate/*"
      ]
    },
    {
      "Sid": "acmmanagerAllResources",
      "Action": [
        "acm:ListCertificates",
        "acm:ImportCertificate"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}
```
To install acm-sync-manager using Helm:

```shell
helm repo add acm-sync-manager https://vdesjardins.github.io/acm-sync-manager
helm install acm-sync-manager/acm-sync-manager --generate-name
```