Setup Federation for AWS
This module provisions IAM resources in AWS for Kosmos to authenticate via OIDC and create EKS clusters. It includes:
- An IAM Role for Kosmos with a Trust Policy defining who can assume the role.
- A Permissions Policy granting Kosmos the necessary permissions to create an EKS cluster.
- Policy Attachment linking the permissions policy to the IAM role.
- (Optional) An OIDC Provider Entry in AWS, representing Kosmos as an OIDC provider.
Variables
Required Variables
Note: Either `oidc_provider_arn` or (`oidc_client_id`, `oidc_thumbprint`, and `oidc_url`) must be provided.
| Variable | Description |
|---|---|
| oidc_provider_arn | (Required if oidc_client_id, oidc_thumbprint, and oidc_url are not provided) ARN of an existing OIDC provider in AWS for authentication. If specified, the module will not create a new OIDC provider. |
| oidc_client_id | (Required if oidc_provider_arn is not specified) Client ID for creating a new OIDC provider in AWS. Ensure the Client ID is already registered with the OIDC provider. |
| oidc_thumbprint | (Required if oidc_provider_arn is not specified) Thumbprint of the OIDC provider's certificate for creating a new OIDC provider in AWS. Generate it by following this AWS Guide or using the AWS console on the OIDC provider creation page (without creating one). |
| oidc_url | (Required if oidc_provider_arn is not specified) Issuer URL (including the path) of the OIDC provider for creating a new OIDC provider in AWS. |
| fleet_name | (Required) Name of the Kosmos fleet. Used as a resource identifier and for subject matching in tokens. |
Optional Variables
| Variable | Description | Default Value |
|---|---|---|
| role_name_prefix | Prefix for the IAM role created. | kosmos-operator |
Outputs
| Output Variable | Description |
|---|---|
| kosmos_role_arn | ARN of the IAM Role created for Kosmos to assume when creating EKS clusters. |
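The following is an added illustration of how the four components listed above (OIDC provider entry, IAM role with trust policy, permissions policy, policy attachment) fit together for the variables and output in the tables. It is not the Kosmos module's own code. Two things are assumptions, marked in comments: the subject claim layout `kosmos:fleet:<fleet_name>` (the page only says the fleet name is used for subject matching, not how) and the EKS action list in the permissions policy (the page does not list the module's actual permissions). The security-relevant part is the trust policy: the `sub` and `aud` conditions are what stop any other token from the same issuer from assuming the role.

```hcl
variable "oidc_provider_arn" {
  type    = string
  default = null # set this OR the three oidc_* variables below
}
variable "oidc_url" {
  type    = string
  default = null
}
variable "oidc_client_id" {
  type    = string
  default = null
}
variable "oidc_thumbprint" {
  type    = string
  default = null
}
variable "fleet_name" {
  type = string
}
variable "role_name_prefix" {
  type    = string
  default = "kosmos-operator"
}

locals {
  create_provider = var.oidc_provider_arn == null
  provider_arn    = local.create_provider ? aws_iam_openid_connect_provider.kosmos[0].arn : var.oidc_provider_arn
  # IAM condition keys are namespaced by the issuer host/path without the
  # scheme, e.g. "console.kosmos.spcplatform.com/kosmos-oidc:sub".
  issuer = local.create_provider ? trimprefix(var.oidc_url, "https://") : element(split(":oidc-provider/", var.oidc_provider_arn), 1)
}

# Created only when no existing provider ARN was passed in.
resource "aws_iam_openid_connect_provider" "kosmos" {
  count           = local.create_provider ? 1 : 0
  url             = var.oidc_url
  client_id_list  = [var.oidc_client_id]
  thumbprint_list = [var.oidc_thumbprint]
}

# Trust policy: the security boundary. Without the sub/aud conditions,
# any token minted by this issuer could assume the role.
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [local.provider_arn]
    }
    # Pin the subject to this fleet. ASSUMPTION: the real token's subject
    # format is not documented on this page; "kosmos:fleet:<name>" is a
    # placeholder pattern to replace with the actual claim layout.
    condition {
      test     = "StringEquals"
      variable = "${local.issuer}:sub"
      values   = ["kosmos:fleet:${var.fleet_name}"]
    }
    # Pin the audience whenever a client ID is known (new-provider path).
    dynamic "condition" {
      for_each = var.oidc_client_id == null ? [] : [var.oidc_client_id]
      content {
        test     = "StringEquals"
        variable = "${local.issuer}:aud"
        values   = [condition.value]
      }
    }
  }
}

resource "aws_iam_role" "kosmos" {
  name               = "${var.role_name_prefix}-${var.fleet_name}"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Permissions policy. ASSUMPTION: the module's real action list is not on
# the page; these EKS actions are a minimal illustration only (creating a
# cluster also needs iam:PassRole on the cluster's service role, for example).
data "aws_iam_policy_document" "permissions" {
  statement {
    effect    = "Allow"
    actions   = ["eks:CreateCluster", "eks:DescribeCluster", "eks:DeleteCluster"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "kosmos" {
  name   = "${var.role_name_prefix}-${var.fleet_name}"
  policy = data.aws_iam_policy_document.permissions.json
}

resource "aws_iam_role_policy_attachment" "kosmos" {
  role       = aws_iam_role.kosmos.name
  policy_arn = aws_iam_policy.kosmos.arn
}

output "kosmos_role_arn" {
  value = aws_iam_role.kosmos.arn
}
```

When reviewing a deployed role, compare the rendered trust policy against the issuer and fleet you expect: a trust policy that lists only the Federated principal with no `sub` condition is the most common misconfiguration in this pattern, and it widens the role to every identity the provider issues tokens for.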
Example Usage
1. Use an Existing OIDC Provider
```hcl
module "kosmos-oidc-role-srin-project-xyz" {
  source            = "../kosmos-aws-credentials-module"
  oidc_provider_arn = "arn:aws:iam::<AWS Account ID>:oidc-provider/console.kosmos.spcplatform.com/kosmos-oidc"
  fleet_name        = var.fleet_name
}
```
2. Create a New OIDC Provider
```hcl
module "kosmos-oidc-role-test-create-new-oidc-srin-project-xyz" {
  source          = "../kosmos-aws-credentials-module"
  oidc_client_id  = "aaabbbccc"
  oidc_thumbprint = "<certificate thumbprint string>"
  oidc_url        = "https://console.kosmos.spcplatform.com/kosmos-oidc"
  fleet_name      = "srin-project-xyz"
}
```
3. Fetch the Module from an S3 Bucket (Existing OIDC Provider Entry)
Note:
- The bucket is restricted to a specific office network.
- If using S3 directly, the module is stored as a `.tar.gz` archive in the `srin-s3-terraform-modules` bucket in the `ap-southeast-1` region.
- For authentication details, refer to the Terraform Docs.

```hcl
module "kosmos-oidc-role-srin-project-xyz" {
  source            = "https://s3.ap-southeast-1.amazonaws.com/srin-s3-terraform-modules/kosmos-aws-identity-v1.0.0.tar.gz"
  oidc_provider_arn = "arn:aws:iam::<AWS Account ID>:oidc-provider/console.kosmos.spcplatform.com/kosmos-oidc"
  fleet_name        = var.fleet_name
}
```
Download Resources
For complete examples and the latest updates, refer to:
Setup Federation Using the CLI
For instructions on setting up federation using the CLI, refer to the EKS Create and Import documentation.