From 0a6e51d63a0c4c820bac6d648368198031ddff53 Mon Sep 17 00:00:00 2001
From: Berk Dehrioglu
Date: Fri, 26 Apr 2024 11:00:09 +0300
Subject: [PATCH] fix alb role trust policy to match wildcard names (#296)
---
 CHANGELOG.md | 4 ++++
 controllers/common_test.go | 2 +-
 pkg/iam/route53_template.go | 4 ++--
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6d77cd26..6a3884b4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+### Fixed
+
+- Changed service account matching `StringLike` to accommodate wildcard full names.
+
 ## [0.22.0] - 2024-04-15
 ### Changed
diff --git a/controllers/common_test.go b/controllers/common_test.go
index 13e0af4e..8eeddb39 100644
--- a/controllers/common_test.go
+++ b/controllers/common_test.go
@@ -120,7 +120,7 @@ var ALBControllerRoleInfo = RoleInfo{
 },
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
- "StringEquals": {
+ "StringLike": {
 "irsa.test.gaws.gigantic.io:sub": "system:serviceaccount:*:aws-load-balancer-controller"
 }
 }
diff --git a/pkg/iam/route53_template.go b/pkg/iam/route53_template.go
index 215e56b8..f53399d9 100644
--- a/pkg/iam/route53_template.go
+++ b/pkg/iam/route53_template.go
@@ -42,7 +42,7 @@ const albControllerTrustIdentityPolicyIRSA = `{
 },
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
- "StringEquals": {
+ "StringLike": {
 "{{.CloudFrontDomain}}:sub": "system:serviceaccount:*:{{.ServiceAccount}}"
 }
 }
@@ -54,7 +54,7 @@ const albControllerTrustIdentityPolicyIRSA = `{
 },
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
- "StringEquals": {
+ "StringLike": {
 "{{.AdditionalCloudFrontDomain}}:sub": "system:serviceaccount:*:{{.ServiceAccount}}"
 }
 }
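Review bot: The fixture now expects `StringLike`, but its subject is still the literal `system:serviceaccount:*:aws-load-balancer-controller`, so the case the commit exists for — a service-account name that itself contains a wildcard — is not exercised by this expectation. A second expectation rendered with a wildcard name (for example `aws-load-balancer-controller-*`, a constructed value) would pin the new behaviour rather than only the operator rename. Whether this literal is compared against the rendered template or used some other way is not visible here and would need confirming in the surrounding test. The enclosing `ALBControllerRoleInfo` literal starts and ends outside the hunk.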
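Review bot: With `StringLike`, the `*` in the namespace position of `system:serviceaccount:*:{{.ServiceAccount}}` now matches every namespace, so any namespace in the cluster that can create a service account with that name can assume the ALB controller role; under `StringEquals` this line could only ever have matched a literal `*` namespace, so the previous behaviour was effectively never-match rather than single-namespace, and the same pattern appears in the second hunk for `{{.AdditionalCloudFrontDomain}}:sub`. If the controller is expected to run in one namespace, binding that namespace in the rendered subject instead of `*` would keep the trust policy to least privilege; if a cluster-wide match is intended, a comment on the constant saying so would stop the next reader from tightening it by accident. `StringLike` also interprets `*` and `?` inside the rendered `{{.ServiceAccount}}` value as wildcards, which is the point of the commit, but it means the value is no longer matched literally; a comment such as `// ServiceAccount is matched with StringLike: * and ? in it are wildcards, not literal characters.` would make that contract explicit for callers. The `albControllerTrustIdentityPolicyIRSA` constant starts outside both hunks.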