Create IAM Service Accounts in a single CloudFormation stack
Why do you want this feature?
As much as I am a fan of CloudFormation layered microstacks, creating a separate CF stack for every IAM service account - for just one isolated resource - seems unnecessary. It means each eksctl cluster can leap from a dozen stacks per cluster to 50-100 stacks per cluster. That means you hit the AWS default stack limit of 200 after only 2-3 eksctl clusters. Users with large clusters will probably need an increased CF stack limit for just one cluster due to this.
While it is OK to create an IAM role for e.g. the S3 bucket a Pod needs, creating a CF stack for every Pod that needs an S3 bucket seems - to me - excessive 😄
What feature/behavior/change do you want?
eksctl should generate all the 'serviceAccount' entries in the eksctl config file as one CF stack. CF will add/remove/update those service accounts as required.
This probably requires some extra legwork for the eksctl create/delete iamserviceaccount command. However, the command line commands can easily patch the iamserviceaccount CF stack JSON using the service account name to insert/remove entries and update the stack.
If there is some reason I don't understand that requires IAM Service Accounts to be separate, then why create stacks at all? There are no imports or exports, no resources that reference other resources, just a single resource with all hard-coded values. So the create/delete could just directly create/delete roles, as eksctl could assume the specified role to do that.
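A sketch of the proposal above, as an added example that is not eksctl's code: every serviceAccount entry becomes one `AWS::IAM::Role` in a single template, keyed by a deterministic logical ID so the CLI can insert or remove a role by service account name and let CloudFormation update only what changed. The OIDC provider, account ID and the entry shape (`namespace`, `name`, `attachPolicyARNs`) are constructed assumptions.

```python
# Constructed placeholders: a real cluster's OIDC issuer and account ID come
# from the cluster itself; these values are not real identifiers.
OIDC_PROVIDER = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
OIDC_PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{OIDC_PROVIDER}"

def logical_id(namespace: str, name: str) -> str:
    """Deterministic logical ID so add/remove can locate a role by SA name."""
    return "Role" + "".join(c for c in f"{namespace}-{name}".title() if c.isalnum())

def role_resource(namespace: str, name: str, policy_arns: list) -> dict:
    """One AWS::IAM::Role whose trust policy admits only the web-identity token
    of this exact service account (the IRSA 'sub' condition): one role per Pod
    identity, no shared trust between service accounts in the same stack."""
    return {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Principal": {"Federated": OIDC_PROVIDER_ARN},
                    "Action": "sts:AssumeRoleWithWebIdentity",
                    "Condition": {"StringEquals": {
                        f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com",
                        f"{OIDC_PROVIDER}:sub": f"system:serviceaccount:{namespace}:{name}",
                    }},
                }],
            },
            "ManagedPolicyArns": list(policy_arns),
        },
    }

def build_template(service_accounts: list) -> dict:
    """Render every serviceAccount entry into one template, i.e. one stack."""
    template = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {}}
    for sa in service_accounts:
        upsert_service_account(template, sa["namespace"], sa["name"], sa["attachPolicyARNs"])
    return template

def upsert_service_account(template: dict, namespace: str, name: str, policy_arns: list) -> dict:
    """Add or replace one role in place; a stack update diffs the rest."""
    template["Resources"][logical_id(namespace, name)] = role_resource(namespace, name, policy_arns)
    return template

def remove_service_account(template: dict, namespace: str, name: str) -> dict:
    """Drop one role; the next stack update deletes only that resource."""
    template["Resources"].pop(logical_id(namespace, name), None)
    return template
```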
Is there any update on this please?
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue hasn't mysteriously solved itself.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue hasn't mysteriously solved itself.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue hasn't mysteriously solved itself.
There has been one improvement in this area. It used to be that modifying an IAM Service Account required deleting and recreating the CFN stack. This was bad because it broke cross-account permissions. This is fixed now and eksctl can modify IAM Service Account stacks in place.
This new update-stack capability might make it easier to address this issue and move to have one stack for all IAM service accounts for a cluster, rather than one stack per account?
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue hasn't mysteriously solved itself.
@whereisaaron - One stack for all IAM service accounts which were created using eksctl? And it will update the same stack subsequently?
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
@anuj0701 No, I think that the change was simply that it can update the one-stack-per-IAM Service Account. The same mechanism would be needed to implement this improvement, but it hasn't been done yet.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue hasn't solved itself.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue was closed because it has been stalled for 5 days with no activity.
Looks like the bot won. You gave it a good shot @TBBle!