I have an account structure like this:
- management (management account)
I am using AWS IAM IdentityCenter (IDC) to manage access to these accounts and so far, everything is working as expected. I have a permission set named `infra-admin`, an IdentityStore group named `global-infra-admin`, and account assignments for each of the accounts. The assignments are bound to built-in AWS IAM policies.
In a previous question I was able to figure out how to set up EKS access using IAM IdentityCenter roles.
The problem I have discovered is that in order to grant access into EKS, one needs an actual IAM role ARN, and while IAM IdentityCenter does create these roles in each account there is a binding for, there is no way to determine the IAM roles that exist per-account for a given permission set. As I'm doing everything in Terraform, and I need to grant access into EKS for each of these roles, I need the actual role ARNs, and I can't find a way to get these role ARNs from IdentityCenter APIs, CLI, or Terraform provider.
Since I have N AWS accounts and I will have M permission sets, determining these role ARNs is going to be an extremely tedious and error-prone process.
The best solution I have come up with is to do something like this:
```hcl
provider "aws" {
  alias = "mgmt"
}

provider "aws" {
  alias = "account_dev"
}

provider "aws" {
  alias = "prod"
}

# aws_iam_roles filters by regex via name_regex (there is no name_prefix
# argument); path_prefix limits the lookup to the reserved path that
# IdentityCenter provisions its roles into.
data "aws_iam_roles" "infra_admin_mgmt" {
  provider    = aws.mgmt
  name_regex  = "AWSReservedSSO_infra-admin_[a-f0-9]+"
  path_prefix = "/aws-reserved/sso.amazonaws.com/"
}

data "aws_iam_roles" "infra_admin_dev" {
  provider    = aws.account_dev
  name_regex  = "AWSReservedSSO_infra-admin_[a-f0-9]+"
  path_prefix = "/aws-reserved/sso.amazonaws.com/"
}

data "aws_iam_roles" "infra_admin_prod" {
  provider    = aws.prod
  name_regex  = "AWSReservedSSO_infra-admin_[a-f0-9]+"
  path_prefix = "/aws-reserved/sso.amazonaws.com/"
}
```
The only other alternative seems to be running an AWS CLI script to find these in a similar fashion.
Is there a way to determine the unique IAM role ARNs for each account in which the permission set is bound?
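The CLI-script alternative mentioned in the question, written out as an added example (not code from the question or from AWS): it parses the role names IdentityCenter provisions (`AWSReservedSSO_<permission-set>_<hex>` under the reserved `/aws-reserved/sso.amazonaws.com/` path) out of `list_roles` output and maps each account id to its role ARN for one permission set. `collect_sso_roles` assumes a boto3 session already bound to each account; the sample roles are constructed.

```python
import re

# IdentityCenter provisions one role per (account, permission set), named
# AWSReservedSSO_<permission-set-name>_<hex>; the hex suffix differs in every
# account, so the ARN cannot be predicted, only discovered.
SSO_ROLE_RE = re.compile(r"^AWSReservedSSO_(?P<permission_set>.+)_[a-f0-9]+$")
# Reserved IAM path for those roles, optionally followed by a region segment.
SSO_PATH_RE = re.compile(r"^/aws-reserved/sso\.amazonaws\.com/(?:[a-z0-9-]+/)?$")
SSO_PATH = "/aws-reserved/sso.amazonaws.com/"

def permission_set_role_arns(roles: list, permission_set: str) -> dict:
    """Map account id -> role ARN for one permission set. `roles` holds dicts
    shaped like iam.list_roles()["Roles"] (RoleName, Path, Arn), any accounts."""
    found = {}
    for role in roles:
        m = SSO_ROLE_RE.match(role["RoleName"])
        if not m or m.group("permission_set") != permission_set:
            continue  # other permission set, or not an SSO-style name
        if not SSO_PATH_RE.match(role["Path"]):
            continue  # look-alike name outside the reserved path: not IdentityCenter's
        account_id = role["Arn"].split(":")[4]
        if account_id in found:
            raise ValueError(f"two {permission_set} roles in account {account_id}")
        found[account_id] = role["Arn"]
    return found

def strip_role_path(arn: str) -> str:
    """EKS identity mappings reference the role ARN without its IAM path segment."""
    prefix, _, rest = arn.partition(":role/")
    return f"{prefix}:role/{rest.rsplit('/', 1)[-1]}"

def collect_sso_roles(session) -> list:
    """Live collector (assumes boto3): roles under the reserved path in the
    account `session` is bound to; call once per account, concatenate results."""
    pages = session.client("iam").get_paginator("list_roles").paginate(PathPrefix=SSO_PATH)
    return [r for page in pages for r in page["Roles"]]

# Constructed sample in list_roles shape, as if gathered from two accounts.
SAMPLE_ROLES = [
    {"RoleName": "AWSReservedSSO_infra-admin_0123456789abcdef", "Path": SSO_PATH,
     "Arn": f"arn:aws:iam::111111111111:role{SSO_PATH}AWSReservedSSO_infra-admin_0123456789abcdef"},
    {"RoleName": "AWSReservedSSO_infra-admin-ro_fedcba9876543210", "Path": SSO_PATH,
     "Arn": f"arn:aws:iam::111111111111:role{SSO_PATH}AWSReservedSSO_infra-admin-ro_fedcba9876543210"},
    {"RoleName": "AWSReservedSSO_infra-admin_00aa11bb22cc33dd", "Path": SSO_PATH + "us-east-1/",
     "Arn": f"arn:aws:iam::222222222222:role{SSO_PATH}us-east-1/AWSReservedSSO_infra-admin_00aa11bb22cc33dd"},
    {"RoleName": "AWSReservedSSO_infra-admin_0000000000000000", "Path": "/",
     "Arn": "arn:aws:iam::222222222222:role/AWSReservedSSO_infra-admin_0000000000000000"},
]
```

The path check is the part worth keeping whatever tooling you use: anything with `iam:CreateRole` in a member account can create a role whose name merely looks like an IdentityCenter one, and a name-only match would hand that role the EKS access meant for the permission set.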