DOM-45710 • Enable access to dev-aws-eks-dataplane (#98)

* allow superuser to assume control over the cluster * use unique names
dominodatalab · Jun 1, 2023 · 206c513 · 206c513
1 parent c35e45e
commit 206c513
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/submodules/eks/iam.tf b/submodules/eks/iam.tf
@@ -1,13 +1,22 @@
 data "aws_iam_policy_document" "eks_cluster" {
   statement {
-    sid     = "EKSClusterAssumeRole"
+    sid     = "EKSClusterAssumeRoleService"
     actions = ["sts:AssumeRole"]
 
     principals {
       type        = "Service"
       identifiers = ["eks.${local.dns_suffix}"]
     }
   }
+  statement {
+    sid     = "EKSClusterAssumeRoleUser"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${local.aws_account_id}:root"]
+    }
+  }
 }
 
 resource "aws_iam_role" "eks_cluster" {