Skip to content

feat(aws): activate IAM resources for the EKS CI identity #2564

Description

@devantler

🤖 Generated by the Daily AI Engineer

Problem

Platform#2326 cannot declare the GitHub OIDC provider and EKS CI role yet: the Upbound AWS provider uses SafeStart, so the two required namespaced IAM managed-resource definitions are inactive and the aws tenant ServiceAccount has no permission to apply them.

Proposed direction

Activate only OpenIDConnectProvider and Role for provider-aws-iam v2.6.1, then grant the aws ServiceAccount namespace-local CRUD for exactly those resources. The role can carry its least-privilege permissions as a managed inline policy, avoiding separate Policy and attachment CRDs. Keep the tenant artifact empty in this slice, so merging creates no AWS resources; the follow-up identity manifests remain the activation checkpoint.

Acceptance criteria

  • A dedicated AWS ManagedResourceActivationPolicy activates exactly the two namespaced IAM MRDs needed by platform#2326.
  • A namespaced Role and RoleBinding grant the aws ServiceAccount only those two resource kinds and standard reconciliation verbs.
  • Both local and prod overlays pass static validation; no AWS managed resource is added.
  • Comments make the dark/no-AWS-side-effect sequencing explicit.

Part of #2326.

Rough size: S.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    ✅ Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions