Can't create iamserviceaccount with wildcard in the service account name

[kmcarol26]

What were you trying to accomplish?

I am trying to create an iamserviceaccount using a configuration file. The name of the service account is provider-aws-*. The * is required here since that is replaced with a release number. You can read more about why this is needed here, if you're interested.

What happened?

I get an error because the eksctl command tries to create a stack name with the service account name which has a * and that violates naming convention for the cloud formation stack name

How to reproduce it?

config.yaml

iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: provider-aws-*
        namespace: crossplane-system
      attachPolicyARNs:
        - "REDACTED"
      roleName: test-role
      roleOnly: true
Command used:

eksctl create iamserviceaccount --config-file="config.yaml" --approve --override-existing-serviceaccounts

Logs

2022-03-11 15:07:44 [ℹ] 1 error(s) occurred and IAM Role stacks haven't been updated properly, you may wish to check CloudFormation console 2022-03-11 15:07:44 [✖] creating CloudFormation stack "eksctl-test-cluster-addon-iamserviceaccount-crossplane-system-provider-aws-*": ValidationError: 1 validation error detected: Value 'eksctl-test-cluster-addon-iamserviceaccount-crossplane-system-provider-aws-*' at 'stackName' failed to satisfy constraint: Member must satisfy regular expression pattern: [a-zA-Z][-a-zA-Z0-9]* status code: 400, request id: d82a6797-3439-43c0-84d2-8b2351f4ddbe
Anything else we need to know?

macOS Catalina
Using eksctl installed via brew

Versions

$ eksctl info

eksctl info
eksctl version: 0.86.0
kubectl version: v1.23.2
OS: darwin

[Skarlso]

Hi @kmcarol26.

That guide is a bit misleading, but I believe the crossplane CLI will create that or something like that. You can see in the steps that the name is actually completely different and whatever you want. The crossplane CLI needs to create that. Please confirm.

[kmcarol26]

@Skarlso I don't see anywhere in the guide that the name is customizable. However I am currently enquiring with the Crossplane team if that's possible. Either way, is it safe to assume that there's no way we can achieve a Trust relationship that uses a StringLike condition that can be used for wildcard characters like the below?

      "Condition": {
        "StringLike": {
          "${OIDC_PROVIDER}:sub": "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:provider-aws-*"
        }
      }```

[Skarlso]

That trust relationship in that guide is created via the aws tool, not eksctl. eksctl doesn't create trust relationship connections.

[kmcarol26]

@Skarlso Yes, the guide does not create the role via eksctl but I am using eksctl's iamserviceaccounts to create an iamserviceaccount which will create an IAM role with the trust relationship. The below is the config file I used. I have used this for creating other roles with trust relationships as well, however this one has the wildcard(*) which does not work well with eksctl

  withOIDC: true
  serviceAccounts:
    - metadata:
        name: provider-aws-*
        namespace: crossplane-system
      attachPolicyARNs:
        - "REDACTED"
      roleName: test-role
      roleOnly: true
Command used:

[Skarlso]

so I'm talking about this:

If you used the install command above you should see a ServiceAccount in the output named provider-aws-*

This is saying that if you used the helm install command above you should have a name like that.

And the name of the role:

IAM_ROLE_NAME=provider-aws # name for IAM role, can be anything you want

So it can be anything like that. I'm not sure, this guide is super confusing about that name. Do they literally mean an asterix? We can't create that sadly, because that is an invalid name as you saw from the error message coming from AWS. And we use that name for the stack that is created. :/ we could potentially do something like, override, or something. But in that case, it would be difficult to find the associated role name. Because we rely on reproducably reconstructing names, like... we know the cluster name so there should be a thing with $CLUSTER_NAME-role or something like that, if that makes sense.

So in short, no, right now, it's not possible, sorry. :/

[kmcarol26]

@Skarlso The service account name will be of the regex format provider-aws-* where * is replaced with the release number. So for example provider-aws-11562 Since with every release the service account name will change, the Trust Relationship needs to use the StringLike condition as below:

"Condition": {
        "StringLike": {
          "${OIDC_PROVIDER}:sub": "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:provider-aws-*"
        }
      }

It does not look like crossplane helm chart has a way of overriding the service account name at the moment. What this means for us is that we have to use a script to create the role ( as mentioned in the doc) using aws tool but it would've been better if we could do it via the eksctl config file.
I understand from your previous comment that eksctl does not support this but it'd be good to have some override for the service account name and override StringLike instead of StringEquals. If that's not possible, thanks for looking into this :)

[Skarlso]

It's not NOT possible, but it's highly unlikely that we will allow that. 🤔 Because of the thing, I said, about how we discover resources. We expect them to be in a specific format so we can look them up later.

In any case, I'll put this issue into refinement and see what other team members think about it. Maybe I'm missing something. :)

[kmcarol26]

Thanks, appreciate you looking into it

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[github-actions]

This issue was closed because it has been stalled for 5 days with no activity.