class ServiceAccount (construct)
| Language | Type name |
|---|---|
| .NET | Amazon.CDK.AWS.Eks.V2.Alpha.ServiceAccount |
| Go | github.com/aws/aws-cdk-go/awscdkeksv2alpha/v2#ServiceAccount |
| Java | software.amazon.awscdk.services.eks.v2.alpha.ServiceAccount |
| Python | aws_cdk.aws_eks_v2_alpha.ServiceAccount |
| TypeScript (source) | @aws-cdk/aws-eks-v2-alpha » ServiceAccount |
Implements
IConstruct, IDependable, IPrincipal, IGrantable
Service Account.
Example

```ts
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as eks from '@aws-cdk/aws-eks-v2-alpha';
import { KubectlV34Layer } from '@aws-cdk/lambda-layer-kubectl-v34';

// you can import an existing provider
const provider = eks.OidcProviderNative.fromOidcProviderArn(this, 'Provider', 'arn:aws:iam::123456:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/AB123456ABC');

// or create a new one using an existing issuer url
// (a distinct construct id is required; two constructs with the id 'Provider' in the same scope would fail synthesis)
declare const issuerUrl: string;
const provider2 = new eks.OidcProviderNative(this, 'Provider2', {
  url: issuerUrl,
});

// import the cluster, binding it to the OIDC provider that issues the service account tokens
const cluster = eks.Cluster.fromClusterAttributes(this, 'MyCluster', {
  clusterName: 'Cluster',
  openIdConnectProvider: provider,
  kubectlProviderOptions: {
    kubectlLayer: new KubectlV34Layer(this, 'kubectl'),
  },
});

// the service account is an IPrincipal, so grants target its linked IAM role rather than node credentials
const serviceAccount = cluster.addServiceAccount('MyServiceAccount');
const bucket = new s3.Bucket(this, 'Bucket');
bucket.grantReadWrite(serviceAccount);
```
Initializer

new ServiceAccount(scope: Construct, id: string, props: ServiceAccountProps)

Parameters
- scope: Construct
- id: string
- props: ServiceAccountProps
Construct Props
| Name | Type | Description |
|---|---|---|
| cluster | ICluster | The cluster to apply the patch to. |
| annotations? | { [string]: string } | Additional annotations of the service account. |
| identityType? | IdentityType | The identity type to use for the service account. |
| labels? | { [string]: string } | Additional labels of the service account. |
| name? | string | The name of the service account. |
| namespace? | string | The namespace of the service account. |
| overwriteServiceAccount? | boolean | Overwrite existing service account. |
| removalPolicy? | RemovalPolicy | The removal policy applied to the service account resources. |
cluster
Type:
ICluster
The cluster to apply the patch to.
annotations?
Type:
{ [string]: string }
(optional, default: no additional annotations)
Additional annotations of the service account.
identityType?
Type:
IdentityType
(optional, default: IdentityType.IRSA)
The identity type to use for the service account.
labels?
Type:
{ [string]: string }
(optional, default: no additional labels)
Additional labels of the service account.
name?
Type:
string
(optional, default: If no name is given, it will use the id of the resource.)
The name of the service account.
The name of a ServiceAccount object must be a valid DNS subdomain name. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
namespace?
Type:
string
(optional, default: "default")
The namespace of the service account.
All namespace names must be valid RFC 1123 DNS labels. https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#namespaces-and-dns
overwriteServiceAccount?
Type:
boolean
(optional, default: false)
Overwrite existing service account.
If this is set, we will use kubectl apply instead of kubectl create
when the service account is created. Otherwise, if there is already a service account
in the cluster with the same name, the operation will fail.
removalPolicy?
Type:
RemovalPolicy
(optional, default: RemovalPolicy.DESTROY)
The removal policy applied to the service account resources.
The removal policy controls what happens to the resources if they stop being managed by CloudFormation. This can happen in one of three situations:
- The resource is removed from the template, so CloudFormation stops managing it
- A change to the resource is made that requires it to be replaced, so CloudFormation stops managing it
- The stack is deleted, so CloudFormation stops managing all resources in it
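The name and namespace rules cited above decide whether the service account can exist at all, and together they form the subject claim that the role linked to the service account is pinned to under IRSA. The following is an added example, not code from the CDK library: it validates a name as a DNS subdomain and a namespace as an RFC 1123 label, applies the "default" namespace default from the props table, and builds the resulting trust-policy condition. The condition shape (`<issuer>:sub` and `<issuer>:aud` under StringEquals) is taken from AWS IRSA documentation and is an assumption about what the construct's role ends up with, not derived from its source.

```typescript
// Added example (not part of @aws-cdk/aws-eks-v2-alpha).
const DNS_LABEL = /^[a-z0-9]([-a-z0-9]*[a-z0-9])?$/;

// RFC 1123 DNS label: the rule a Kubernetes namespace name must satisfy.
function isValidDnsLabel(s: string): boolean {
  return s.length > 0 && s.length <= 63 && DNS_LABEL.test(s);
}

// DNS subdomain: the rule a ServiceAccount name must satisfy
// (dot-separated RFC 1123 labels, at most 253 characters in total).
function isValidDnsSubdomain(s: string): boolean {
  return s.length > 0 && s.length <= 253 && s.split('.').every(isValidDnsLabel);
}

interface ServiceAccountSpec {
  name: string;
  namespace?: string; // defaults to "default", as in the props table
}

// Reject values the API server would refuse before any IAM role is created,
// then return the subject claim that identifies exactly this service account.
function irsaSubject(spec: ServiceAccountSpec): string {
  const ns = spec.namespace ?? 'default';
  if (!isValidDnsSubdomain(spec.name)) {
    throw new Error(`invalid service account name: ${spec.name}`);
  }
  if (!isValidDnsLabel(ns)) {
    throw new Error(`invalid namespace: ${ns}`);
  }
  return `system:serviceaccount:${ns}:${spec.name}`;
}

// Trust-policy condition for the role linked to the service account.
// Assumption (AWS IRSA documentation, not the construct's source): pinning both
// the sub and aud claims is what keeps other pods on the cluster from assuming the role.
function irsaTrustCondition(issuerHost: string, spec: ServiceAccountSpec) {
  return {
    StringEquals: {
      [`${issuerHost}:sub`]: irsaSubject(spec),
      [`${issuerHost}:aud`]: 'sts.amazonaws.com',
    },
  };
}
```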
Properties
| Name | Type | Description |
|---|---|---|
| assumeRoleAction | string | When this Principal is used in an AssumeRole policy, the action to use. |
| grantPrincipal | IPrincipal | The principal to grant permissions to. |
| node | Node | The tree node. |
| policyFragment | Principal | Return the policy fragment that identifies this principal in a Policy. |
| role | IRole | The role which is linked to the service account. |
| serviceAccountName | string | The name of the service account. |
| serviceAccountNamespace | string | The namespace where the service account is located in. |
assumeRoleAction
Type:
string
When this Principal is used in an AssumeRole policy, the action to use.
grantPrincipal
Type:
IPrincipal
The principal to grant permissions to.
node
Type:
Node
The tree node.
policyFragment
Type:
Principal
Return the policy fragment that identifies this principal in a Policy.
role
Type:
IRole
The role which is linked to the service account.
serviceAccountName
Type:
string
The name of the service account.
serviceAccountNamespace
Type:
string
The namespace where the service account is located in.
Methods
| Name | Description |
|---|---|
| addToPolicy(statement) | Add to the policy of this principal. |
| addToPrincipalPolicy(statement) | Add to the policy of this principal. |
| toString() | Returns a string representation of this construct. |
addToPolicy(statement)
public addToPolicy(statement: PolicyStatement): boolean
⚠️ Deprecated: use addToPrincipalPolicy()
Parameters
- statement
PolicyStatement
Returns
boolean
Add to the policy of this principal.
addToPrincipalPolicy(statement)
public addToPrincipalPolicy(statement: PolicyStatement): AddToPrincipalPolicyResult
Parameters
- statement
PolicyStatement
Returns
AddToPrincipalPolicyResult
Add to the policy of this principal.
toString()
public toString(): string
Returns
string
Returns a string representation of this construct.