ServiceAccount

class aws_cdk.aws_eks.ServiceAccount(scope, id, *, cluster, annotations=None, labels=None, name=None, namespace=None)

Bases: Construct

Service Account.

ExampleMetadata:: infused

Example:

# or create a new one using an existing issuer url
# issuer_url: str
# you can import an existing provider
provider = eks.OpenIdConnectProvider.from_open_id_connect_provider_arn(self, "Provider", "arn:aws:iam::123456:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/AB123456ABC")
provider2 = eks.OpenIdConnectProvider(self, "Provider",
    url=issuer_url
)

cluster = eks.Cluster.from_cluster_attributes(self, "MyCluster",
    cluster_name="Cluster",
    open_id_connect_provider=provider,
    kubectl_role_arn="arn:aws:iam::123456:role/service-role/k8sservicerole"
)

service_account = cluster.add_service_account("MyServiceAccount")

bucket = s3.Bucket(self, "Bucket")
bucket.grant_read_write(service_account)

Parameters:

scope (Construct) –
id (str) –
cluster (ICluster) – The cluster to apply the patch to.
annotations (Optional[Mapping[str, str]]) – Additional annotations of the service account. Default: - no additional annotations
labels (Optional[Mapping[str, str]]) – Additional labels of the service account. Default: - no additional labels
name (Optional[str]) – The name of the service account. The name of a ServiceAccount object must be a valid DNS subdomain name. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ Default: - If no name is given, it will use the id of the resource.
namespace (Optional[str]) – The namespace of the service account. All namespace names must be valid RFC 1123 DNS labels. https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#namespaces-and-dns Default: “default”

Methods

add_to_principal_policy(statement)

Add to the policy of this principal.

Parameters:

statement (PolicyStatement) –

Return type:

AddToPrincipalPolicyResult

to_string()

Returns a string representation of this construct.

Return type:: str

Attributes

assume_role_action: When this Principal is used in an AssumeRole policy, the action to use.

grant_principal: The principal to grant permissions to.

node: The tree node.

policy_fragment: Return the policy fragment that identifies this principal in a Policy.

role: The role which is linked to the service account.

service_account_name: The name of the service account.

service_account_namespace: The namespace where the service account is located in.

Static Methods

classmethod is_construct(x)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

Parameters:: x (Any) – Any object.
Return type:: bool
Returns:: true if x is an object created from a class which extends Construct.