

fix service account namespace in oidc trust policy injection
redradrat committed Oct 23, 2022
1 parent b56ff2b commit d9a97b1
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion controllers/role_controller.go
Expand Up @@ -267,7 +267,7 @@ func getPolicyDoc(role *iamv1beta1.Role, oidcProviderARN string, c client.Client
resourceWithoutType := strings.SplitAfterN(arn.Resource, "/", 2)[1]
conditions := make(map[iamv1beta1.PolicyStatementConditionKey]string)
conditions[iamv1beta1.PolicyStatementConditionKey(fmt.Sprintf("%s:aud", resourceWithoutType))] = "sts.amazonaws.com"
conditions[iamv1beta1.PolicyStatementConditionKey(fmt.Sprintf("%s:sub", resourceWithoutType))] = fmt.Sprintf("system:serviceaccount:aws:%s", role.Name)
conditions[iamv1beta1.PolicyStatementConditionKey(fmt.Sprintf("%s:sub", resourceWithoutType))] = fmt.Sprintf("system:serviceaccount:%s:%s", role.Namespace, role.Name)

statement = append(statement, iamv1beta1.AssumeRolePolicyStatementEntry{
PolicyStatementEntry: iamv1beta1.PolicyStatementEntry{
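Review bot: The corrected `:sub` condition is the only thing binding this trust policy to one Kubernetes identity, yet nothing in the commit pins it; a table test on getPolicyDoc asserting the value `system:serviceaccount:<namespace>:<name>` for a Role with a non-default namespace would keep it from regressing to a hardcoded namespace again. A short comment above the condition would also help the next reader, e.g. `// IRSA subject claim: scoping to role.Namespace keeps an identically named ServiceAccount in another namespace from assuming this role.` Assuming the statement is emitted with StringEquals (the operator is set outside this hunk and not visible here), an unset Namespace yields `system:serviceaccount::<name>`, which matches no ServiceAccount and silently produces an unassumable role; an early `if role.Namespace == "" { return ..., fmt.Errorf("role %q has no namespace", role.Name) }` would surface that. Separately, the context line `strings.SplitAfterN(arn.Resource, "/", 2)[1]` indexes without checking that the OIDC provider ARN's resource part contains a `/`, so a malformed oidcProviderARN panics the reconciler rather than returning an error. getPolicyDoc begins before this hunk and continues after it.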

