{"id":38034503,"url":"https://github.com/redradrat/aws-iam-operator","last_synced_at":"2026-01-16T19:48:00.411Z","repository":{"id":43396440,"uuid":"248100211","full_name":"redradrat/aws-iam-operator","owner":"redradrat","description":"AWS IAM Operator for Kubernetes","archived":false,"fork":false,"pushed_at":"2024-01-07T14:08:24.000Z","size":267,"stargazers_count":33,"open_issues_count":13,"forks_count":7,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-05T17:42:30.494Z","etag":null,"topics":["aws","aws-iam","kubernetes","kubernetes-controller","kubernetes-operator"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/redradrat.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-03-18T00:15:09.000Z","updated_at":"2024-10-21T09:10:53.000Z","dependencies_parsed_at":"2022-07-08T21:00:37.945Z","dependency_job_id":"e05b57cf-3689-44d4-9118-952555084bf3","html_url":"https://github.com/redradrat/aws-iam-operator","commit_stats":null,"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"purl":"pkg:github/redradrat/aws-iam-operator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redradrat%2Faws-iam-operator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redradrat%2Faws-iam-operator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redradrat%2Faws-iam-operator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositorie
s/redradrat%2Faws-iam-operator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/redradrat","download_url":"https://codeload.github.com/redradrat/aws-iam-operator/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redradrat%2Faws-iam-operator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28481962,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-16T11:59:17.896Z","status":"ssl_error","status_checked_at":"2026-01-16T11:55:55.838Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-iam","kubernetes","kubernetes-controller","kubernetes-operator"],"created_at":"2026-01-16T19:48:00.347Z","updated_at":"2026-01-16T19:48:00.395Z","avatar_url":"https://github.com/redradrat.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS IAM Operator\n\nAn operator that enables AWS IAM management via Kubernetes custom resources.\n\n## Installation\n\n**CRD**\n\nThe CRDs can easily be applied to the cluster with kubectl:\n```shell script\nkubectl kustomize 'github.com/redradrat/aws-iam-operator/config/crd?ref=master' | kubectl apply -f -\n```\nor for a specific GITREF (e.g. 
branch, tag) with:\n```shell script\nkubectl kustomize 'github.com/redradrat/aws-iam-operator/config/crd?ref=GITREF' | kubectl apply -f -\n```\n\n**Controllers**\n\nThe controller deployment incl. RBAC \u0026 CRD can be applied to the cluster with kubectl:\n```shell script\nkubectl kustomize 'github.com/redradrat/aws-iam-operator/config/default?ref=master' | kubectl apply -f -\n```\n\n### Controller Manager Options\n\nThe controller manager has a couple of input options, which you can set as parameters on container startup.\n\n```yaml\n...\n    spec:\n      containers:\n      - command:\n        - /manager\n        args:\n        - --enable-leader-election # For HA setup\n        - --resource-prefix \"testcluster-\" # set a prefix to all created AWS resources (e.g. \"testcluster-\" -\u003e \"testcluster-user\")\n        - --oidc-provider-arn # OPTIONAL: allows setting an oidc provider arn for auto-injecting trust for roles\n        image: redradrat/aws-iam-operator:latest\n        name: manager\n```\n\n## Custom Resources\n\n* [Role](#Role)\n* [AssumeRolePolicy](#AssumeRolePolicy)\n* [Policy](#Policy)\n* [PolicyAttachment](#PolicyAttachment)\n* [User](#User)\n* [Group](#Group)\n\n### Role\n\nThe Role resource abstracts an AWS IAM Role.\n\nSetting an `assumeRolePolicy` or an `assumeRolePolicyRef` is **mandatory**.\nCreating a `ServiceAccount` resource is possible via `createServiceAccount`. 
The created ServiceAccount includes the EKS OIDC support annotation.\nWhen `addIRSAPolicy` is true, the controller will automatically add the trust policy for the OIDC provider given as a controller argument.\n\n```yaml\napiVersion: aws-iam.redradrat.xyz/v1beta1\nkind: Role\nmetadata:\n  name: role-sample\n  namespace: default\nspec:\n  # Either\n  assumeRolePolicyRef:\n    name: assumerolepolicy-sample\n    namespace: default\n  # OR\n  assumeRolePolicy:\n    - effect: \"Allow\"\n      principal:\n        \"Federated\": \"blabla\"\n      actions:\n        - \"sts:AssumeRoleWithWebIdentity\"\n      conditions:\n        \"StringEquals\":\n          \"blablabla\": \"system:serviceaccount:kube-system:aws-cluster-autoscaler\"\n  createServiceAccount: true\n  addIRSAPolicy: true\n  maxSessionDuration: 3600\n  # spec.awsRoleName takes precedence over metadata.name\n  awsRoleName: the-role\n```\n\nResulting `ServiceAccount`:\n```yaml\n❯ k get sa role-sample -o yaml\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  annotations:\n    eks.amazonaws.com/role-arn: arn:aws:iam::0000000000:role/role-sample\n  creationTimestamp: \"2020-02-30T00:25:61Z\"\n  name: role-sample\n  namespace: default\n  ownerReferences:\n  - apiVersion: aws-iam.redradrat.xyz/v1beta1\n    blockOwnerDeletion: true\n    controller: true\n    kind: Role\n    name: role-sample\n    uid: ...\n```\n\n### AssumeRolePolicy\n\nThe AssumeRolePolicy is an auxiliary resource for the `Role` resource. 
It provides a way to define a single trust policy for multiple roles.\n\n```yaml\napiVersion: aws-iam.redradrat.xyz/v1beta1\nkind: AssumeRolePolicy\nmetadata:\n  name: assumerolepolicy-sample\nspec:\n  statement:\n    - sid: someid\n      effect: \"Allow\"\n      principal:\n        \"Federated\": \"blabla\"\n      actions:\n        - \"xxxx:DescribeSomething\"\n      resources:\n        - \"*\"\n      conditions:\n        \"StringEquals\":\n          \"aws:SourceIp\": \"172.0.0.1\"\n```\n\n### Policy\n\nThe Policy resource abstracts an AWS IAM Policy.\n\nFor `conditions`, please check https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html for valid operators. Only single string values are allowed as comparison values. For keys, please check https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html\n\n```yaml\napiVersion: aws-iam.redradrat.xyz/v1beta1\nkind: Policy\nmetadata:\n  name: policy-sample\nspec:\n  statement:\n    - sid: someid\n      effect: \"Allow\"\n      actions:\n        - \"xxxx:DescribeSomething\"\n      resources:\n        - \"*\"\n      conditions:\n        \"StringEquals\":\n          \"aws:SourceIp\": \"172.0.0.1\"\n  # spec.awsPolicyName takes precedence over metadata.name\n  awsPolicyName: the-policy\n```\n\n### PolicyAttachment\n\nThe PolicyAttachment resource abstracts the attachment of an AWS IAM Policy to another AWS IAM Resource, e.g. 
Role (in the future maybe User, Group, etc.).\n\n```yaml\napiVersion: aws-iam.redradrat.xyz/v1beta1\nkind: PolicyAttachment\nmetadata:\n  name: policyattachment-sample\nspec:\n  policy:\n    name: policy-sample\n    namespace: default\n  target:\n    type: Role\n    name: role-sample\n    namespace: default\n```\n\n### User\n\nThe User resource abstracts an AWS IAM User.\n\nSetting `createLoginProfile` or `createProgrammaticAccess` is **optional**.\nCreating a `Secret` resource containing console login data is possible via `createLoginProfile`. The created secret includes the username and password.\nCreating a `Secret` resource containing programmatic access credentials is possible via `createProgrammaticAccess`. The created secret includes both the key ID and the secret.\n\n```yaml\napiVersion: aws-iam.redradrat.xyz/v1beta1\nkind: User\nmetadata:\n  name: user-sample\nspec:\n  createLoginProfile: true\n  createProgrammaticAccess: true\n```\n\nResulting `Secrets`:\n```yaml\n❯ k get secrets user-sample-login -o yaml\napiVersion: v1\ndata:\n  password: ...\n  username: ...\nkind: Secret\nmetadata:\n  name: user-sample-login\n  namespace: default\n  ownerReferences:\n  - apiVersion: aws-iam.redradrat.xyz/v1beta1\n    blockOwnerDeletion: true\n    controller: true\n    kind: User\n    name: user-sample\n    uid: 784d4ff5-377e-4172-a1cf-1b34387a3d6b\ntype: Opaque\n```\n```yaml\n❯ k get secret user-sample-accesskey -o yaml\napiVersion: v1\ndata:\n  id: ...\n  secret: ...\nkind: Secret\nmetadata:\n  name: user-sample-accesskey\n  namespace: default\n  ownerReferences:\n  - apiVersion: aws-iam.redradrat.xyz/v1beta1\n    blockOwnerDeletion: true\n    controller: true\n    kind: User\n    name: user-sample\ntype: Opaque\n```\n\n\n### Group\n\nThe Group resource abstracts an AWS IAM Group.\n\nAdding IAM Users to the group is possible via `users`. 
The referenced users need to be created via this operator.\n\n```yaml\napiVersion: aws-iam.redradrat.xyz/v1beta1\nkind: Group\nmetadata:\n  name: group-sample\nspec:\n  users:\n  - name: user-sample\n    namespace: default\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredradrat%2Faws-iam-operator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fredradrat%2Faws-iam-operator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredradrat%2Faws-iam-operator/lists"}