# Enter your profile, region, and cluster name
export profile="default"
export region=""
export cluster_name=""
# (Do not edit) Declares some variables
export bucket_name=$cluster_name-kubecost
export account_id=$(aws sts get-caller-identity --query "Account" --output text --profile $profile)
export oidc_provider=$(aws eks describe-cluster --name $cluster_name --region $region --query "cluster.identity.oidc.issuer" --output text --profile $profile | sed -e "s/^https:\/\///")
export role_arn_name=$cluster_name-kubecost-role-arn
export namespace=kubecost
export service_account=kubecost-cost-analyzer
# Create s3 bucket to store spot data feed
aws s3api create-bucket \
--bucket $bucket_name \
--region $region \
--object-ownership ObjectWriter \
--profile $profile
# Subscribe to spot data feed
aws ec2 create-spot-datafeed-subscription \
--bucket $bucket_name \
--region $region \
--profile $profile
# Create IAM policy to access the s3 bucket
## Create policy.json
cat >policy.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SpotDataFeed",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:List*",
"s3:Get*"
],
"Resource": "arn:aws:s3:::$bucket_name*"
}
]
}
EOF
## Create policy
aws iam create-policy \
--policy-name SpotDataFeed \
--policy-document file://policy.json \
--profile $profile
# Create IAM role to assume the role as service account
## Create trust-relationship.json
cat >trust-relationship.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::$account_id:oidc-provider/$oidc_provider"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"$oidc_provider:aud": "sts.amazonaws.com",
"$oidc_provider:sub": "system:serviceaccount:$namespace:$service_account"
}
}
}
]
}
EOF
## Create role
aws iam create-role \
--role-name $role_arn_name \
--assume-role-policy-document file://trust-relationship.json \
--profile $profile
## Attach policy to role
aws iam attach-role-policy \
--role-name $role_arn_name \
--policy-arn=arn:aws:iam::$account_id:policy/SpotDataFeed \
--profile $profile
# Print the role ARN
echo "Role ARN: arn:aws:iam::$account_id:role/$role_arn_name"