@csantanapr
Created March 6, 2026 22:45
KRO ACK PodIdentity S3 Demo
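---
# Instance of the PodIdentityS3 kind that the ResourceGraphDefinition below defines.
# It can only be admitted once the RGD has been reconciled and the
# example.com/v1alpha1 PodIdentityS3 CRD that kro generates from its schema exists.
apiVersion: example.com/v1alpha1
kind: PodIdentityS3
metadata:
  name: s3-test
  namespace: default
spec:
  # Base name for the bucket, role, ServiceAccount, association and Job.
  appName: s3-test
  # Must be the real EKS cluster name; the PodIdentityAssociation is created
  # against it. spec.namespace is omitted, so the schema default ("default") applies.
  clusterName: saas-data-plane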
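---
# kro ResourceGraphDefinition. For each PodIdentityS3 instance it creates, via ACK:
# an S3 bucket, an IAM role trusted by EKS Pod Identity with an inline policy scoped
# to that bucket, a ServiceAccount, the PodIdentityAssociation binding them, and a
# one-shot Job that writes, reads back and deletes a test object in the bucket.
apiVersion: kro.run/v1alpha1
kind: ResourceGraphDefinition
metadata:
  name: pod-identity-s3
spec:
  schema:
    apiVersion: v1alpha1
    kind: PodIdentityS3
    group: example.com
    spec:
      appName: string
      # Namespace for every namespaced resource in the graph.
      namespace: "string | default=default"
      # Must match the EKS cluster name; consumed by the PodIdentityAssociation.
      clusterName: "string | default=my-eks-cluster"
  resources:
    - id: s3Bucket
      readyWhen:
        - ${s3Bucket.status.conditions.exists(x, x.type == 'ACK.ResourceSynced' && x.status == "True")}
      template:
        apiVersion: s3.services.k8s.aws/v1alpha1
        kind: Bucket
        metadata:
          name: ${schema.spec.appName}
          namespace: ${schema.spec.namespace}
        spec:
          # Bucket names are global; the suffix is seeded from the instance UID so it is
          # stable across reconciles but unlikely to collide with other instances.
          name: ${schema.spec.appName}-${random.seededString(6, schema.metadata.uid)}

    - id: iamRole
      readyWhen:
        - ${iamRole.status.conditions.exists(x, x.type == 'ACK.ResourceSynced' && x.status == "True")}
      template:
        apiVersion: iam.services.k8s.aws/v1alpha1
        kind: Role
        metadata:
          name: ${schema.spec.appName}-role
          namespace: ${schema.spec.namespace}
        spec:
          name: ${schema.spec.appName}-role
          # Trust policy: only the EKS Pod Identity service principal may assume (and tag)
          # sessions for this role.
          # NOTE(review): with no Condition block, presumably any Pod Identity association
          # in the same account can use this role. AWS supports aws:SourceAccount /
          # aws:SourceArn conditions on this principal to pin the trust to one cluster;
          # add them (your account id and the cluster ARN) before using this outside a demo.
          assumeRolePolicyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
                  "Effect": "Allow",
                  "Principal": {
                    "Service": "pods.eks.amazonaws.com"
                  },
                  "Action": [
                    "sts:AssumeRole",
                    "sts:TagSession"
                  ]
                }
              ]
            }
          inlinePolicies:
            # Least privilege: object read/write/delete plus ListBucket, scoped to the bucket
            # created above. ListBucket applies to the bucket ARN, the object actions to
            # its keys (the "/*" ARN); nothing else in the account is reachable.
            s3-access: |
              {
                "Version": "2012-10-17",
                "Statement": [
                  {
                    "Effect": "Allow",
                    "Action": [
                      "s3:PutObject",
                      "s3:GetObject",
                      "s3:DeleteObject",
                      "s3:ListBucket"
                    ],
                    "Resource": [
                      "arn:aws:s3:::${s3Bucket.spec.name}",
                      "arn:aws:s3:::${s3Bucket.spec.name}/*"
                    ]
                  }
                ]
              }

    - id: serviceAccount
      template:
        apiVersion: v1
        kind: ServiceAccount
        metadata:
          name: ${schema.spec.appName}-sa
          namespace: ${schema.spec.namespace}

    - id: podIdentityAssociation
      readyWhen:
        - ${podIdentityAssociation.status.conditions.exists(x, x.type == 'ACK.ResourceSynced' && x.status == "True")}
      template:
        apiVersion: eks.services.k8s.aws/v1alpha1
        kind: PodIdentityAssociation
        metadata:
          name: ${schema.spec.appName}-pia
          namespace: ${schema.spec.namespace}
        spec:
          clusterName: ${schema.spec.clusterName}
          namespace: ${schema.spec.namespace}
          serviceAccount: ${serviceAccount.metadata.name}
          roleRef:
            from:
              name: ${iamRole.metadata.name}

    - id: job
      template:
        apiVersion: batch/v1
        kind: Job
        metadata:
          name: ${schema.spec.appName}
          namespace: ${schema.spec.namespace}
        spec:
          # A failed run is a test failure; do not retry it.
          backoffLimit: 0
          template:
            metadata:
              labels:
                app: ${schema.spec.appName}
                pod-identity: enabled
            spec:
              restartPolicy: Never
              # Taken from the association rather than the ServiceAccount directly, which
              # presumably also makes kro wait for the association to be ready first.
              serviceAccountName: ${podIdentityAssociation.spec.serviceAccount}
              # NOTE(review): no pod/container securityContext is set and the Job never talks
              # to the Kubernetes API. For anything beyond a demo consider
              # automountServiceAccountToken: false (the projected token below is declared
              # explicitly and is unaffected), allowPrivilegeEscalation: false and dropping
              # capabilities; readOnlyRootFilesystem would need an emptyDir for /tmp.
              containers:
                - name: s3-test
                  # NOTE(review): mutable tag. Pin to a released version or an @sha256 digest
                  # so the image cannot drift underneath the test.
                  image: amazon/aws-cli:latest
                  command:
                    - /bin/bash
                    - -c
                    - |
                      # Fail on any error, unset variable, or failed stage of a pipeline.
                      set -euo pipefail
                      echo "=== Writing test file to s3://$BUCKET/test.txt ==="
                      echo "Hello from KRO Pod Identity S3 test!" | aws s3 cp - "s3://$BUCKET/test.txt"
                      echo "=== Reading test file back ==="
                      aws s3 cp "s3://$BUCKET/test.txt" /tmp/test.txt
                      echo "=== Cat file content ==="
                      cat /tmp/test.txt
                      echo "=== Deleting test file from bucket ==="
                      aws s3 rm "s3://$BUCKET/test.txt"
                      echo "=== S3 Pod Identity test completed successfully! ==="
                  env:
                    - name: BUCKET
                      value: ${s3Bucket.spec.name}
                    - name: AWS_STS_REGIONAL_ENDPOINTS
                      value: regional
                    - name: AWS_REGION
                      value: ${podIdentityAssociation.status.ackResourceMetadata.region}
                    # The SDK fetches credentials from the EKS Pod Identity Agent's link-local
                    # endpoint, presenting the projected ServiceAccount token mounted below.
                    # These two variables and the volume are what the Pod Identity webhook
                    # normally injects; here they are set explicitly.
                    - name: AWS_CONTAINER_CREDENTIALS_FULL_URI
                      value: http://169.254.170.23/v1/credentials
                    - name: AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE
                      value: /var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token
                  volumeMounts:
                    - mountPath: /var/run/secrets/pods.eks.amazonaws.com/serviceaccount
                      name: eks-pod-identity-token
                      readOnly: true
              volumes:
                - name: eks-pod-identity-token
                  projected:
                    defaultMode: 420  # 0644
                    sources:
                      - serviceAccountToken:
                          # Audience-bound token: only accepted by the Pod Identity service.
                          audience: pods.eks.amazonaws.com
                          # Token lifetime in seconds (~22.4 h); keep it as short as the Job needs.
                          expirationSeconds: 80742
                          path: eks-pod-identity-token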