
Combining IRSA policies to get around the 15 policy limit

This article explains how to work around the 15 policy limit on AWS "IAM roles for Service Accounts" (IRSA).

For background on IRSA, see IAM roles for Kubernetes Service Accounts.

Each Cloud Platform module (SQS, S3 and so on) exposes its own IAM policy, so an IRSA that needs access to more than 15 such resources would exceed the limit on attached policies. You can stay within the limit by combining policies that grant the same actions into a single policy.

As an alternative, consider creating a second IRSA and attaching the new permissions to that. This is the better option when several applications in your namespace need different permissions, because each application then gets a role carrying only the permissions it actually uses.

Please note that this change will cause your application to lose permissions for a short period: the existing policies appear to be detached before the combined policy is attached. Plan the change for a time when a brief loss of access is acceptable.

Before:

Here is an example of an IRSA with some policies which can be combined. We will combine the SQS policies. They are suitable for combination because they are all generated from the default policy in the SQS module, so they grant the same set of actions, each scoped to its own queue.

After:

1. Create a combined policy and policy document

Cloud Platform modules expose an output called irsa_policy_arn. The module's source is declared at the top of your module definition; in this case it looks like: source = "github.com/ministryofjustice/cloud-platform-terraform-sqs?ref=5.0.0"

The module's main.tf contains an IAM policy document listing the actions that need to be granted. Duplicate those actions in your combined policy document, and scope the statement to the ARNs of the queues the separate policies covered, so the combined policy grants no more than the policies it replaces.

2. Replace the existing policies in your IRSA with the new combined policy
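The two steps above carried through in Terraform, as an added example rather than the page's own Before/After code. The module instance names (sqs_orders, sqs_audit, sqs_dlq, s3_bucket, irsa), the SQS module output sqs_arn, the IRSA module inputs shown, and the action list are assumptions: check the input and output names against the module versions you pin, and copy the action list from the policy document in the SQS module's main.tf rather than from here.

```hcl
# Added example (not Cloud Platform code): replace three module-generated SQS
# policies on an IRSA with one combined policy.
# Assumed: module names below are hypothetical; the SQS module output
# "sqs_arn" and the IRSA module inputs are assumed to match your pinned refs;
# the action list is illustrative and must be copied from the SQS module's
# main.tf at the ref you use.

data "aws_iam_policy_document" "combined_sqs" {
  statement {
    sid    = "CombinedSQS"
    effect = "Allow"

    # Copy these verbatim from the policy document in the SQS module's main.tf.
    actions = [
      "sqs:SendMessage",
      "sqs:ReceiveMessage",
      "sqs:DeleteMessage",
      "sqs:GetQueueAttributes",
      "sqs:GetQueueUrl",
      "sqs:ChangeMessageVisibility",
    ]

    # One ARN per queue the separate policies covered. Never widen this to "*":
    # the combined policy must grant no more than the policies it replaces.
    resources = [
      module.sqs_orders.sqs_arn,
      module.sqs_audit.sqs_arn,
      module.sqs_dlq.sqs_arn,
    ]
  }
}

resource "aws_iam_policy" "combined_sqs" {
  name   = "${var.namespace}-combined-sqs"
  policy = data.aws_iam_policy_document.combined_sqs.json
}

module "irsa" {
  source = "github.com/ministryofjustice/cloud-platform-terraform-irsa?ref=2.0.0" # keep the ref you already pin

  # Inputs assumed unchanged from the existing IRSA definition.
  eks_cluster_name     = var.eks_cluster_name
  namespace            = var.namespace
  service_account_name = "my-app"

  business_unit          = var.business_unit
  application            = var.application
  is_production          = var.is_production
  team_name              = var.team_name
  environment_name       = var.environment
  infrastructure_support = var.infrastructure_support

  # Before: one entry per SQS module, e.g.
  #   sqs_orders = module.sqs_orders.irsa_policy_arn
  #   sqs_audit  = module.sqs_audit.irsa_policy_arn
  #   sqs_dlq    = module.sqs_dlq.irsa_policy_arn
  # After: the three entries collapse into one attached policy.
  role_policy_arns = {
    sqs = aws_iam_policy.combined_sqs.arn
    s3  = module.s3_bucket.irsa_policy_arn # unrelated policies stay as they were
  }
}
```

Run terraform plan before applying and confirm that the only changes to the IRSA role are the detachment of the old SQS policies and the attachment of the new one; any other diff means an input name above does not match your module version. Remember that the detach happens before the attach, so the application briefly loses SQS access during the apply.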

Last reviewed: 28 February 2025
Review status: Review overdue
Owner: #cloud-platform