# AWS Identity Matcher

AwsIdentityMatcher specifies matching workloads with AWS-specific identities.
For example, the following configuration will match any EC2 VM instance in account 123456789012, region ca-central-1 and zone ca-central-1b:

```yaml
partitions:
  - aws
accounts:
  - '123456789012'
regions:
  - ca-central-1
zones:
  - ca-central-1b
ec2: {}
```
The matcher can also be used to limit matching to VMs associated with a specific IAM role, as shown below:

```yaml
partitions:
  - aws
accounts:
  - '123456789012'
regions:
  - ca-central-1
zones:
  - ca-central-1b
ec2:
  iamRoleNames:
    - example-role
```
The following matcher will limit matching to ECS instances in the bookinfo cluster and with a specific IAM role:

```yaml
partitions:
  - aws
accounts:
  - '123456789012'
regions:
  - ca-central-1
zones:
  - ca-central-1b
ecs:
  clusters:
    - prod-cluster
  iamRoleNames:
    - example-role
```
## AwsIdentityMatcher

AwsIdentityMatcher specifies matching workloads with AWS-specific identities.
| Field | Description | Validation Rule |
|---|---|---|
| partitions | List of strings. Empty list means match any partition. See https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html | repeated = { |
| accounts | List of strings. Cannot be empty. See https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html | repeated = { |
| regions | List of strings. Empty list means match any region. See https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints | repeated = { |
| zones | List of strings. Empty list means match any availability zone. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html | repeated = { |
| ec2 | tetrateio.api.onboarding.authorization.aws.v1alpha1.Ec2InstanceMatcher. If present but empty, it matches any | oneof _kind |
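The following is an added illustration, not Tetrate's implementation, of how the matcher semantics described on this page combine: empty `partitions`, `regions` and `zones` lists match anything, `accounts` must be non-empty, and the `ec2`/`ecs` block is a oneof where an empty block matches any workload of that kind. The `Workload` shape and the `matches`/`validate` helpers are assumptions made for the example; the matcher dict mirrors the second YAML example above.

```python
# Added example modelling the documented matcher semantics (not Tetrate code).
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Workload:
    """Constructed stand-in for an AWS workload identity (hypothetical shape)."""
    partition: str
    account: str
    region: str
    zone: str
    kind: str                          # "ec2" or "ecs"
    iam_role_name: Optional[str] = None
    ecs_cluster: Optional[str] = None


def validate(matcher: dict) -> None:
    """Enforce the validation rules listed in the field table."""
    if not matcher.get("accounts"):
        raise ValueError("accounts cannot be empty")
    kinds = [k for k in ("ec2", "ecs") if k in matcher]
    if len(kinds) != 1:
        raise ValueError("exactly one of ec2 or ecs must be set (oneof _kind)")


def _in(values: List[str], actual: Optional[str]) -> bool:
    # An empty list means "match any"; otherwise the value must be listed.
    return not values or actual in values


def matches(matcher: dict, w: Workload) -> bool:
    """Return True when workload `w` satisfies every constraint in `matcher`."""
    validate(matcher)
    if not (_in(matcher.get("partitions", []), w.partition)
            and w.account in matcher["accounts"]          # accounts never match-any
            and _in(matcher.get("regions", []), w.region)
            and _in(matcher.get("zones", []), w.zone)):
        return False
    kind = "ec2" if "ec2" in matcher else "ecs"
    if w.kind != kind:
        return False
    spec = matcher[kind] or {}            # `ec2: {}` matches any EC2 instance
    if not _in(spec.get("iamRoleNames", []), w.iam_role_name):
        return False
    if kind == "ecs" and not _in(spec.get("clusters", []), w.ecs_cluster):
        return False
    return True


# Constructed matcher equivalent to the IAM-role EC2 example on this page.
ROLE_MATCHER = {
    "partitions": ["aws"], "accounts": ["123456789012"],
    "regions": ["ca-central-1"], "zones": ["ca-central-1b"],
    "ec2": {"iamRoleNames": ["example-role"]},
}
```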