feat: Add opt-in aws:SourceAccount condition to Karpenter node IAM role trust policy (#3695)

feat: Add opt-in aws:SourceAccount condition on Karpenter node IAM role trust policy

Closes #3688

Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
2 people authored and GitHub committed May 6, 2026
1 parent 76f5a89 commit 0515ad6
Showing 3 changed files with 17 additions and 0 deletions.
1 change: 1 addition & 0 deletions modules/karpenter/README.md
@@ -168,6 +168,7 @@ No modules.
| <a name="input_node_iam_role_name"></a> [node\_iam\_role\_name](#input\_node\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
| <a name="input_node_iam_role_path"></a> [node\_iam\_role\_path](#input\_node\_iam\_role\_path) | IAM role path | `string` | `"/"` | no |
| <a name="input_node_iam_role_permissions_boundary"></a> [node\_iam\_role\_permissions\_boundary](#input\_node\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
| <a name="input_node_iam_role_source_account_condition"></a> [node\_iam\_role\_source\_account\_condition](#input\_node\_iam\_role\_source\_account\_condition) | Whether to add an `aws:SourceAccount` condition to the node IAM role's trust policy, scoped to the current account | `bool` | `false` | no |
| <a name="input_node_iam_role_tags"></a> [node\_iam\_role\_tags](#input\_node\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
| <a name="input_node_iam_role_use_name_prefix"></a> [node\_iam\_role\_use\_name\_prefix](#input\_node\_iam\_role\_use\_name\_prefix) | Determines whether the Node IAM role name (`node_iam_role_name`) is used as a prefix | `bool` | `true` | no |
| <a name="input_queue_kms_data_key_reuse_period_seconds"></a> [queue\_kms\_data\_key\_reuse\_period\_seconds](#input\_queue\_kms\_data\_key\_reuse\_period\_seconds) | The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again | `number` | `null` | no |
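Review bot: the new `node_iam_role_source_account_condition` row says what the option does but not why anyone would opt in; a README reader gets no hint that this is a confused-deputy guard that stops EC2 instances from another account from assuming the node role. This table carries terraform-docs anchors, so the wording should be changed at the source in `variables.tf` and the README regenerated rather than hand-edited here; the description should name the purpose and spell out that "current account" means the account the module's AWS provider is authenticated to.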
10 changes: 10 additions & 0 deletions modules/karpenter/main.tf
@@ -340,6 +340,16 @@ data "aws_iam_policy_document" "node_assume_role" {
type = "Service"
identifiers = [local.ec2_sp_name]
}

dynamic "condition" {
for_each = var.node_iam_role_source_account_condition ? [1] : []

content {
test = "StringEquals"
variable = "aws:SourceAccount"
values = [local.account_id]
}
}
}
}

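Review bot: `values = [local.account_id]` depends on a `local.account_id` that is not defined in this hunk; confirm it is derived from the same provider that creates the node role (a caller-identity lookup), because with aliased or cross-account providers the trust policy would pin the wrong account and EC2 would be refused `sts:AssumeRole` for every node. Two follow-ups worth noting: `aws:SourceAccount` only pins the account, and AWS's EC2 instance-role guidance pairs it with an `ArnLike` `aws:SourceArn` condition of the form `arn:aws:ec2:<region>:<account-id>:instance/*`, which would be a natural second opt-in variable; and a one-line comment above `dynamic "condition"` saying this is a confused-deputy guard would save the next reader a trip to the docs. The `var.node_iam_role_source_account_condition ? [1] : []` toggle on `for_each` is the idiomatic way to make the block optional.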
6 changes: 6 additions & 0 deletions modules/karpenter/variables.tf
@@ -306,6 +306,12 @@ variable "node_iam_role_additional_policies" {
default = {}
}

variable "node_iam_role_source_account_condition" {
description = "Whether to add an `aws:SourceAccount` condition to the node IAM role's trust policy, scoped to the current account"
type = bool
default = false
}

variable "node_iam_role_tags" {
description = "A map of additional tags to add to the IAM role created"
type = map(string)
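Review bot: the description of `node_iam_role_source_account_condition` should tell users whether flipping it from `false` to `true` is safe on a running cluster; as written, a cautious operator will assume it could lock out existing nodes. Since an instance profile can only be attached to instances in the role's own account, the condition never excludes a legitimately launched Karpenter node, and the description (or a CHANGELOG entry) should say so, along with the fact that `current account` is resolved from the provider's caller identity at plan time, not from the account that owns the cluster.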
