This message was deleted.

I use Terraform for this. I would make a data structure that captures the account => permissions relationship like:

accounts = {
  account1 = {
    name = "account1"
    roles = [
      <map to rbac roles on the cluster>
    ]
  }
  account2...
  account3...
}

Then create two modules. The first one, you loop through to create IAM stuff in AWS, the second creates manifests to apply to k8s (you can use Helm here as well if you want, TF plays well with that too). Then anytime you add a new account you just modify the original data structure and run the TF code and everything gets provisioned.

We use AWS CDK to provision IAM role and other Infra resource.

Another thing to look into (especially with a multi-tenant environment) is to use virtual clusters. Then you don't have to worry about getting RBAC right nearly as much, and using something that enforces network policies to deny cross namespace talk, etc... all that will just be done by default.

Checkout https://codefresh.io/blog/a-comprehensive-overview-of-argo-cd-architectures-2023 for multi-clusters & argocd architecture You could use Crossplane to generate clusters (https://github.com/crossplane-contrib/provider-aws) to go all-in on Gitops, or do a mix of TF & Argo, up to you :) Note that fluxcd has a terraform controller (link) +1 for vcluster if it matches your use-case, the product is really great 👍

Hey @Malik Draz, Unfortunately I can’t provide too much technical details, but I can share that I know the founders of Argo and Crossplane have been working on some pretty neat integration and use cases, from working with the largest Financial institutions worldwide, to the largest beverage retailers, also worldwide. So, there’s some preety cool use cases we can discuss. Feel free to reach out to Hong Wang, or Nicholas Morey from Akuity for further details 🙂 There should be a white paper coming soon, but for now, a technical conversation could be useful. Best of luck!