feat: Add opt-in aws:SourceAccount condition to Karpenter node IAM role trust policy (#3695)

alien2003 · bryantbiggs · web-flow · commit 0515ad6d5188 · 2026-05-06T16:48:34.000-05:00
feat: Add opt-in aws:SourceAccount condition on Karpenter node IAM role trust policy Closes #3688 Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
diff --git a/modules/karpenter/README.md b/modules/karpenter/README.md
@@ -168,6 +168,7 @@ No modules.
 | <a name="input_node_iam_role_name"></a> [node\_iam\_role\_name](#input\_node\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
 | <a name="input_node_iam_role_path"></a> [node\_iam\_role\_path](#input\_node\_iam\_role\_path) | IAM role path | `string` | `"/"` | no |
 | <a name="input_node_iam_role_permissions_boundary"></a> [node\_iam\_role\_permissions\_boundary](#input\_node\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
+| <a name="input_node_iam_role_source_account_condition"></a> [node\_iam\_role\_source\_account\_condition](#input\_node\_iam\_role\_source\_account\_condition) | Whether to add an `aws:SourceAccount` condition to the node IAM role's trust policy, scoped to the current account | `bool` | `false` | no |
 | <a name="input_node_iam_role_tags"></a> [node\_iam\_role\_tags](#input\_node\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
 | <a name="input_node_iam_role_use_name_prefix"></a> [node\_iam\_role\_use\_name\_prefix](#input\_node\_iam\_role\_use\_name\_prefix) | Determines whether the Node IAM role name (`node_iam_role_name`) is used as a prefix | `bool` | `true` | no |
 | <a name="input_queue_kms_data_key_reuse_period_seconds"></a> [queue\_kms\_data\_key\_reuse\_period\_seconds](#input\_queue\_kms\_data\_key\_reuse\_period\_seconds) | The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again | `number` | `null` | no |
diff --git a/modules/karpenter/main.tf b/modules/karpenter/main.tf
@@ -340,6 +340,16 @@ data "aws_iam_policy_document" "node_assume_role" {
       type        = "Service"
       identifiers = [local.ec2_sp_name]
     }
+
+    dynamic "condition" {
+      for_each = var.node_iam_role_source_account_condition ? [1] : []
+
+      content {
+        test     = "StringEquals"
+        variable = "aws:SourceAccount"
+        values   = [local.account_id]
+      }
+    }
   }
 }
 
diff --git a/modules/karpenter/variables.tf b/modules/karpenter/variables.tf
@@ -306,6 +306,12 @@ variable "node_iam_role_additional_policies" {
   default     = {}
 }
 
+variable "node_iam_role_source_account_condition" {
+  description = "Whether to add an `aws:SourceAccount` condition to the node IAM role's trust policy, scoped to the current account"
+  type        = bool
+  default     = false
+}
+
 variable "node_iam_role_tags" {
   description = "A map of additional tags to add to the IAM role created"
   type        = map(string)

Original file line number	Diff line number	Diff line change
`@@ -340,6 +340,16 @@ data "aws_iam_policy_document" "node_assume_role" {`
`340`	`340`	`type = "Service"`
`341`	`341`	`identifiers = [local.ec2_sp_name]`
`342`	`342`	`}`
	`343`	`+`
	`344`	`+ dynamic "condition" {`
	`345`	`+ for_each = var.node_iam_role_source_account_condition ? [1] : []`
	`346`	`+`
	`347`	`+ content {`
	`348`	`+ test = "StringEquals"`
	`349`	`+ variable = "aws:SourceAccount"`
	`350`	`+ values = [local.account_id]`
	`351`	`+ }`
	`352`	`+ }`
`343`	`353`	`}`
`344`	`354`	`}`
`345`	`355`