AWS settings

We’d like to validate Approach B (AssumeRole + ExternalId) and make sure the AWS details we plan to share are sufficient for you to complete your end-to-end checks. Please confirm the following set is enough:

We will provide

  1. Role ARNs
    • VendorRepoPusher (ECR push/pull)
    • VendorEKSDeployer (EKS DescribeCluster)
      Both roles will trust your account via ExternalId.
  2. ExternalId (shared secret for AssumeRole).
  3. AWS Account ID (customer account) and Region: ap-northeast-1.
  4. ECR repository URIs for:
    • portal-api
    • cron-runner
  5. EKS cluster name (e.g., portal-dev).

Optional / later (not required for the initial role validation):

  • aws-auth mapping for kubectl access (we’ll map the VendorEKSDeployer role to a K8s group like vendor:portal:deployer and bind it in the portal namespace).
  • RDS endpoint/credentials or a Secrets Manager ARN (only needed when you run the app end-to-end).
  • Domain name and ACM certificate ARN (only if you need ALB + TLS for testing).

What you should be able to do with the above

  • Assume both roles with the provided ExternalId:
    • sts:AssumeRole → obtain temporary credentials.
  • ECR: authenticate and push/pull images to the provided repos.
  • EKS: run eks:DescribeCluster on the specified cluster (kubectl access will come after the aws-auth mapping step).

Quick validation commands (for your reference)

  • STS assume:
      aws sts assume-role \
        --role-arn <VendorRepoPusher ARN> \
        --role-session-name vendor-ecr \
        --external-id <ExternalId>
  • ECR login/push:
      aws ecr get-login-password --region ap-northeast-1 \
        | docker login --username AWS --password-stdin <ACCOUNT_ID>.dkr.ecr.ap-northeast-1.amazonaws.com
      docker push <ACCOUNT_ID>.dkr.ecr.ap-northeast-1.amazonaws.com/portal-api:<tag>
  • EKS describe:
      aws eks describe-cluster --name <EKS_CLUSTER_NAME> --region ap-northeast-1
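As an added example (not part of the original message or of either party's tooling), this is the trust-policy shape that "both roles will trust your account via ExternalId" implies for VendorRepoPusher and VendorEKSDeployer, together with a pre-deployment check the customer side can run over a trust policy before the ARNs are shared. The vendor account ID is a placeholder and the ExternalId is generated locally; both are assumptions.

```python
import json
import secrets

# Placeholders (assumptions, not values from the message): the vendor's AWS
# account that will call AssumeRole, and the ExternalId the customer issues.
VENDOR_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = secrets.token_urlsafe(32)  # long random value, never a guessable name

def trust_policy(vendor_account_id: str, external_id: str) -> dict:
    """Trust policy for VendorRepoPusher / VendorEKSDeployer: only the vendor
    account may assume the role, and only when it presents the ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def trust_policy_findings(policy: dict, vendor_account_id: str) -> list:
    """Review an AssumeRole trust policy before it is deployed. Returns a list of
    problems (empty list = acceptable): wildcard principal, principal outside the
    expected vendor account, or no sts:ExternalId condition (confused deputy)."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS", "") if isinstance(principal, dict) else principal
        if principal == "*" or aws_principal == "*":
            findings.append("wildcard principal: any AWS account may attempt AssumeRole")
        elif f":{vendor_account_id}:" not in str(aws_principal):
            findings.append(f"principal {aws_principal!r} is not the expected vendor account")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("no sts:ExternalId condition: confused-deputy protection is missing")
        elif len(str(external_id)) < 16:
            findings.append("sts:ExternalId is short enough to be guessed")
    return findings

if __name__ == "__main__":
    policy = trust_policy(VENDOR_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, VENDOR_ACCOUNT_ID))
```

The same check can be run over the trust policy returned by aws iam get-role before the role is handed to the vendor for the STS assume test above.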

Please confirm

  • Is the above information sufficient for you to validate AssumeRole + ECR push/pull + EKS Describe?
  • Do you need anything else (e.g., a longer session duration for the roles, specific repository names beyond portal-*, VPC endpoints/allowlists, or any other detail)?

We’ll share the Role ARNs and ExternalId via a secure channel.
Thanks!

