eksctl-io · cPu1 · May 1, 2020 · Jan 24, 2020 · Apr 30, 2020 · May 1, 2020
diff --git a/pkg/apis/eksctl.io/v1alpha5/iam.go b/pkg/apis/eksctl.io/v1alpha5/iam.go
@@ -39,6 +39,8 @@ type ClusterIAMServiceAccount struct {
 	PermissionsBoundary string `json:"permissionsBoundary,omitempty"`
 	// +optional
 	Status *ClusterIAMServiceAccountStatus `json:"status,omitempty"`
+	// +optional
+	Tags map[string]string `json:"tags,omitempty"`
 }
 
 // ClusterIAMServiceAccountStatus holds status of iamserviceaccount

diff --git a/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go b/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go
diff --git a/pkg/cfn/manager/iam.go b/pkg/cfn/manager/iam.go
@@ -26,9 +26,12 @@ func (c *StackCollection) createIAMServiceAccountTask(errs chan error, spec *api
 		return err
 	}
 
-	tags := map[string]string{api.IAMServiceAccountNameTag: spec.NameString()}
+	if spec.Tags == nil {
+		spec.Tags = make(map[string]string)
+	}
+	spec.Tags[api.IAMServiceAccountNameTag] = spec.NameString()
 
-	return c.CreateStack(name, stack, tags, nil, errs)
+	return c.CreateStack(name, stack, spec.Tags, nil, errs)
 }
 
 // DescribeIAMServiceAccountStacks calls DescribeStacks and filters out iamserviceaccounts

diff --git a/pkg/ctl/create/iamserviceaccount.go b/pkg/ctl/create/iamserviceaccount.go
@@ -45,6 +45,8 @@ func createIAMServiceAccountCmdWithRunFunc(cmd *cmdutils.Cmd, runFunc func(cmd *
 		fs.StringVar(&serviceAccount.Namespace, "namespace", "default", "namespace where to create the iamserviceaccount")
 		fs.StringSliceVar(&serviceAccount.AttachPolicyARNs, "attach-policy-arn", []string{}, "ARN of the policy where to create the iamserviceaccount")
 
+		fs.StringToStringVarP(&serviceAccount.Tags, "tags", "", map[string]string{}, `A list of KV pairs used to tag the IAM role (e.g. "Owner=John Doe,Team=Some Team")`)
+
 		fs.BoolVar(&overrideExistingServiceAccounts, "override-existing-serviceaccounts", false, "create IAM roles for existing serviceaccounts and update the serviceaccount")
 
 		cmdutils.AddIAMServiceAccountFilterFlags(fs, &cmd.Include, &cmd.Exclude)

diff --git a/userdocs/src/usage/iamserviceaccounts.md b/userdocs/src/usage/iamserviceaccounts.md
@@ -57,6 +57,12 @@ eksctl create iamserviceaccount --cluster=<clusterName> --name=s3-read-only --na
 
 If you have service account already created in the cluster (without an IAM Role), you will need to use `--override-existing-serviceaccounts` flag.
 
+Custom tagging may also be applied to the IAM Role by specifying `--tags`:
+
+```console
+eksctl create iamserviceaccount --cluster=<clusterName> --name=<serviceAccountName> --tags "Owner=John Doe,Team=Some Team"
+```
+
 Currently, to update a role you will need to re-create, run `eksctl delete iamserviceaccount` followed by `eksctl create iamserviceaccount` to achieve that.
 
 ### Usage with config files
@@ -90,6 +96,9 @@ iam:
       labels: {aws-usage: "application"}
     attachPolicyARNs:
     - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
+    tags:
+      Owner: "John Doe"
+      Team: "Some Team"
   - metadata:
       name: cache-access
       namespace: backend-apps

diff --git a/userdocs/src/usage/schema.md b/userdocs/src/usage/schema.md
@@ -111,6 +111,11 @@ ClusterIAMServiceAccount:
     status:
       $ref: '#/definitions/ClusterIAMServiceAccountStatus'
       $schema: http://json-schema.org/draft-04/schema#
+    tags:
+      patternProperties:
+        .*:
+          type: string
+      type: object
   type: object
 ClusterIAMServiceAccountStatus:
   additionalProperties: false