How to Use AWS IAM Role on AWS EKS PODs
A native-AWS way to attach an IAM role into the Kubernetes POD, without third-party software, reducing latency and improving your EKS security.
Join the DZone community and get the full member experience.Join For Free
How It Works
It’s possible to attach an IAM role in a Kubernetes POD without using third-party software, such as kube2iam and kiam. This is thanks to the integration between AWS IAM and Kubernetes ServiceAccount, following the approach of IAM Roles for Service Accounts (IRSA).
There are quite a few benefits of using IRSA with Kubernetes PODs.
- Granular restriction (per cluster, per namespace, etc.).
It’s also possible to not use it.
- More flexible than the other tools.
- One less point of failure (maybe a few less).
- Lesser resource consumption.
- More pods per node.
- Latency may reduce by ~50ms.
Especially for the first request.
- Prevent issues with caching the credentials.
This software takes a few minutes to update its cache.
- Better auditing.
Instead of checking the logs of kube2iam/kiam pods, you can check AWS CloudTrails.
- Easier to set up.
- AWS provides full support.
There are a few pre-requirements that you’ll need to attempt in order to use the IAM role in a POD.
- An IAM OpenID Connect provider pointing to the AWS EKS OpenID Connect provider URL.
- AWS EKS cluster 1.13 or above.
- A trust relationship between your IAM Role and the OpenID Provider.
There is no extra cost.
How to Setup
I didn’t add
terraform as pre-requirements, since you can do it via AWS Console too.
terraform, will set up the exact same thing (except for the IAM Policy that isn't created via
eksctl). These tools will do:
- Create an AWS OpenID Connect provider.
- Link the OIDC provider to the EKS OIDC URL.
- Create an IAM Role.
- Create an IAM Policy (only via terraform).
- Attach the IAM Policy to the IAM Role.
- Set up the Trust Relationship between the IAM Role and the OpenID Connect provider.
- Create a Kubernetes ServiceAccount.
Setting up With eksctl
Using eksctl may be easy for the first time, but it can be trick/hard to automate.
You can follow these scripts/steps:
01-verify_oidc.sh - here we'll just get the EKS OIDC endpoint and check if there is an OpenID Providers created. There is no change in this step.
You can check the 04-cleaning.sh in case you want to clean up; just be careful with it.
Setting With Terraform
I created a GitHub repository: LozanoMatheus/eks-oidc. It’s straightforward to adapt to the real scenario.
The main.tf: Here we'll define the TF code to create an OpenID Connect, an IAM Policy, an IAM Role, and a Kubernetes Service Account (plus attach the IAM role to the K8s Service Account):
The providers.tf: This code is to configure the TF providers:
The data.tf: This will get the state of your EKS cluster (in case you create it in another TF), get the EKS Cluster ID, and configure the IAM Policy (to allow you to use this policy inside of the EKS Cluster):
The vars.tf: This is the TF file that contains the variables used by the TF. It will define the AWS Region (
eu-west-1), set the Kubernetes namespace that the IAM Policy can be used, the IAM Role name, and the IAM Policy name.
The policies/s3_policy.json: This is the policy that will allow the interaction between the K8s POD and AWS APIs. In this case, I'm allowing the POD to get objects from a specific S3 bucket in a specific path:
The policies/role_trust_relationship.json.tmpl: This is a template file and it will allow the POD to use the IAM role:
Now you can create all the resources:
Published at DZone with permission of Matheus Lozano. See the original article here.
Opinions expressed by DZone contributors are their own.