How to Use AWS IAM Role on AWS EKS PODs

How It Works

It’s possible to attach an IAM role in a Kubernetes POD without using third-party software, such as kube2iam and kiam. This is thanks to the integration between AWS IAM and Kubernetes ServiceAccount, following the approach of IAM Roles for Service Accounts (IRSA).

Attach IAM Role to the Kubernetes POD
Using an IAM Role in a Kubernetes POD

Benefits

There are quite a few benefits of using IRSA with Kubernetes PODs.

  • Granular restriction (per cluster, per namespace, etc.).
    It’s also possible to not use it.
  • More flexible than the other tools.
  • One less point of failure (maybe a few less).
  • Lesser resource consumption.
  • More pods per node.
  • Latency may reduce by ~50ms.
    Especially for the first request.
  • Prevent issues with caching the credentials.
    This software takes a few minutes to update its cache.
  • Better auditing.
    Instead of checking the logs of kube2iam/kiam pods, you can check AWS CloudTrails.
  • Easier to set up.
  • AWS provides full support.

Pre-requirements

There are a few pre-requirements that you’ll need to attempt in order to use the IAM role in a POD.

  • An IAM OpenID Connect provider pointing to the AWS EKS OpenID Connect provider URL.
  • AWS EKS cluster 1.13 or above.
  • A trust relationship between your IAM Role and the OpenID Provider.

Costs

There is no extra cost.


How to Setup

There a few ways to set up, I’ll share how to do it via eksctl and terraform.

I didn’t add eksctl and terraform as pre-requirements, since you can do it via AWS Console too.

Both tools eksctl or terraform, will set up the exact same thing (except for the IAM Policy that isn’t created via eksctl). These tools will do:

  • Create an AWS OpenID Connect provider.
  • Link the OIDC provider to the EKS OIDC URL.
  • Create an IAM Role.
  • Create an IAM Policy (only via terraform).
  • Attach the IAM Policy to the IAM Role.
  • Set up the Trust Relationship between the IAM Role and the OpenID Connect provider.
  • Create a Kubernetes ServiceAccount.

Setting up With eksctl

Using eksctl may be easy for the first time, but it can be trick/hard to automate.

You can follow these scripts/steps:

01-verify_oidc.sh – here we’ll just get the EKS OIDC endpoint and check if there is an OpenID Providers created. There is no change in this step.

02-setting_up.sh – On this step, we’ll create an OpenID provider (in case you need it) and then create a Kubernetes Service Account in your EKS Cluster.

03-deploy_pod.sh – Last but not least, here is an example of using the IAM Role in a POD by attaching a Service Account.

You can check the 04-cleaning.sh in case you want to clean up; just be careful with it.

Setting With Terraform

I created a GitHub repository: LozanoMatheus/eks-oidc. It’s straightforward to adapt to the real scenario.

The main.tf: Here we’ll define the TF code to create an OpenID Connect, an IAM Policy, an IAM Role, and a Kubernetes Service Account (plus attach the IAM role to the K8s Service Account):

The providers.tf: This code is to configure the TF providers:

The data.tf: This will get the state of your EKS cluster (in case you create it in another TF), get the EKS Cluster ID, and configure the IAM Policy (to allow you to use this policy inside of the EKS Cluster):

The vars.tf: This is the TF file that contains the variables used by the TF. It will define the AWS Region (eu-west-1), set the Kubernetes namespace that the IAM Policy can be used, the IAM Role name, and the IAM Policy name.

The policies/s3_policy.json: This is the policy that will allow the interaction between the K8s POD and AWS APIs. In this case, I’m allowing the POD to get objects from a specific S3 bucket in a specific path:

The policies/role_trust_relationship.json.tmpl: This is a template file and it will allow the POD to use the IAM role:

Now you can create all the resources:

This UrIoTNews article is syndicated fromDzone