Matheus Lozano

How to use AWS IAM role on AWS EKS PODs

A native AWS way to attach an IAM role to a Kubernetes pod, without third-party software

(Figure: using an IAM role in a Kubernetes pod)

Replica: https://lozanomatheus.medium.com/5e9e7bb1de9a?source=friends_link&sk=4703252173e37c992d871277967d59c7


How it works

It’s possible to attach an IAM role to a Kubernetes pod without third-party software such as kube2iam or kiam, thanks to the integration between AWS IAM and Kubernetes ServiceAccounts known as IAM Roles for Service Accounts (IRSA). In short: the cluster’s OIDC issuer is registered in IAM as an identity provider, the IAM role’s trust policy allows that provider for one specific ServiceAccount (namespace plus name), and the ServiceAccount is annotated with the role ARN. EKS then projects a signed ServiceAccount token into the pod and sets AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, so the AWS SDK exchanges that token for temporary credentials via sts:AssumeRoleWithWebIdentity. No node-level agent holds or proxies credentials on behalf of every pod.


Benefits

There are quite a few benefits of using IRSA with Kubernetes pods.

  • Granular restriction (per cluster, per namespace, per ServiceAccount). It is also opt-in: pods whose ServiceAccount has no role annotation get no AWS role at all.

  • More flexible than kube2iam or kiam.

  • One fewer point of failure (possibly several, since there is no agent or proxy to run).

  • Lower resource consumption, since no per-node agent is needed.

  • More pods per node, for the same reason.

  • Lower latency, by roughly 50 ms, especially on the first request, because credentials are not fetched through a node-level proxy.

  • No credential-cache staleness. kube2iam and kiam can take a few minutes to refresh their cached credentials after a role or policy change.

  • Better auditing. Instead of reading the logs of the kube2iam/kiam pods, you check AWS CloudTrail, where each AssumeRoleWithWebIdentity call is recorded.

  • Easier to set up.

  • Fully supported by AWS.

  • No extra cost.


Pre-requirements

There are a few pre-requirements you need to meet in order to use an IAM role in a pod.

  • An IAM OpenID Connect (OIDC) identity provider registered for your cluster’s OIDC issuer URL

  • An AWS EKS cluster running Kubernetes 1.13 or above

  • A trust relationship (trust policy) between your IAM role and that OIDC provider, restricted to the intended ServiceAccount


Costs

There is no extra cost.

How to setup

There are a few ways to set this up; I’ll show how to do it via eksctl and Terraform.

I didn’t list eksctl and Terraform as pre-requirements, since you can also do everything via the AWS Console.

Both tools set up the same thing (except that eksctl does not create an IAM policy; it only attaches an existing one). They will:

  • Create an AWS OpenID Connect provider

  • Link the OIDC provider to the EKS OIDC URL

  • Create an IAM Role

  • Create an IAM Policy (only via terraform)

  • Attach the IAM Policy to the IAM Role

  • Set up the Trust Relationship between the IAM Role and the OpenID Connect provider

  • Create a Kubernetes ServiceAccount
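The two artefacts that tie those steps together are the role’s trust policy and the annotated ServiceAccount. The following is an added example (not code from the original post or from the eks-oidc repository): it builds both for one workload and then checks a projected ServiceAccount token’s claims against that trust policy, mirroring what STS enforces on sts:AssumeRoleWithWebIdentity. The account ID, region, OIDC provider ID, namespace, ServiceAccount and role names are all hypothetical, and the token is a constructed, unsigned sample.

```python
# Added example, not code from the original post or the eks-oidc repo.
# Builds the IRSA trust policy and annotated ServiceAccount for one workload,
# then checks a projected token's claims against that trust policy the way
# STS does when the pod calls sts:AssumeRoleWithWebIdentity.
# All identifiers below are hypothetical.
import base64
import json
import time

ACCOUNT_ID = "123456789012"                      # hypothetical account
OIDC_ISSUER = "https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
STS_AUDIENCE = "sts.amazonaws.com"               # audience EKS sets on IRSA tokens


def issuer_host_path(issuer_url):
    """Issuer without its scheme; IAM uses this form in the provider ARN and condition keys."""
    return issuer_url[len("https://"):] if issuer_url.startswith("https://") else issuer_url


def oidc_provider_arn(account_id, issuer_url):
    return f"arn:aws:iam::{account_id}:oidc-provider/{issuer_host_path(issuer_url)}"


def trust_policy(account_id, issuer_url, namespace, service_account):
    """Trust relationship that lets only the named ServiceAccount assume the role.
    The :sub condition makes the grant per-namespace and per-ServiceAccount;
    the :aud condition rejects tokens minted for any other audience."""
    key = issuer_host_path(issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": oidc_provider_arn(account_id, issuer_url)},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{key}:aud": STS_AUDIENCE,
                f"{key}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def service_account_manifest(namespace, service_account, role_arn):
    """The annotation the EKS pod identity webhook looks for before injecting
    AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into the pod."""
    return (
        "apiVersion: v1\nkind: ServiceAccount\nmetadata:\n"
        f"  name: {service_account}\n  namespace: {namespace}\n"
        f"  annotations:\n    eks.amazonaws.com/role-arn: {role_arn}\n"
    )


def decode_jwt_claims(token):
    """Read the payload segment only (no signature check here; STS verifies the
    signature against the cluster's published JWKS)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_satisfies_policy(claims, policy, issuer_url, now=None):
    """Mirror the checks STS applies before issuing credentials: issuer matches
    the registered provider, token is unexpired, and every StringEquals condition holds."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer_url or claims.get("exp", 0) <= now:
        return False
    key = issuer_host_path(issuer_url)
    conds = policy["Statement"][0]["Condition"]["StringEquals"]
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    return conds[f"{key}:aud"] in aud and claims.get("sub") == conds[f"{key}:sub"]


def make_sample_token(claims):
    """Constructed, unsigned token in header.payload.signature shape, for this demo only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'kid': 'demo'})}.{seg(claims)}.signature"


if __name__ == "__main__":
    role_arn = f"arn:aws:iam::{ACCOUNT_ID}:role/payments-s3-reader"   # hypothetical role
    policy = trust_policy(ACCOUNT_ID, OIDC_ISSUER, "payments", "s3-reader")
    print(json.dumps(policy, indent=2))
    print(service_account_manifest("payments", "s3-reader", role_arn))

    # Token as the kubelet would project it for a pod running as payments/s3-reader
    own = decode_jwt_claims(make_sample_token({
        "iss": OIDC_ISSUER, "aud": [STS_AUDIENCE], "exp": int(time.time()) + 3600,
        "sub": "system:serviceaccount:payments:s3-reader",
    }))
    # Same cluster, different namespace: must be refused by the :sub condition
    other = decode_jwt_claims(make_sample_token({
        "iss": OIDC_ISSUER, "aud": [STS_AUDIENCE], "exp": int(time.time()) + 3600,
        "sub": "system:serviceaccount:default:s3-reader",
    }))
    print("own ServiceAccount accepted:", token_satisfies_policy(own, policy, OIDC_ISSUER))
    print("other namespace accepted:", token_satisfies_policy(other, policy, OIDC_ISSUER))
```

The point to check in your own trust policies is the `:sub` condition: a policy that only has the `:aud` condition (or uses `StringLike` with a wildcard for `:sub`) lets any ServiceAccount in the cluster, in any namespace, assume the role, which throws away the per-namespace restriction listed under Benefits.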



Setting up with eksctl

Using eksctl is easy the first time, but it can be tricky to automate.


You can follow these scripts/steps:



Setting up with Terraform

I created a GitHub repository, LozanoMatheus/eks-oidc; it’s straightforward to adapt to a real-world setup.

Further reading

  • IAM roles for service accounts (AWS EKS documentation)

  • Introducing fine-grained IAM roles for service accounts (AWS blog)