Access S3 Buckets from AWS EKS Cluster using IRSA

Mohd Umar
Jul 13, 2023

To provide access to Amazon S3 using IAM Roles for Service Accounts (IRSA) from an Amazon EKS cluster, you can follow these steps:

1. Create an IAM Policy:
— Create an IAM policy that grants the necessary permissions to access the desired S3 resources. For example, you can create a policy named “s3-access-policy” with the appropriate permissions.

2. Create an IAM Role:
— Create an IAM role and attach the IAM policy you created in the previous step to it. For example, you can create a role named “s3-access-role” and attach the “s3-access-policy” to it.

3. Annotate the Kubernetes Service Account:
— Annotate the Kubernetes Service Account associated with your workload with the ARN of the IAM role you created in the previous steps. The annotation goes in the `metadata` section of the Service Account definition.

Here’s an example of a Service Account YAML file with the necessary annotations:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/s3-access-role

4. Configure IRSA in EKS:
— Enable IAM Roles for Service Accounts (IRSA) in your EKS cluster by creating an OpenID Connect (OIDC) provider and updating the cluster’s configuration.

- Create the OIDC identity provider for the cluster. With eksctl:

eksctl utils associate-iam-oidc-provider --cluster <cluster-name> --region <region> --approve

- With the AWS CLI alone, read the cluster’s issuer URL with `aws eks describe-cluster --name <cluster-name> --region <region> --query "cluster.identity.oidc.issuer" --output text` and register it with `aws iam create-open-id-connect-provider`, using `sts.amazonaws.com` as the client ID. You can find a worked example of both routes in the EKS documentation.

5. Deploy and Test the Application:
— Deploy your workload (such as a Pod or Deployment) that needs access to S3, using the annotated Service Account.

- Within your application or container, use the AWS SDK or AWS CLI to interact with S3 through its default credential chain. EKS injects a projected Service Account token and the role ARN into the Pod (the `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` environment variables), and the SDK or CLI exchanges that token for temporary credentials of the IAM role assigned to the Service Account; no static keys are needed.

That’s it! With these steps, you have provided access to Amazon S3 using an IAM role via IAM Roles for Service Accounts (IRSA) from your EKS cluster. Ensure that the IAM role and policy have the required permissions to interact with the desired S3 resources.
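The IAM role from step 2 needs a trust policy that only the annotated Service Account can satisfy, which the steps above do not show. The following is an added example, not code from the original post: it builds that trust document from the cluster’s OIDC issuer and audits an existing trust policy for the usual over-broad mistakes (missing `aud` condition, wildcard `sub`). The account ID, role name and Service Account name are the post’s; the `default` namespace and the issuer URL are assumptions.

```python
import copy

def irsa_trust_policy(account_id, oidc_issuer, namespace, service_account):
    """Trust policy letting exactly one Kubernetes service account assume the role."""
    provider = oidc_issuer.removeprefix("https://")  # IAM provider name drops the scheme
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            # aud pins the token audience; sub pins the namespace/service-account pair
            "Condition": {"StringEquals": {
                f"{provider}:aud": "sts.amazonaws.com",
                f"{provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }

def _values(cond, suffix):  # condition values under any operator whose key ends with suffix
    return [v for op in cond.values() for k, vals in op.items() if k.endswith(suffix)
            for v in (vals if isinstance(vals, list) else [vals])]

def audit_trust_policy(policy, namespace, service_account):
    """Return findings; an empty list means the role is scoped to one service account."""
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if "sts:AssumeRoleWithWebIdentity" not in ([actions] if isinstance(actions, str) else actions):
            continue
        cond = stmt.get("Condition", {})
        if not _values(cond, ":aud"):
            findings.append("no :aud condition, token audience is not pinned to sts.amazonaws.com")
        subs = _values(cond, ":sub")
        if not subs:
            findings.append("no :sub condition, any service account in the cluster can assume the role")
        for sub in subs:
            if "*" in sub:
                findings.append(f"wildcard subject {sub!r} admits more than one service account")
            elif sub != expected_sub:
                findings.append(f"subject {sub!r} does not match {expected_sub!r}")
    return findings

# Constructed sample: account and names from the post, issuer URL is a placeholder (assumption)
ISSUER = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID0000000000000000000"
GOOD = irsa_trust_policy("123456789012", ISSUER, "default", "my-service-account")
BROAD = copy.deepcopy(GOOD)  # the common mistake: StringLike with a wildcard and no aud check
BROAD["Statement"][0]["Condition"] = {"StringLike": {f"{ISSUER.removeprefix('https://')}:sub": "system:serviceaccount:*:*"}}
```

Write the dict out with `json.dumps` and pass it to `aws iam create-role --role-name s3-access-role --assume-role-policy-document file://trust.json`; run the audit against `aws iam get-role` output for roles already in the account.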
