How to use AWS IAM role on AWS EKS PODs

A native-AWS way to attach an IAM role into the Kubernetes POD, without third party software

Matheus Lozano
AWS Tips and Tricks
2 min read · Jan 22, 2021


Replica: https://dzone.com/articles/how-to-use-aws-iam-role-on-aws-eks-pods

[Figure: Attach IAM Role to Kubernetes POD — Using an IAM Role in a Kubernetes POD]

How it works

It’s possible to attach an IAM role to a Kubernetes POD without using third-party software such as kube2iam or kiam. This is thanks to the integration between AWS IAM and the Kubernetes ServiceAccount, following the IAM Roles for Service Accounts (IRSA) approach.

Benefits

There are quite a few benefits of using IRSA with Kubernetes PODs.

  • Granular restriction (per cluster, per namespace, per ServiceAccount, etc.)
    It’s also possible not to use it for pods that don’t need AWS access
  • More flexible than the other tools
  • One less point of failure (possibly several)
  • Lower resource consumption
  • More pods per node
  • Latency may drop by ~50 ms
    Especially for the first request
  • Avoids credential-caching issues
    kube2iam/kiam can take a few minutes to refresh their credential cache
  • Better auditing
    Instead of checking the logs of the kube2iam/kiam pods, you can check AWS CloudTrail
  • Easier to set up
  • AWS provides full support

Pre-requirements

There are a few pre-requirements that you’ll need to meet in order to use an IAM role in a POD.

  • An IAM OpenID Connect provider pointing to the AWS EKS OpenID Connect provider URL
  • AWS EKS cluster 1.13 or above
  • A trust relationship between your IAM Role and the OpenID Provider

Costs

There is no extra cost.

How to setup

There are a few ways to set this up; I’ll share how to do it via eksctl and terraform.

I didn’t add eksctl and terraform as pre-requirements, since you can do it via the AWS Console too.

Both tools, eksctl and terraform, set up the exact same thing (except that eksctl doesn’t create an IAM Policy). These tools will:

  • Create an AWS OpenID Connect provider
  • Link the OIDC provider to the EKS OIDC URL
  • Create an IAM Role
  • Create an IAM Policy (only via terraform)
  • Attach the IAM Policy to the IAM Role
  • Set up the Trust Relationship between the IAM Role and the OpenID Connect provider
  • Create a Kubernetes ServiceAccount
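The steps above expressed in Terraform, as an added example that is neither the article's nor the LozanoMatheus/eks-oidc repository's code. It assumes the aws, tls and kubernetes providers are already configured and that `var.oidc_issuer` holds the cluster's OIDC issuer URL; the namespace, ServiceAccount and role names are hypothetical.

```hcl
# Assumes aws, tls and kubernetes providers are configured; var.oidc_issuer = cluster OIDC issuer URL
variable "oidc_issuer" {}
locals {
  issuer_host = replace(var.oidc_issuer, "https://", "") # host part used in condition keys
  sa          = "system:serviceaccount:default:s3-reader" # hypothetical namespace:serviceaccount
}
# Thumbprint of the issuer's TLS certificate, required to register the provider
data "tls_certificate" "oidc" {
  url = var.oidc_issuer
}
# IAM OpenID Connect provider linked to the EKS OIDC URL
resource "aws_iam_openid_connect_provider" "eks" {
  url             = var.oidc_issuer
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.oidc.certificates[0].sha1_fingerprint]
}
# Trust relationship: only the token of this one ServiceAccount in this one namespace
# may assume the role. Leaving "sub" unconditioned would let any pod in the cluster assume it.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.eks.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.issuer_host}:sub"
      values   = [local.sa]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.issuer_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}
resource "aws_iam_role" "pod" {
  name               = "eks-s3-reader" # hypothetical role name
  assume_role_policy = data.aws_iam_policy_document.trust.json
}
# ServiceAccount annotated with the role ARN; EKS injects the projected token and AWS_ROLE_ARN into its pods
resource "kubernetes_service_account" "s3_reader" {
  metadata {
    name        = "s3-reader"
    namespace   = "default"
    annotations = { "eks.amazonaws.com/role-arn" = aws_iam_role.pod.arn }
  }
}
```

Attach the permissions policy to `aws_iam_role.pod` separately; the trust policy only controls who may assume the role, and CloudTrail's AssumeRoleWithWebIdentity events will show the ServiceAccount in the `sub` claim.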

Setting up with eksctl

Using eksctl may be easy the first time, but it can be tricky/hard to automate.

You can follow these scripts/steps:

Setting up with terraform

I created a GitHub repository, LozanoMatheus/eks-oidc; it’s straightforward to adapt to a real-world setup.

## Deploying

```bash
terraform plan
```

```bash
terraform apply
```
