Creating an IAM role for ServiceAccount

Learn how to create a web identity IAM role and attach it with any Service account for an EKS cluster.

When we set up an EKS cluster, we apply rbac(role-based access control) to permit the pods to access the cluster and AWS resources. RBAC includes a ServiceAccount annotated with an IAM role which is finally used by the pod.

Source: AWS, Aman Ranjan Verma

To start with first, we need to set up an Identity provider followed by creating a web identity role. We then add policies to the role and finally attach the role to the service account.

Setting up Identity Provider

  • Open the IAM console at https://console.aws.amazon.com/iam/.
  • In the navigation panel, choose Identity Providers, and then choose Create Provider.
  • For Provider Type, choose Choose a provider type, and then choose OpenID Connect.
  • For the Provider URL, paste the OIDC issuer URL for your cluster.
    $ aws eks describe-cluster --name cluster_name --query "cluster.identity.oidc.issuer" --output text
  • For Audience, type sts.amazonaws.com and choose the Next Step.
  • Verify that the provider information is correct, and then choose Create to create your identity provider.
Left- IAM Identity Provider, Right- EKS Cluster | Source: AWS, Aman Ranjan Verma

Create an IAM Role

  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation panel, choose Roles, Create Role.
  3. In the Select type of trusted entity section, choose Web identity.
  4. In the Choose a web identity provider section:
  5. For the Identity provider, choose the OIDC URL for your cluster.
  6. For Audience, choose sts.amazonaws.com.
  7. Click Next: Permissions.
  8. In the Attach Policy section, select the policy to use for your service account. Choose Next: Tags -> Next: Review.
  9. Give your role a name and choose Create Role.
  10. After the role is created, choose the role in the console to open it for editing.
  11. Choose the Trust relationships tab, and then choose Edit trust relationship.
  12. Edit the OIDC provider suffix and change it from :aud to :sub.
  13. Replace sts.amazonaws.com with your SERVICE_ACCOUNT_NAME.
  14. If necessary, change region-code.

The resulting line should look like this.

"oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E:sub": "system:serviceaccount:SERVICE_ACCOUNT_NAMESPACE:SERVICE_ACCOUNT_NAME"

15. Choose Update Trust Policy to finish.
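The trust policy those steps leave behind, as an added Python example that is not the post's own code: build_trust_policy produces the document with the :sub condition from step 12-14, and find_unscoped_statements flags a policy where that step was skipped, so any service account in the cluster could assume the role. The issuer URL and account id are constructed placeholders, and the generated policy keeps the :aud check next to :sub, which the steps above do not require.

```python
import json

# Constructed placeholders (not from the post): the value that
# `aws eks describe-cluster ... --query cluster.identity.oidc.issuer`
# returns, and a made-up AWS account id.
ISSUER_URL = "https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"
ACCOUNT_ID = "111122223333"


def oidc_provider_host(issuer_url: str) -> str:
    """IAM keys the condition and the provider ARN on the host/path, without https://."""
    return issuer_url.split("://", 1)[-1]


def build_trust_policy(issuer_url, account_id, namespace, service_account):
    """Trust policy after steps 12-14: :sub pinned to one namespace:serviceaccount.
    The :aud line is kept as a second check (an addition beyond the post's steps)."""
    host = oidc_provider_host(issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{host}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{host}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def find_unscoped_statements(policy):
    """Indexes of web-identity statements with no :sub condition, or a :sub
    value containing a wildcard: both let more than one service account assume the role."""
    bad = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        subs = [v for op in cond.values() for k, v in op.items() if k.endswith(":sub")]
        if not subs or any("*" in str(v) for v in subs):
            bad.append(i)
    return bad


if __name__ == "__main__":
    policy = build_trust_policy(ISSUER_URL, ACCOUNT_ID, "default", "my-sa")
    print(json.dumps(policy, indent=2))
    print("unscoped statements:", find_unscoped_statements(policy))
```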

Associate the IAM role with a Kubernetes service account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: <ServiceAccountName>
  namespace: <NameSpace>
  annotations:
    eks.amazonaws.com/role-arn: <RoleARN_FromTheLastStep>

The service account should be applied in the namespace where the pods are running.

To apply the service account: kubectl apply -f <sa_file_name.yaml>

Test

Now that we are done with the blog, I am hopeful that you had no difficulty following it. In case you faced any difficulty in following the blog, kindly comment below.

Written by

Engineer who loves forest, mountains, and general science. https://www.linkedin.com/in/ar-verma/
