Authenticate to AWS Services Using an IAM Service Account
Applications running inside an Amazon Elastic Kubernetes Service (EKS) cluster can reach AWS services without long-lived access keys. By binding a Kubernetes ServiceAccount to an IAM role (IAM roles for service accounts), pods obtain short-lived credentials through the AWS SDKs, which scales cleanly while keeping permissions scoped to the workload that needs them.
This document walks through connecting to S3 from inside an EKS cluster.
Pre-requisites
Step 1 - Get the OIDC provider
Get the cluster's OIDC issuer URL and check whether an IAM OIDC identity provider already exists for it.
Step 2 - Create the service account
- Go to the Workspaces tab in the left panel of the portal and create a workspace with the same name as your namespace, $APP_NS.
- Click on + New Workspace. If you already have a workspace, click the Edit section on the right side of the workspace card and skip the next step.
- Select the cluster where you want to create the service account and enter the name of the workspace (namespace).
- Click on
Step 3 - Create an IAM role
3(A) - Export the bucket name
We will create a role that has S3 permissions on the bucket named in S3_BUCKET.
3(B) - Create an IAM role
- Create the following assume role policy.
- Create an IAM role using this assume role policy.
3(C) - Export the IAM policy
- Create the IAM policy with the required permissions.
- Create the policy.
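Steps 1, 3(B) and 3(C) refer to commands and policy documents that are not reproduced on this page. The shell functions below are an added example, not part of the TrueFoundry guide: they derive the OIDC provider identifier from the cluster's issuer URL and generate the two policy documents, a trust policy that limits sts:AssumeRoleWithWebIdentity to one ServiceAccount in one namespace, and a permissions policy scoped to a single bucket. The account id, issuer URL, namespace, service account name and bucket name are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the TrueFoundry docs): build the IRSA trust policy and a
# least-privilege S3 policy from the variables the guide uses. All sample values are
# constructed placeholders; substitute your own account, cluster and bucket.

# The IAM OIDC provider is identified by the issuer's host and path, without the scheme.
# $1: issuer URL, e.g. the output of
#   aws eks describe-cluster --name "$CLUSTER" --query "cluster.identity.oidc.issuer" --output text
oidc_provider_from_issuer() {
  printf '%s\n' "$1" | sed -e 's#^https://##'
}

# Trust (assume-role) policy. The :sub condition pins the role to exactly one
# ServiceAccount in one namespace; the :aud condition accepts only tokens minted
# for the sts.amazonaws.com audience, so other projected tokens cannot be replayed here.
assume_role_policy() {
  account_id=$1
  oidc_provider=$2
  namespace=$3
  service_account=$4
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${oidc_provider}:sub": "system:serviceaccount:${namespace}:${service_account}",
          "${oidc_provider}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
}

# Permissions policy scoped to one bucket. Listing applies to the bucket ARN,
# object operations apply to the object ARN (bucket/*). Nothing else is granted.
s3_bucket_policy() {
  bucket=$1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Stand-alone run with constructed sample values.
ACCOUNT_ID=111122223333
OIDC_ISSUER="https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
APP_NS=my-app
SERVICE_ACCOUNT_NAME=my-app-sa        # hypothetical ServiceAccount name
S3_BUCKET=my-app-data-bucket          # hypothetical bucket name

OIDC_PROVIDER=$(oidc_provider_from_issuer "$OIDC_ISSUER")
assume_role_policy "$ACCOUNT_ID" "$OIDC_PROVIDER" "$APP_NS" "$SERVICE_ACCOUNT_NAME"
s3_bucket_policy "$S3_BUCKET"
```

Redirect each function's output to a file and pass it to `aws iam create-role --assume-role-policy-document file://trust-policy.json` and `aws iam create-policy --policy-document file://s3-policy.json`. The `:sub` condition is what stops pods in other namespaces from assuming the role; omitting it, or widening it to a wildcard, lets any ServiceAccount in the cluster obtain the role's credentials.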
3(D) - Attach the policy to the IAM role
- Attach the policy to the IAM role.
Step 4 - Annotate the service account with the IAM role ARN
- Head over to the Workspaces tab in the left panel of the TrueFoundry platform.
- Click on the pencil icon to edit the workspace.
- Scroll down to the service account section and enter $IAM_ROLE_ARN in the Aws Iam Role Arn field.
- Click on Update.
Step 5 - Test
- Run a pod and test whether you are able to perform operations on the AWS S3 bucket.
- Go inside the pod and execute the following command.
- Run the command.
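Steps 4 and 5 go through the portal and do not show what the workspace setting produces in the cluster or how to confirm it took effect. The following is an added example, not part of the TrueFoundry guide: the first function prints the ServiceAccount manifest equivalent of filling in the Aws Iam Role Arn field (the `eks.amazonaws.com/role-arn` annotation that the EKS pod identity webhook acts on), and the second is a check to run inside the test pod to confirm it actually received web-identity credentials rather than falling back to the node's instance role. Namespace, service account name and role ARN are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the TrueFoundry docs). Sample values are constructed.

# Manifest equivalent of entering the role ARN in the workspace: EKS's pod identity
# webhook reads this annotation and injects AWS_ROLE_ARN plus a projected token file
# into pods that use the ServiceAccount.
annotated_service_account() {
  namespace=$1
  service_account=$2
  role_arn=$3
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${service_account}
  namespace: ${namespace}
  annotations:
    eks.amazonaws.com/role-arn: ${role_arn}
EOF
}

# Run inside the pod during Step 5. Returns 0 when the environment carries what the
# SDK needs for AssumeRoleWithWebIdentity: AWS_ROLE_ARN set to an IAM role ARN and
# AWS_WEB_IDENTITY_TOKEN_FILE pointing at a non-empty token. If either is missing,
# the SDK moves on to the next credential source (commonly the node role), which is
# the over-privileged path IRSA exists to avoid, so treat a failure here as a
# misconfiguration rather than retrying the S3 command.
irsa_env_check() {
  case "${AWS_ROLE_ARN:-}" in
    arn:aws:iam::[0-9]*:role/?*) ;;
    *) echo "AWS_ROLE_ARN missing or not an IAM role ARN" >&2; return 1 ;;
  esac
  if [ -z "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ] || [ ! -s "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
    echo "AWS_WEB_IDENTITY_TOKEN_FILE missing or token file empty" >&2
    return 1
  fi
  return 0
}

# Stand-alone run with constructed values.
annotated_service_account my-app my-app-sa "arn:aws:iam::111122223333:role/my-app-s3-role"
```

Inside the pod, run `irsa_env_check && aws sts get-caller-identity`: the returned ARN should be the assumed role session for the IAM role you created, not the node's instance profile. If it shows the node role, the annotation or the trust policy's `:sub` condition does not match the pod's namespace and ServiceAccount.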