Similar to assigning an IAM role to an EC2 instance so that the applications running on it can access AWS services, you can assign an IAM role to each individual Kubernetes service.
This gives you finer-grained control: each pod is granted access only to the AWS resources it really needs.
Add Identity Provider
Create an OpenID Connect provider. If you create it using the console, it calculates the CA thumbprint for you.
Provider URL
Copy the cluster's OpenID Connect provider URL (without the protocol).
example:
oidc.eks.us-east-2.amazonaws.com/id/ABD123ABD123ABD123ABD123
Audience
sts.amazonaws.com
Create IAM account(s)
Create one IAM role per service.
Create a file with the trust policy document for the service (e.g. my-service-policy.json). The sub condition pins the role to exactly one service account, so it must match the namespace and service account name you create below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::1234512345:oidc-provider/oidc.eks.us-east-2.amazonaws.com/id/ABD123ABD123ABD123ABD123"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-2.amazonaws.com/id/ABD123ABD123ABD123ABD123:sub": "system:serviceaccount:my-namespace:my-service"
        }
      }
    }
  ]
}
Create the IAM role using the AWS CLI:
aws iam create-role \
  --region us-east-2 \
  --role-name my-service-in-namespace \
  --assume-role-policy-document file://my-service-policy.json
Attach to this new IAM role whatever permission policies your service's pods need.
The ARN of your IAM role is going to look like:
arn:aws:iam::1234512345:role/my-service-in-namespace
where 1234512345 is your AWS account id.
Create K8s service account
Create a service account for your service. Kubernetes namespace and service account names must consist of lowercase alphanumerics and hyphens, so use my-namespace and my-service rather than names containing underscores:
kubectl create sa my-service -n my-namespace
Link accounts
Annotate the k8s service account with the corresponding IAM role:
kubectl annotate sa my-service -n my-namespace eks.amazonaws.com/role-arn=arn:aws:iam::1234512345:role/my-service-in-namespace
Add the service account to the k8s Deployment
apiVersion: apps/v1
kind: Deployment
# ...
spec:
  # ...
  template:
    spec:
      # ...
      serviceAccountName: my-service
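As an added example (not part of the original page), the following POSIX shell script generates the trust policy used above for a given account id, OIDC issuer, namespace and service account. It goes slightly beyond the page's policy: it rejects Kubernetes names that the API server would refuse before anything is sent to AWS, and it adds an aud condition so that only tokens minted for sts.amazonaws.com (the audience configured on the identity provider above) can assume the role. The account id 123456789012 and the names in the usage comment are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the page's own code: build the IRSA trust policy for
# one Kubernetes ServiceAccount and validate the inputs first.
# Assumed placeholders: account id 123456789012; the issuer id
# ABD123ABD123ABD123ABD123 and region us-east-2 are reused from the page.

# Kubernetes namespace and ServiceAccount names must be RFC 1123 labels:
# lowercase alphanumerics and '-', at most 63 characters, not starting or
# ending with '-'. Underscores are rejected by the API server.
k8s_name_ok() {
  [ "${#1}" -le 63 ] || return 1
  case "$1" in
    ''|*[!a-z0-9-]*|-*|*-) return 1 ;;
  esac
  return 0
}

# The subject claim the projected service account token will carry, which is
# exactly what the trust policy's :sub condition must equal.
irsa_subject() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# Trust policy: only tokens from this cluster's issuer, for exactly this
# service account, issued for audience sts.amazonaws.com, may assume the role.
# Usage: irsa_trust_policy ACCOUNT_ID ISSUER_HOST_AND_PATH NAMESPACE SERVICE_ACCOUNT
irsa_trust_policy() {
  account="$1"; issuer="$2"; ns="$3"; sa="$4"
  k8s_name_ok "$ns" && k8s_name_ok "$sa" || return 1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account}:oidc-provider/${issuer}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${issuer}:aud": "sts.amazonaws.com",
          "${issuer}:sub": "$(irsa_subject "$ns" "$sa")"
        }
      }
    }
  ]
}
EOF
}

# When run directly with four arguments, print the policy so it can be saved:
#   sh irsa-policy.sh 123456789012 \
#     oidc.eks.us-east-2.amazonaws.com/id/ABD123ABD123ABD123ABD123 \
#     my-namespace my-service > my-service-policy.json
if [ "$#" -eq 4 ]; then
  irsa_trust_policy "$@"
fi
```

Redirect the output to my-service-policy.json and pass it to aws iam create-role as shown above. Checking aud as well as sub is what AWS recommends for IRSA trust policies: sub alone ties the role to one service account, while aud ensures the token was issued for STS rather than for some other audience the same issuer might serve.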