# EKS Pod and AWS Service Integration
# **DIAGRAM**

**REF**: [Kubernetes RBAC with AWS IAM integration](https://www.notion.so/Kubernetes-RBAC-with-AWS-IAM-integration-b9cce075dd94408583a0529fb8565212?pvs=21)
# **EKS Pod and AWS IAM Integration:**
## **1. Create IAM Roles:**
+ Create an IAM role with the necessary **permissions** for our **Pods**.
```hcl
resource "aws_iam_role" "pod_role" {
  name = "${var.service_name}-eksPodRole"

  # Trust policy: only tokens issued by this cluster's OIDC provider can assume
  # the role, and only when the token's "sub" claim names exactly this
  # namespace/service account and the audience is STS. The condition keys are
  # the issuer URL without the "https://" scheme (var.eks_oidc_provider.url is
  # assumed to already be in that form).
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "${var.eks_oidc_provider.arn}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${var.eks_oidc_provider.url}:sub": "system:serviceaccount:${var.service_name}:${local.service_account_name}",
          "${var.eks_oidc_provider.url}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
}
```
+ Define policies and attach them to the role.
```hcl
resource "aws_iam_policy" "policy" {
  name        = "${var.service_name}-policy"
  description = "IAM Policy for pod role"

  # jsonencode instead of a heredoc so the placeholders can be HCL comments
  # rather than invalid JSON. Fill in only the actions and resources this
  # service actually needs (least privilege).
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "1"
        Effect = "Allow"
        Action = [
          # Define actions
        ]
        Resource = [
          # Define resources
        ]
      }
    ]
  })
}
```
## **2. Create a Kubernetes Service Account:**
+ Create a Kubernetes Service Account that our Pods will use. This account is associated with an IAM role.
```hcl
# kubernetes_annotations manages annotations on an object that already exists;
# every namespace gets a "default" ServiceAccount automatically, and this
# resource targets that one in the service's namespace.
resource "kubernetes_annotations" "default" {
  api_version = "v1"
  kind        = "ServiceAccount"
  metadata {
    name      = "default"
    namespace = var.service_name
  }
}
```
+ Configure a default service account for each namespace.

Docs: https://kubernetes.io/docs/concepts/security/service-accounts/
## **3. Associate IAM Role with Service Account:**
+ Annotate Kubernetes Service Account with the IAM role ARN using an annotation.
```hcl
resource "kubernetes_annotations" "default" {
  api_version = "v1"
  kind        = "ServiceAccount"
  metadata {
    name      = local.service_account_name
    namespace = var.service_name
  }
  # The EKS Pod Identity Webhook reads this annotation and injects the
  # projected web-identity token and AWS_ROLE_ARN into Pods that use this
  # service account.
  annotations = {
    "eks.amazonaws.com/role-arn" = aws_iam_role.pod_role.arn
  }
}
```
Docs:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/annotations
## **4. Update the Pod Spec**
+ Update Pod specifications from [_helpers.tpl](https://github.com/c0x12c/infra-helm/blob/master/charts/spartan/templates/_helpers.tpl#L95) to use the Service Account we created.
```yaml
{{- define "spartan.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "spartan.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
```
Docs: https://helm.sh/docs/chart_template_guide/named_templates/
+ Add the `serviceAccountName` field to the Pod spec.
```yaml
spec:
  serviceAccountName: {{ include "spartan.serviceAccountName" . }}
```
Docs: https://kubernetes.io/docs/concepts/workloads/pods/
## **5. Install and Configure IAM Roles for Service Accounts (IRSA):**
+ For EKS, we need to enable IAM Roles for Service Accounts: create an OIDC identity provider for our cluster and register the cluster's OIDC provider URL with it, in Terraform as below or in the AWS Console.
```hcl
# The provider's thumbprint is read from the certificate served at the
# cluster's OIDC issuer URL.
data "tls_certificate" "eks" {
  url = aws_eks_cluster.master.identity[0].oidc[0].issuer
}

resource "aws_iam_openid_connect_provider" "eks" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.eks.certificates[0].sha1_fingerprint]
  # var.oidc_url must be the same issuer URL the data source above reads.
  url             = var.oidc_url
}
```
## **6. Update Trust Relationship in IAM Role:**
+ The trust relationship is the `assume_role_policy` of the pod role from step 1: its `Federated` principal is the OIDC provider created in step 5, and its `StringEquals` conditions pin the token to the service account annotated in step 3 (`:sub`) and to the `sts.amazonaws.com` audience (`:aud`).

Docs: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
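An added example that is not part of this page or the infra-helm chart: a small Python lint that reads a pod-role trust policy of the shape used in step 1 and reports the mistakes that widen who can assume the role (a missing or wildcarded `:sub`, an unpinned `:aud`, or a condition key that kept the `https://` scheme). The OIDC issuer, account id, namespace and service account names below are constructed values.

```python
import json

def check_irsa_trust_policy(policy_json, oidc_host, namespace, sa_name):
    """Return findings for a pod-role trust policy (empty list = tight).
    oidc_host is the issuer without the https:// scheme, the form IAM
    expects in condition keys; a key carrying the scheme never matches."""
    findings = []
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        matches = {**cond.get("StringLike", {}), **cond.get("StringEquals", {})}
        for key in matches:
            if key.startswith("https://"):
                findings.append(f"condition key {key!r} keeps the https:// scheme")
        subs = matches.get(f"{oidc_host}:sub")
        subs = subs if isinstance(subs, list) else ([subs] if subs else [])
        if not subs:
            findings.append("no :sub condition: any service account in the cluster can assume the role")
        for sub in subs:
            if "*" in sub or "?" in sub:
                findings.append(f"wildcard :sub {sub!r}; pin it to {expected_sub!r}")
            elif sub != expected_sub:
                findings.append(f":sub {sub!r} does not match {expected_sub!r}")
        if matches.get(f"{oidc_host}:aud") != "sts.amazonaws.com":
            findings.append(":aud is not pinned to sts.amazonaws.com")
    return findings

# Constructed sample values, not a real cluster or account.
OIDC_HOST = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"

def trust_policy(sub, operator="StringEquals", key_prefix=""):
    """Build a trust policy shaped like the step 1 heredoc, for the checks below."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + OIDC_HOST},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {operator: {f"{key_prefix}{OIDC_HOST}:sub": sub,
                                     f"{key_prefix}{OIDC_HOST}:aud": "sts.amazonaws.com"}},
        }],
    })

GOOD = trust_policy("system:serviceaccount:payments:payments-sa")
WIDE = trust_policy("system:serviceaccount:*:*", operator="StringLike")  # every pod qualifies
SCHEME = trust_policy("system:serviceaccount:payments:payments-sa", key_prefix="https://")
```

Run `check_irsa_trust_policy(policy, OIDC_HOST, "payments", "payments-sa")` against each of the three samples: `GOOD` yields no findings, `WIDE` reports the wildcard `:sub`, and `SCHEME` reports the keys that kept the scheme.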