Enable IAM roles for Service Account

Copy the OpenID Connect provider URL from the EKS cluster.

If you prefer the AWS CLI, run the following command, replacing CLUSTER_NAME with your cluster name.

aws eks describe-cluster --name CLUSTER_NAME --query "cluster.identity.oidc.issuer" --output text

Create an IAM OIDC identity provider.

1. Navigate to IAM console

2. Choose Identity Providers and then choose Create Provider

3. Select OpenID Connect for provider type

4. Paste the provider URL copied above

5. Under Audience, type sts.amazonaws.com

6. Verify and create the provider

Note: The IAM roles for service accounts feature is available on EKS clusters that were created with 1.14, or upgraded to 1.13 or 1.14, on or after September 3rd, 2019. If your EKS cluster does not meet this requirement, update its version to take advantage of this feature.

Create IAM roles for Service account

Now our cluster is ready to use IAM for service accounts. Let’s create an IAM role so that we can assign this IAM role to pods.

Create an IAM role that can be assumed only from a specific namespace, using the following trust policy, and attach an IAM policy with the permissions your pods require. The trust policy below allows any service account in the given namespace to assume the role. To restrict it to a single service account, replace the trailing * with that service account's name, so that only that service account can assume the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::1111111111:oidc-provider/oidc.eks.ap-southeast-1.amazonaws.com/id/XXXXXXX"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "oidc.eks.ap-southeast-1.amazonaws.com/id/XXXXXXX:sub": "system:serviceaccount:NAMESPACE:*"
        }
      }
    }
  ]
}

Replace:

1111111111: your AWS account ID.

XXXXXXX: the ID at the end of the OpenID Connect provider URL (the path after /id/).

NAMESPACE: the namespace where you are running your pods.
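To see how the namespace and service-account conditions behave, here is an added example (not code from the original post) that builds the trust policy above from the cluster's OIDC issuer URL and evaluates it against the claims a projected service-account token carries. The function names are assumptions, the `_string_like` matcher emulates IAM's StringLike operator, and the `aud` condition is an addition beyond the page's policy that pins the role to tokens minted for STS, matching the audience set on the provider.

```python
import json
import re


def build_trust_policy(account_id, issuer_url, namespace, service_account="*"):
    """Return the role trust policy as a dict. issuer_url is the value printed by
    `aws eks describe-cluster --query cluster.identity.oidc.issuer`."""
    provider = issuer_url.split("://", 1)[-1]  # oidc.eks.<region>.amazonaws.com/id/<ID>
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # Addition to the page's policy: only accept tokens issued for STS.
                "StringEquals": {f"{provider}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{provider}:sub": f"system:serviceaccount:{namespace}:{service_account}"},
            },
        }],
    }


def _string_like(pattern, value):
    """Emulate IAM StringLike: case-sensitive, '*' matches any run, '?' one char."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def token_can_assume(policy, claims):
    """True if a service-account token with these claims (iss, aud, sub) satisfies
    an Allow statement of the trust policy, i.e. AssumeRoleWithWebIdentity would pass."""
    provider = claims["iss"].split("://", 1)[-1]
    auds = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if stmt["Principal"]["Federated"].partition("oidc-provider/")[2] != provider:
            continue  # token comes from a different cluster's provider
        cond = stmt.get("Condition", {})
        aud_ok = all(v in auds for k, v in cond.get("StringEquals", {}).items() if k.endswith(":aud"))
        sub_ok = all(_string_like(v, claims["sub"]) for k, v in cond.get("StringLike", {}).items() if k.endswith(":sub"))
        if aud_ok and sub_ok:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values; substitute your account ID and issuer URL.
    policy = build_trust_policy("111111111111", "https://oidc.eks.ap-southeast-1.amazonaws.com/id/EXAMPLEID", "demo")
    print(json.dumps(policy, indent=2))
```

Passing a fourth argument (the service-account name) narrows the policy from every service account in the namespace to that one account.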

Alternatively, you can use the following AWS CLI script to create the role.

Let's create a namespace (demo), deploy a pod, and verify that it can assume the role.

Create Namespace

namespace.yaml

kubectl apply -f namespace.yaml

Create Service account

serviceaccount.yaml

kubectl apply -f serviceaccount.yaml

Create Deployment

Reference the service account in the pod spec and deploy.

deployment.yaml

kubectl apply -f deployment.yaml

Verify:

Exec into the container and run AWS CLI commands to verify.

kubectl get pods -n demo

Copy one of the pod names and exec into it (replace <podname>).

kubectl -n demo exec -it <podname> -- bash

I used the default httpd image in the pod definition, which does not have the AWS CLI installed by default. Install the AWS CLI and verify it.
