Configuring the VPC CNI plugin to use IAM roles for service accounts

The Amazon VPC CNI plugin for Kubernetes:

- Requires IAM permissions, provided by the AWS managed policy AmazonEKS_CNI_Policy, to make calls to AWS APIs on your behalf.
- Creates, and is configured to use, a service account named aws-node when it's deployed. The service account is bound to a Kubernetes clusterrole named aws-node, which is assigned the required Kubernetes permissions.

Regardless of whether you configure the VPC CNI plugin to use IAM roles for service accounts, the pods also have access to the permissions assigned to the Amazon EKS node IAM role, unless you block access to IMDS. For more information, see Restricting access to the IMDS and Amazon EC2 instance profile credentials.
[eksctl]

- Create an IAM role and attach the AmazonEKS_CNI_Policy managed IAM policy with the following command. Replace <cluster_name> with your own value. This command creates an IAM OIDC provider for your cluster if it doesn't already exist. It then deploys an AWS CloudFormation stack that creates an IAM role, attaches the AmazonEKS_CNI_Policy AWS managed policy to it, and annotates the existing aws-node service account with the ARN of the IAM role.

  eksctl create iamserviceaccount \
      --name aws-node \
      --namespace kube-system \
      --cluster <cluster_name> \
      --attach-policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy \
      --approve \
      --override-existing-serviceaccounts

- Describe one of the pods and verify that the AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN environment variables exist.

  kubectl exec -n kube-system aws-node-<9rgzw> env | grep AWS

  Output:

  AWS_VPC_K8S_CNI_LOGLEVEL=DEBUG
  AWS_ROLE_ARN=arn:aws:iam::<111122223333>:role/eksctl-prod-addon-iamserviceaccount-kube-sys-Role1-<V66K5I6JLDGK>
  AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
[AWS Management Console]

Prerequisite

You must have an existing IAM OIDC provider for your cluster. To determine whether you already do or to create one, see Create an IAM OIDC provider for your cluster.

To create your CNI plugin IAM role with the AWS Management Console

- In the navigation panel, choose Roles, Create Role.
- In the Select type of trusted entity section, choose Web identity.
- In the Choose a web identity provider section:
  - For Identity provider, choose the URL for your cluster.
  - For Audience, choose sts.amazonaws.com.
- Choose Next: Permissions.
- In the Attach Policy section, select the AmazonEKS_CNI_Policy policy to use for your service account.
- Choose Next: Tags.
- On the Add tags (optional) screen, you can add tags for the account. Choose Next: Review.
- For Role Name, enter a name for your role, such as AmazonEKSCNIRole, and then choose Create Role.
- After the role is created, choose the role in the console to open it for editing.
- Choose the Trust relationships tab, and then choose Edit trust relationship.
- Find the line that looks similar to the following:

  "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E:aud": "sts.amazonaws.com"

  Change the line to look like the following line. Replace <EXAMPLED539D4633E53DE1B716D3041E> (including <>) with your cluster's OIDC provider ID and replace <region-code> with the Region code that your cluster is in.

  "oidc.eks.<region-code>.amazonaws.com/id/<EXAMPLED539D4633E53DE1B716D3041E>:sub": "system:serviceaccount:kube-system:aws-node"

- Choose Update Trust Policy to finish.
To annotate the aws-node Kubernetes service account with the IAM role

- If you're using the Amazon EKS add-on with a 1.18 or later Amazon EKS cluster with platform version eks.3 or later, see Configure an Amazon EKS add-on instead of completing this procedure. If you're not using the Amazon VPC CNI Amazon EKS add-on, then use the following command to annotate the aws-node service account with the ARN of the IAM role that you created previously. Be sure to substitute your own values for the <example values> to use with your pods.

  kubectl annotate serviceaccount \
      -n kube-system aws-node \
      eks.amazonaws.com/role-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:role/<AmazonEKSCNIRole>

- Delete and re-create any existing pods that are associated with the service account to apply the credential environment variables. The mutating webhook does not apply them to pods that are already running. The following command deletes the existing aws-node DaemonSet pods; the DaemonSet re-creates them with the service account annotation.

  kubectl delete pods -n kube-system -l k8s-app=aws-node

- Confirm that the pods all restarted.

  kubectl get pods -n kube-system -l k8s-app=aws-node

- Describe one of the pods and verify that the AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN environment variables exist.

  kubectl exec -n kube-system aws-node-<9rgzw> env | grep AWS

  Output:

  AWS_VPC_K8S_CNI_LOGLEVEL=DEBUG
  AWS_ROLE_ARN=arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>
  AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
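The two checks that matter in the procedures above are the trust policy edit (the console creates the role keyed on the :aud claim, which every service account in the cluster presents; changing the condition to the :sub claim restricts the role to kube-system:aws-node) and the presence of the IRSA environment variables in the re-created pods. The following script is an added example and is not part of the Amazon EKS documentation or the VPC CNI project. It encodes both checks as shell functions and runs them against constructed sample inputs; the account ID, role name and OIDC provider ID in the samples are invented placeholders. The optional check_live_cluster helper runs the same two functions against real output from aws iam get-role and kubectl exec, which are assumed to be configured, and is not invoked automatically.

```shell
#!/bin/sh
# Added example (not from the Amazon EKS documentation): offline checks for the
# trust-policy scoping and the IRSA environment variables described above.

# Constructed sample: a trust policy after the Condition was edited from ":aud"
# to ":sub", so only the kube-system/aws-node service account can assume the role.
TRUST_POLICY_SCOPED='{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E:sub": "system:serviceaccount:kube-system:aws-node"
    }}
  }]
}'

# Constructed sample: the policy as the console creates it, still keyed on ":aud".
# Every service account token in the cluster carries that audience, so this is too broad.
TRUST_POLICY_AUD_ONLY='{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E:aud": "sts.amazonaws.com"
    }}
  }]
}'

# trust_policy_scoped_to_aws_node POLICY_JSON
# Returns 0 only if the policy pins the OIDC ":sub" claim to kube-system:aws-node.
trust_policy_scoped_to_aws_node() {
  printf '%s\n' "$1" |
    grep -q '"oidc\.eks\.[a-z0-9-]*\.amazonaws\.com/id/[A-Z0-9]*:sub": *"system:serviceaccount:kube-system:aws-node"'
}

# Constructed sample of `kubectl exec ... env | grep AWS` output from an aws-node
# pod that was created after the service account annotation.
POD_ENV_WITH_IRSA='AWS_VPC_K8S_CNI_LOGLEVEL=DEBUG
AWS_ROLE_ARN=arn:aws:iam::111122223333:role/AmazonEKSCNIRole
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token'

# Constructed sample from a pod that started before the annotation: the mutating
# webhook never injected the variables, so the pod still uses node credentials.
POD_ENV_WITHOUT_IRSA='AWS_VPC_K8S_CNI_LOGLEVEL=DEBUG'

# pod_env_has_irsa ENV_TEXT
# Returns 0 only if both IRSA variables are present with the expected shape.
pod_env_has_irsa() {
  printf '%s\n' "$1" | grep -q '^AWS_ROLE_ARN=arn:aws:iam::[0-9][0-9]*:role/.' &&
  printf '%s\n' "$1" | grep -q '^AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks\.amazonaws\.com/serviceaccount/token$'
}

# check_live_cluster ROLE_NAME POD_NAME
# Optional: run the same checks against a real cluster. Assumes the aws CLI and
# kubectl are configured for the cluster; not invoked automatically.
check_live_cluster() {
  role_name=$1
  pod_name=$2
  policy=$(aws iam get-role --role-name "$role_name" \
             --query 'Role.AssumeRolePolicyDocument' --output json)
  trust_policy_scoped_to_aws_node "$policy" ||
    { echo "trust policy for $role_name is not scoped to kube-system:aws-node"; return 1; }
  env_text=$(kubectl exec -n kube-system "$pod_name" -- env)
  pod_env_has_irsa "$env_text" ||
    { echo "pod $pod_name has no IRSA credentials injected"; return 1; }
  echo "ok: $role_name is scoped to aws-node and $pod_name uses it"
}
```

Run it as a plain sh script to exercise the constructed samples, or source it and call check_live_cluster AmazonEKSCNIRole aws-node-<pod-suffix> against a cluster. The :sub check deliberately matches only the exact kube-system:aws-node subject; a wildcard such as system:serviceaccount:kube-system:* would also let other kube-system workloads assume the CNI role and fails the check.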
Remove the CNI policy from the node IAM role

If your Amazon EKS node IAM role currently has the AmazonEKS_CNI_Policy IAM policy attached to it, and you've created a separate IAM role, attached the policy to it instead, and assigned it to the aws-node Kubernetes service account, then we recommend that you remove the policy from your node role.

- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the left navigation, choose Roles, and then search for your node instance role.
- Choose the Permissions tab for your node instance role and then choose the X to the right of the AmazonEKS_CNI_Policy.
- Choose Detach to finish.