Creating an IAM role and
policy for your service account
You must create an IAM policy that specifies the permissions that you would like the
containers in your pods to have. You have several ways to create a new IAM permission
policy. One way is to copy a complete AWS managed policy that already does some of
what you're looking for and then customize it to your specific requirements. For more
information, see Creating a New
Policy in the IAM User Guide.
You must also create an IAM role for your Kubernetes service accounts to use before
you associate it with a service account. The trust relationship is scoped to your
cluster and service account so that each cluster and service account combination
requires its own role. You can then attach a specific IAM policy to the role that
gives the containers in your pods the permissions you desire. The following procedures
describe how to do this.
Create an IAM policy
In this procedure, we offer two example policies that you can use for your
application:
-
A policy to allow read-only access to an Amazon S3 bucket. You could store
configuration information or a bootstrap script in this bucket, and the
containers in your pod can read the file from the bucket and load it
into your application.
-
A policy to allow paid container images from AWS Marketplace.
Open the IAM console at
https://console.aws.amazon.com/iam/.
-
In the navigation panel, choose Policies and then
choose Create policy.
-
Choose the JSON tab.
-
In the Policy Document field, paste one of the
following policies to apply to your service accounts, or paste your own
policy document into the field. You can also use the visual editor to
construct your own policy.
The example below allows permission to the
my-pod-secrets-bucket Amazon S3 bucket. You can
modify the policy document to suit your specific needs.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::my-pod-secrets-bucket/*"
]
}
]
}
The example below gives the required permissions to use a paid container
image from AWS Marketplace.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"aws-marketplace:RegisterUsage"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
-
Choose Review policy.
-
Enter a name and description for your policy and then choose
Create policy.
-
Record the Amazon Resource Name (ARN) of the policy to use later when you create your
role.
Create an IAM role for a service
account
Create an IAM role for your Kubernetes service account. You can use
eksctl, the AWS Management Console, or the AWS CLI to create the role.
Prerequisites
-
An existing cluster. If you don't have one, you can create one using one
of the Getting started with Amazon EKS
guides.
-
If using the AWS Management Console or AWS CLI to create the role, then you must have an
existing IAM OIDC provider for your cluster. For more information, see
Create an IAM OIDC provider
for your cluster.
-
An existing IAM policy that includes the permissions for the AWS
resources that your service account needs access to. For more information,
see Create an IAM policy.
You can create the IAM role with eksctl, the AWS Management Console, or the
AWS CLI. Select the tab with the name of the tool that you want to create the role
with.
- eksctl
-
Create the service account and IAM role with the following command.
Replace the example values
eksctl create iamserviceaccount \
--name kubernetes_service_account_name \
--namespace kubernetes_service_account_namespace \
--cluster my-cluster \
--attach-policy-arn IAM_policy_ARN \
--approve \
--override-existing-serviceaccounts
An AWS CloudFormation template is deployed that creates an IAM role and attaches
the IAM policy to it. The role is associated with a Kubernetes service
account. If your cluster didn't have an existing IAM OIDC provider,
one was created. If the service account doesn't exist, it is created in
the namespace that you provided. If the service account does exist, then
it is annotated with
eks.amazonaws.com/role-arn:arn:aws:iam::your-account-id:role/iam-role-name-that-was-created.
- AWS Management Console
-
-
Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.
-
Select the name of your cluster and then select the Configuration tab.
-
In the Details section, note the value of the OpenID Connect provider URL.
Open the IAM console at
https://console.aws.amazon.com/iam/.
In the navigation panel, choose Roles, Create Role.
In the Select type of trusted entity section, choose Web identity.
-
In the Choose a web identity provider
section:
-
For Identity provider, choose the
URL for your cluster.
-
For Audience, choose
sts.amazonaws.com.
Choose Next: Permissions.
-
In the Attach Policy section, select the IAM policy that has the permissions
that you want your service account to use.
Choose Next: Tags.
On the Add tags (optional) screen, you can add tags for the account. Choose Next: Review.
-
For Role Name, enter a name for your role and then choose Create Role.
-
After the role is created, choose the role in the console to open it for editing.
-
Choose the Trust relationships tab, and then choose Edit trust relationship.
-
Find the line that looks similar to the following:
"oidc.eks.region-code/id/EXAMPLED539D4633E53DE1B716D3041E:aud": "sts.amazonaws.com"
Change the line to look like the following line. Replace
EXAMPLED539D4633E53DE1B716D3041Eregion-code with the Region code
that your cluster is in. Replace aud
with sub and replace
KUBERNETES_SERVICE_ACCOUNT_NAMESPACE
and KUBERNETES_SERVICE_ACCOUNT_NAME
with the name of your Kubernetes service account and the
Kubernetes namespace that the account exists in.
"oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E:sub": "system:serviceaccount:KUBERNETES_SERVICE_ACCOUNT_NAMESPACE:KUBERNETES_SERVICE_ACCOUNT_NAME"
If you don't have an existing Kubernetes service
account, then you need to create one. For more information,
see Configure Service Accounts for Pods in the
Kubernetes documentation. For the service account to be able
to use Kubernetes permissions, you must create a
Role, or ClusterRole and then
bind the role to the service account. For more information,
see Using RBAC Authorization in the Kubernetes
documentation. When the AWS
VPC CNI plugin is deployed, for example, the
deployment manifest creates a service account, cluster role,
and cluster role binding. You can view themanifest on GitHub.
-
Choose Update Trust Policy to finish.
- AWS CLI
-
-
Set your AWS account ID to an environment variable with the
following command.
ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
-
Set your OIDC identity provider to an environment variable
with the following command. Replace the
example values
You must use at least version 1.22.30 or
2.4.9 of the AWS CLI to receive the proper
output from this command. For more information, see Installing the AWS CLI in the
AWS Command Line Interface User Guide.
OIDC_PROVIDER=$(aws eks describe-cluster --name cluster-name --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
-
Copy the following code block to your computer and replace the
example values
read -r -d '' TRUST_RELATIONSHIP <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"${OIDC_PROVIDER}:sub": "system:serviceaccount:my-namespace:my-service-account"
}
}
}
]
}
EOF
echo "${TRUST_RELATIONSHIP}" > trust.json
-
Run the modified code block from the previous step to create a
file named
trust.json
-
Run the following AWS CLI command to create the role.
aws iam create-role --role-name IAM_ROLE_NAME --assume-role-policy-document file://trust.json --description "IAM_ROLE_DESCRIPTION"
-
Run the following command to attach your IAM policy to your
role.
aws iam attach-role-policy --role-name IAM_ROLE_NAME --policy-arn=IAM_POLICY_ARN
