Accessing AWS resources from EKS pods by attaching AWS IAM Roles to EKS pods using the OIDC provider and EKS service account

Sudhanshu Dev
5 min read · Dec 18, 2022

In this article, I will explain how to access AWS resources from EKS pods. There are many use cases where a pod needs to reach AWS resources. One option is to put an IAM user's access key and secret key into the pod, but that is neither secure nor recommended. The best and recommended way is to use an IAM role.

The EKS pod is bound to a Kubernetes service account, and the service account is linked to an AWS IAM role. Using the cluster's OIDC provider, we can attach an IAM role to an EKS pod with very little effort.

In this article, I will list AWS S3 bucket objects from the EKS pod.

Prerequisites for this article:
a) AWS Account.
b) AWS EKS Cluster.

Create an AWS S3 bucket and add objects to it:
a) Go to the AWS S3 console and click on “Create bucket”.

b) Fill in the details (bucket name demo-oidc-eks-pods, region, etc.) and create the bucket. You can use the AWS documentation as a reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html

c) Upload three files, “pic1.jpeg”, “pic2.jpeg” and “pic3.jpeg”.

Create OIDC Provider for EKS cluster:
a) Go to the EKS cluster and copy the OIDC provider URL (shown inside the green rectangle in the screenshot).

b) Go to IAM -> Identity providers -> Add provider.

c) Choose OpenID Connect -> paste the EKS OIDC URL into “Provider URL” and click on “Get thumbprint”. Enter “sts.amazonaws.com” into the Audience text box and click on “Add provider”.

Create an IAM S3 policy named “demo-oidc-eks-pods-s3-policy”:
This policy will be attached to the IAM role. Below are the IAM policy details (list and read access limited to the demo bucket and its objects).

{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::demo-oidc-eks-pods",
        "arn:aws:s3:::demo-oidc-eks-pods/*"
      ]
    }
  ],
  "Version": "2012-10-17"
}

Create IAM Role and Trust Relationship with Identity Provider:

a) Go to AWS IAM -> Roles -> Create role.

b) Choose Web identity -> select the OIDC provider created above from the Identity provider drop-down -> choose sts.amazonaws.com from the Audience drop-down -> click on Next.

c) Choose the IAM S3 policy created above and click on the Next button.

With the trust policy the console generates at this point, any service account in the cluster can assume this role and access the S3 bucket. To restrict the role to a specific service account, we need to edit the trust relationship of the IAM role (here we will restrict it to the demo-sa service account in the demo namespace).

a) Open the IAM role and edit the trust relationship.

We will replace the generated trust policy with the following one, so that only the demo-sa service account can assume this IAM role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::************:oidc-provider/oidc.eks.ap-south-1.amazonaws.com/id/0982496550AB9B5FF18DB97248906CD4"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.ap-south-1.amazonaws.com/id/0982496550AB9B5FF18DB97248906CD4:sub": "system:serviceaccount:demo:demo-sa"
        }
      }
    }
  ]
}
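The whole point of the edited trust policy above is the `<provider>:sub` condition. As an added check (my own example, not part of the original article), the following script audits a trust policy for the cluster's OIDC provider and reports which service accounts each statement is scoped to, flagging a statement with no `:sub` condition (assumable by every service account in the cluster) or a wildcard pattern, and whether the `:aud` claim is pinned to sts.amazonaws.com. The account id and provider id in the sample are constructed placeholders.

```python
import json
from typing import Any

# Constructed sample (not a real account or provider id): the article's trust
# policy shape, with the `:sub` condition restricting it to demo/demo-sa.
PROVIDER = "oidc.eks.ap-south-1.amazonaws.com/id/EXAMPLEPROVIDERID"
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{PROVIDER}:sub": "system:serviceaccount:demo:demo-sa"}},
    }],
})

def _as_list(value: Any) -> list:
    # IAM allows a single string wherever a list of strings is accepted.
    return value if isinstance(value, list) else [value]

def audit_irsa_trust(policy_json: str, provider: str) -> list[dict]:
    """Inspect each Allow statement for sts:AssumeRoleWithWebIdentity via `provider`.

    `subjects` empty means no `<provider>:sub` condition: every service account in
    the cluster can assume the role (what the console generates before editing).
    `aud_pinned` is False when `<provider>:aud` is not held to sts.amazonaws.com.
    """
    results = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", []))
                or not any(p.endswith(":oidc-provider/" + provider) for p in federated)):
            continue
        subjects, wildcard, aud_pinned = [], False, False
        for op, keys in stmt.get("Condition", {}).items():
            for key, val in keys.items():
                if key == f"{provider}:sub":
                    subjects += _as_list(val)
                    wildcard |= op.endswith("StringLike") and any("*" in s or "?" in s for s in _as_list(val))
                elif key == f"{provider}:aud" and op.endswith("StringEquals"):
                    aud_pinned = "sts.amazonaws.com" in _as_list(val)
        results.append({"statement": i, "subjects": subjects, "wildcard": wildcard,
                        "aud_pinned": aud_pinned})
    return results

def unscoped_statements(policy_json: str, provider: str) -> list[int]:
    """Indexes of statements that any service account in the cluster could use."""
    return [r["statement"] for r in audit_irsa_trust(policy_json, provider) if not r["subjects"]]

if __name__ == "__main__":
    for r in audit_irsa_trust(SCOPED_POLICY, PROVIDER):
        print(r)
```

Run it against the JSON copied from the role's trust relationship; an empty `subjects` list is the case the edit above is meant to close.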

Deploying demo app to AWS EKS Cluster:

a) Create demo namespace.

kubectl create ns demo

b) Create the demo-sa service account. To make it easy, copy the Kubernetes service account manifest below, add the IAM role ARN in the annotation, and save it as demo-sa.yaml.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo-sa
  namespace: demo
  annotations:
    eks.amazonaws.com/role-arn: <AWS Role ARN>

c) Apply the service account manifest file.

kubectl apply -f demo-sa.yaml

d) Create a Kubernetes manifest file demo-pod.yaml to run a pod with the demo-sa service account. The init container lists the bucket with the AWS CLI using the role credentials injected through the service account; the main container is just a placeholder nginx.

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: demo-app
  name: demo-app
  namespace: demo
spec:
  serviceAccountName: demo-sa
  initContainers:
  - image: amazon/aws-cli
    name: demo-aws-cli-container
    command: ['aws', 's3', 'ls', 's3://demo-oidc-eks-pods/']
  containers:
  - image: nginx
    name: demo-app
    ports:
    - containerPort: 80
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

e) Apply the pod manifest and check the init container logs.

kubectl logs demo-app demo-aws-cli-container -n demo

Now you can see the three files that we uploaded to the AWS S3 bucket listed in the log output.

Written by Sudhanshu Dev

DevOps enthusiast & SRE with expertise in #AWS, #Kubernetes, #GitLab, Python, and Oracle Cloud automation. 💻🚀
