How to enable Amazon EKS Pod Identity and assign role to Service account running workloads

Step by Step: How to Enable Amazon EKS Pod Identity and assign role to Service account

EKS Pod Identity is a feature introduced by Amazon EKS (Elastic Kubernetes Service) that simplifies how cluster administrators can configure Kubernetes applications to obtain AWS IAM (Identity and Access Management) permissions. Here are some advantages of using EKS Pod Identity:

1. Simplified IAM Permissions Configuration: EKS Pod Identity makes it easier to configure IAM permissions for Kubernetes applications. It reduces the number of steps required to configure IAM permissions by providing a simpler process through the EKS console, APIs, and CLI.
2. Reuse of Permission Policies: EKS Pod Identity enables the reuse of permission policies across IAM roles. This simplifies policy management and allows for the easy use of an IAM role across multiple clusters.
3. Fine-Grained IAM Management: With EKS Pod Identity, you can configure Kubernetes applications running on AWS with fine-grained AWS IAM. This allows for more granular control over IAM permissions for your applications.

These advantages make EKS Pod Identity a valuable feature for simplifying IAM permissions management and enhancing security and efficiency for cloud-native applications running on Amazon EKS clusters.

Step 1: Create an IAM role with required permissions and update the trust policy to allow Principal “pods.eks.amazonaws.com”

Step 2: Install add-on **“Amazon EKS Pod Identity Agent” **on the cluster and verifying that pod identity DaemonSet is running.

Click on Getmore Add-ons

Check/Select EKS Pod Identity Agent and click.

Click on Create:

This is will start EKS POD Identity DeamonSet in the kube-system namespace

Command Line of Step2:

$ aws eks create-addon \
--cluster-name REPLACEME_WITH_CLUSTER_NAME \
--addon-name eks-pod-identity-agent \
--addon-version v1.0.0-eksbuild.1

Step 3: Create Pod Identity Association

1. Identify the service account used for the pod

2. On the EKS Console- Select the cluster and go to Access Tab and click on Create Pod Identity association under the section “Pod Identity Associations”

3. Select the IAM Role, Namespace, and Service account and click on Create

4. There should now be an entry of association in Access tab of EKS Console

Step 4: Use the Service account in EKS to validate the access

1. Create a pod yaml configuration

####cat  aws-pod.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: aws-pod
  name: aws-pod
  namespace: demo
spec:
  serviceAccountName: demo-sa
  containers:
  - image: public.ecr.aws/aws-cli/aws-cli
    command:
      - "aws"
      - "s3"
      - "ls"
    name: aws-pod
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

2. Start the Pod using the kubectl

$ kubectl create -f aws-pod.yaml

3. Verify the Pod has access to role and could use this role to create access the S3

$ kubectl logs -f aws-pod -n demo

Expected result – List of S3 buckets in the account