Step by Step: How to Enable Amazon EKS Pod Identity and Assign a Role to a Service Account
EKS Pod Identity is a feature introduced by Amazon EKS (Elastic Kubernetes Service) that simplifies how cluster administrators can configure Kubernetes applications to obtain AWS IAM (Identity and Access Management) permissions. Here are some advantages of using EKS Pod Identity:
- Simplified IAM Permissions Configuration: EKS Pod Identity makes it easier to configure IAM permissions for Kubernetes applications. It reduces the number of steps required to configure IAM permissions by providing a simpler process through the EKS console, APIs, and CLI.
- Reuse of Permission Policies: EKS Pod Identity enables the reuse of permission policies across IAM roles. This simplifies policy management and allows for the easy use of an IAM role across multiple clusters.
- Fine-Grained IAM Management: With EKS Pod Identity, you can configure Kubernetes applications running on AWS with fine-grained AWS IAM. This allows for more granular control over IAM permissions for your applications.
These advantages make EKS Pod Identity a valuable feature for simplifying IAM permissions management and enhancing security and efficiency for cloud-native applications running on Amazon EKS clusters.
Step 1: Create an IAM role with the required permissions and update its trust policy to allow the principal “pods.eks.amazonaws.com”.
Step 2: Install the add-on “Amazon EKS Pod Identity Agent” on the cluster and verify that the Pod Identity DaemonSet is running.
Click on “Get more add-ons”.
Check/select “EKS Pod Identity Agent” and click.
Click on “Create”:
This will start the EKS Pod Identity DaemonSet in the kube-system namespace.
Command-line equivalent of Step 2:
```bash
# Installs the Pod Identity agent add-on; the version flag pins a specific build
$ aws eks create-addon \
    --cluster-name REPLACEME_WITH_CLUSTER_NAME \
    --addon-name eks-pod-identity-agent \
    --addon-version v1.0.0-eksbuild.1
```
Step 3: Create a Pod Identity Association
- Identify the service account used by the pod.
- On the EKS Console, select the cluster, go to the Access tab and click on “Create Pod Identity association” under the section “Pod Identity Associations”.
- Select the IAM role, namespace and service account and click on “Create”.
- There should now be an association entry in the Access tab of the EKS Console.
Step 4: Use the service account in EKS to validate the access
- Create a pod YAML configuration
```bash
$ cat aws-pod.yaml
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: aws-pod
  name: aws-pod
  namespace: demo
spec:
  # The service account that the Pod Identity association maps to the IAM role
  serviceAccountName: demo-sa
  containers:
  - image: public.ecr.aws/aws-cli/aws-cli
    # Runs a single "aws s3 ls" so the pod logs show whether the role was assumed
    command:
    - "aws"
    - "s3"
    - "ls"
    name: aws-pod
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
```
- Start the pod using kubectl
```bash
$ kubectl create -f aws-pod.yaml
```
- Verify that the pod can assume the role and use it to access S3
```bash
$ kubectl logs -f aws-pod -n demo
```
Expected result: the list of S3 buckets in the account.
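The four steps above, carried through end to end on the command line, as an added example that is not part of the original post. It creates the IAM role with the Pod Identity trust policy, attaches a least-privilege S3 policy instead of a broad one, installs the agent, creates the association for `demo`/`demo-sa` (the names from the post) and then checks from inside a pod which identity was actually assumed. `CLUSTER_NAME`, `ROLE_NAME` and `BUCKET` are assumed placeholders to replace; the `aws:PrincipalTag/kubernetes-namespace` condition relies on the session tags EKS Pod Identity sets when it assumes the role, which is why the trust policy must grant `sts:TagSession` as well as `sts:AssumeRole`. Nothing talks to AWS unless the script is run with the argument `apply`.

```shell
#!/usr/bin/env bash
# Added example, not the original post's code. Assumed placeholders: CLUSTER_NAME,
# ROLE_NAME, BUCKET. Namespace "demo" and service account "demo-sa" are from the post.
set -eu

CLUSTER_NAME="${CLUSTER_NAME:-REPLACEME_WITH_CLUSTER_NAME}"   # assumed placeholder
ROLE_NAME="${ROLE_NAME:-eks-pod-identity-demo-role}"         # assumed role name
BUCKET="${BUCKET:-REPLACEME_WITH_BUCKET}"                    # assumed placeholder
NAMESPACE="demo"
SERVICE_ACCOUNT="demo-sa"

# Step 1a: trust policy. Only the EKS Pod Identity service may assume the role.
# sts:TagSession is required because Pod Identity tags each session with the
# cluster, namespace, service account and pod name.
trust_policy_json() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "pods.eks.amazonaws.com" },
      "Action": [ "sts:AssumeRole", "sts:TagSession" ]
    }
  ]
}
EOF
}

# Step 1b: permission policy scoped to what the post's "aws s3 ls" check needs.
# Listing objects is limited to one bucket and, via the session tag Pod Identity
# sets, to sessions that originate from the expected Kubernetes namespace.
s3_policy_json() {
  bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*" },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${bucket}",
      "Condition": { "StringEquals": { "aws:PrincipalTag/kubernetes-namespace": "${NAMESPACE}" } }
    }
  ]
}
EOF
}

apply() {
  # Step 1: create the role and attach the scoped policy
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy_json)"
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name s3-list-only --policy-document "$(s3_policy_json "$BUCKET")"
  role_arn=$(aws iam get-role --role-name "$ROLE_NAME" --query Role.Arn --output text)

  # Step 2: install the agent add-on and confirm its DaemonSet is rolled out
  aws eks create-addon --cluster-name "$CLUSTER_NAME" --addon-name eks-pod-identity-agent
  aws eks wait addon-active --cluster-name "$CLUSTER_NAME" --addon-name eks-pod-identity-agent
  kubectl rollout status daemonset/eks-pod-identity-agent -n kube-system

  # Step 3: bind the role to the service account and list the result
  aws eks create-pod-identity-association --cluster-name "$CLUSTER_NAME" \
    --namespace "$NAMESPACE" --service-account "$SERVICE_ACCOUNT" --role-arn "$role_arn"
  aws eks list-pod-identity-associations --cluster-name "$CLUSTER_NAME" --namespace "$NAMESPACE"

  # Step 4: only pods created after the association receive the injected credentials.
  # The identity check must print the assumed-role ARN for $ROLE_NAME, not the node role.
  kubectl create namespace "$NAMESPACE" 2>/dev/null || true
  kubectl create serviceaccount "$SERVICE_ACCOUNT" -n "$NAMESPACE" 2>/dev/null || true
  kubectl run identity-check -n "$NAMESPACE" --image=public.ecr.aws/aws-cli/aws-cli \
    --restart=Never --rm -i --attach \
    --overrides="{\"spec\":{\"serviceAccountName\":\"$SERVICE_ACCOUNT\"}}" \
    -- sts get-caller-identity
  kubectl create -f aws-pod.yaml
  kubectl logs -f aws-pod -n "$NAMESPACE"
}

if [ "${1:-}" = "apply" ]; then
  apply
fi
```

The `sts get-caller-identity` call is the check worth keeping: if its `Arn` shows the node's instance role instead of the assumed role, the pod is not using the association (for example because it was created before the association existed or under a different service account) and has silently fallen back to the node's credentials, which is exactly the broad identity Pod Identity is meant to replace.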