
Associate IAM Roles With Service Accounts

This page describes how to associate an IAM role with a service account (IRSA) in EPAM Delivery Platform.

Get acquainted with the AWS Official Documentation on the subject before proceeding.

Common Configuration of IAM Roles With Service Accounts

To successfully associate the IAM role with the service account, follow the steps below:

  1. Create an IAM role that will further be associated with the service account. This role must have the following trust policy:

    IAM Role

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/<OIDC_PROVIDER>"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "<OIDC_PROVIDER>:sub": "system:serviceaccount:<SERVICE_ACCOUNT_NAMESPACE>:<SERVICE_ACCOUNT_NAME>"
            }
          }
        }
      ]
    }
    

    View the cluster's <OIDC_PROVIDER> URL:

      aws eks describe-cluster --name <CLUSTER_NAME> --query "cluster.identity.oidc.issuer" --output text
    

    Example output:

      https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E
    

    <OIDC_PROVIDER> in this example will be:

      oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E
    
  2. Deploy the amazon-eks-pod-identity-webhook v0.2.0.

    Note

    The amazon-eks-pod-identity-webhook functionality is provided out of the box in EKS v1.21 and higher; this does not apply to clusters that have been upgraded from older versions. On clusters where it is provided out of the box, skip step 2 and continue from step 3 of this documentation.

    2.1. Provide the stable (ed8c41f) version of the Docker image in the deploy/deployment-base.yaml file.

    2.2. Provide ${CA_BUNDLE} in the deploy/mutatingwebhook.yaml file:

      secret_name=$(kubectl -n default get sa default -o jsonpath='{.secrets[0].name}') \
      CA_BUNDLE=$(kubectl -n default get secret/$secret_name -o jsonpath='{.data.ca\.crt}' | tr -d '\n')
    

    2.3. Deploy the Webhook:

      kubectl apply -f deploy/
    

    2.4. Approve the CSR:

      csr_name=$(kubectl get csr -o jsonpath='{.items[?(@.spec.username=="system:serviceaccount:default:pod-identity-webhook")].metadata.name}')
      kubectl certificate approve $csr_name
    
  3. Annotate the created service account with the IAM role:

    Service Account

      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: <SERVICE_ACCOUNT_NAME>
        namespace: <NAMESPACE>
        annotations:
          eks.amazonaws.com/role-arn: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
    
  4. All newly launched pods that use this service account are mutated by the webhook and then run under the associated IAM role. Find the pod specification template below:

    Pod Template

      apiVersion: v1
      kind: Pod
      metadata:
        name: irsa-test
        namespace: <POD_NAMESPACE>
      spec:
        serviceAccountName: <SERVICE_ACCOUNT_NAME>
        securityContext:
          fsGroup: 65534
        containers:
        - name: terraform
          image: epamedp/edp-jenkins-terraform-agent:3.0.9
          command: ['sh', '-c', 'aws sts "get-caller-identity" && sleep 3600']
    
  5. Check the logs of the pod created from the template above.

    Example output:

      {
      "UserId": "XXXXXXXXXXXXXXXXXXXXX:botocore-session-XXXXXXXXXX",
      "Account": "XXXXXXXXXXXX",
      "Arn": "arn:aws:sts::XXXXXXXXXXXX:assumed-role/AWSIRSATestRole/botocore-session-XXXXXXXXXX"
      }
    

    As a result, it is possible to perform actions in AWS under the AWSIRSATestRole role.
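The procedure above stands or falls on two strings matching exactly: the Federated principal in the trust policy (step 1) must name the cluster's OIDC provider, and the `sub` condition must pin the role to one `namespace:serviceaccount` pair, otherwise any service account the provider vouches for could assume it. The script below is an added example, not part of the EPAM Delivery Platform documentation or code; it fills the step 1 template from the issuer URL and checks an existing trust policy and step 3 role annotation against the expected values. The issuer URL is the page's own example output; the account id, namespace and service account name are constructed placeholders, and the loosened `StringLike` policy is constructed as a negative case.

```python
"""Render and validate an IRSA trust policy (added example, standard library only)."""
import copy
import json
import re

# Constructed sample values. The issuer URL is the page's example output; the
# account id, namespace and service account name are assumptions for this example.
ISSUER_URL = "https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"
ACCOUNT_ID = "111122223333"
NAMESPACE = "edp"
SA_NAME = "irsa-test-sa"
ROLE_NAME = "AWSIRSATestRole"

ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"


def oidc_provider_from_issuer(issuer_url):
    """Step 1: the trust policy uses the issuer without its scheme, e.g.
    oidc.eks.us-west-2.amazonaws.com/id/..., not the full https:// URL."""
    return re.sub(r"^https?://", "", issuer_url.strip())


def expected_sub(namespace, sa_name):
    """Subject claim Kubernetes puts into the projected service account token."""
    return "system:serviceaccount:%s:%s" % (namespace, sa_name)


def render_trust_policy(account_id, oidc_provider, namespace, sa_name):
    """Return the step 1 trust policy with every placeholder filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::%s:oidc-provider/%s" % (account_id, oidc_provider)
                },
                "Action": ASSUME_ACTION,
                "Condition": {
                    "StringEquals": {oidc_provider + ":sub": expected_sub(namespace, sa_name)}
                },
            }
        ],
    }


def check_trust_policy(policy, account_id, oidc_provider, namespace, sa_name):
    """Return a list of findings. Empty list means every Allow statement is pinned
    to exactly this cluster's provider and exactly this service account."""
    findings = []
    provider_arn = "arn:aws:iam::%s:oidc-provider/%s" % (account_id, oidc_provider)
    want_sub = expected_sub(namespace, sa_name)
    sub_key = oidc_provider + ":sub"

    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]

    allow_seen = False
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        allow_seen = True

        principal = st.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if federated != provider_arn:
            findings.append("statement %d: Federated principal %r != %r" % (i, federated, provider_arn))

        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if actions != [ASSUME_ACTION]:
            findings.append("statement %d: Action must be exactly %s, got %r" % (i, ASSUME_ACTION, actions))

        cond = st.get("Condition", {})
        pinned = cond.get("StringEquals", {}).get(sub_key)
        if pinned != want_sub:
            # A StringLike wildcard (or no sub condition at all) lets other service
            # accounts that the same provider vouches for assume this role.
            like = cond.get("StringLike", {}).get(sub_key)
            if like is not None:
                findings.append("statement %d: sub matched with StringLike %r; use StringEquals %r" % (i, like, want_sub))
            else:
                findings.append("statement %d: sub condition %r does not pin %r" % (i, pinned, want_sub))

    if not allow_seen:
        findings.append("no Allow statement found")
    return findings


def check_role_annotation(role_arn, account_id, role_name):
    """Step 3: the eks.amazonaws.com/role-arn annotation must name the role in this account."""
    return role_arn == "arn:aws:iam::%s:role/%s" % (account_id, role_name)


def loosened_policy(policy, oidc_provider):
    """Constructed negative case: same statement, but the sub is wildcarded with StringLike."""
    bad = copy.deepcopy(policy)
    bad["Statement"][0]["Condition"] = {"StringLike": {oidc_provider + ":sub": "system:serviceaccount:*:*"}}
    return bad


if __name__ == "__main__":
    provider = oidc_provider_from_issuer(ISSUER_URL)
    good = render_trust_policy(ACCOUNT_ID, provider, NAMESPACE, SA_NAME)
    print(json.dumps(good, indent=2))
    print("pinned policy findings:", check_trust_policy(good, ACCOUNT_ID, provider, NAMESPACE, SA_NAME))
    print("wildcard policy findings:", check_trust_policy(loosened_policy(good, provider), ACCOUNT_ID, provider, NAMESPACE, SA_NAME))
```

To use it against a real role, feed `check_trust_policy` the output of `aws iam get-role --role-name <IAM_ROLE_NAME> --query Role.AssumeRolePolicyDocument` and the provider string derived from `aws eks describe-cluster`; a non-empty findings list means the role can be assumed from somewhere other than the intended service account, or cannot be assumed from it at all.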