IAM Roles for Velero Service Accounts
Note: Make sure that IAM Roles for Service Accounts (IRSA) is enabled on the cluster and that `amazon-eks-pod-identity-webhook` is deployed, as described in the Associate IAM Roles With Service Accounts documentation. Without the webhook, the `eks.amazonaws.com/role-arn` annotation used in the last step is never translated into a projected token and `AWS_ROLE_ARN` environment variable for the Velero pod.
The Velero AWS plugin needs access to EC2 snapshots and to the S3 backup bucket. Follow the steps below to create the required IAM policy and role:
- Create the AWS IAM policy `AWSIRSA<CLUSTER_NAME><VELERO_NAMESPACE>Velero_policy`:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeVolumes",
          "ec2:DescribeSnapshots",
          "ec2:CreateTags",
          "ec2:CreateVolume",
          "ec2:CreateSnapshot",
          "ec2:DeleteSnapshot"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:DeleteObject",
          "s3:PutObject",
          "s3:AbortMultipartUpload",
          "s3:ListMultipartUploadParts"
        ],
        "Resource": [
          "arn:aws:s3:::velero-*/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::velero-*"
        ]
      }
    ]
  }
  ```

  The S3 statements match every bucket whose name starts with `velero-`. Because this installation uses the single bucket `velero-<CLUSTER_NAME>` (see the bucket step below), you can tighten both `Resource` entries to that exact name so the role cannot read or delete another cluster's backups kept in the same account.
- Create the AWS IAM role `AWSIRSA<CLUSTER_NAME><VELERO_NAMESPACE>Velero` with the following trust relationship:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/<OIDC_PROVIDER>"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "<OIDC_PROVIDER>:sub": "system:serviceaccount:<VELERO_NAMESPACE>:edp-velero"
          }
        }
      }
    ]
  }
  ```

  The `sub` condition pins the role to the service account `edp-velero` in `<VELERO_NAMESPACE>`; a pod running under any other service account presents a token with a different `sub` and is refused `sts:AssumeRoleWithWebIdentity`. It is also good practice to add `"<OIDC_PROVIDER>:aud": "sts.amazonaws.com"` to the same `StringEquals` block so that only tokens issued for the STS audience are accepted.
- Attach the `AWSIRSA<CLUSTER_NAME><VELERO_NAMESPACE>Velero_policy` policy to the `AWSIRSA<CLUSTER_NAME><VELERO_NAMESPACE>Velero` role.
- Make sure that an Amazon S3 bucket named `velero-<CLUSTER_NAME>` exists. The name must fall under the `arn:aws:s3:::velero-*` resources allowed by the policy above.
- Set the annotation `eks.amazonaws.com/role-arn: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/AWSIRSA<CLUSTER_NAME><VELERO_NAMESPACE>Velero"` in the `serviceAccount.server.annotations` parameter of `values.yaml` during the Velero installation. The annotated service account must be the `edp-velero` one referenced in the trust policy; annotating a service account with any other name leaves the `sub` condition unmatched and the role cannot be assumed.
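The steps above as one POSIX shell script driving the AWS CLI and `kubectl`. This is an added example, not code from the Velero project or from this documentation. It assumes placeholder values for `CLUSTER_NAME`, `VELERO_NAMESPACE`, `AWS_ACCOUNT_ID` and `OIDC_PROVIDER` (override them in the environment), keeps the service-account name `edp-velero` fixed by the trust policy on this page, and deliberately goes further than the page in two places: the S3 statements are scoped to the exact bucket `velero-<CLUSTER_NAME>` instead of `velero-*`, and the trust policy carries an `aud` condition. The pod label `app.kubernetes.io/name=velero` used in `verify` is assumed from the upstream Velero Helm chart.

```shell
#!/bin/sh
# Added example: provision the IRSA policy and role for Velero, then verify
# that the webhook injected the role into the Velero pod. Not project code.
# Assumed placeholders below; override them in the environment.
set -eu

: "${CLUSTER_NAME:=prod}"
: "${VELERO_NAMESPACE:=velero}"
: "${AWS_ACCOUNT_ID:=111122223333}"
: "${OIDC_PROVIDER:=oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE}"
: "${SERVICE_ACCOUNT:=edp-velero}"   # fixed by the trust policy's sub condition

policy_name() { printf 'AWSIRSA%s%sVelero_policy' "$CLUSTER_NAME" "$VELERO_NAMESPACE"; }
role_name()   { printf 'AWSIRSA%s%sVelero' "$CLUSTER_NAME" "$VELERO_NAMESPACE"; }
bucket_name() { printf 'velero-%s' "$CLUSTER_NAME"; }
role_arn()    { printf 'arn:aws:iam::%s:role/%s' "$AWS_ACCOUNT_ID" "$(role_name)"; }

# Permissions policy: same actions as the page, but the S3 resources are
# pinned to the single bucket velero-<CLUSTER_NAME> rather than velero-*.
render_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:CreateTags",
        "ec2:CreateVolume", "ec2:CreateSnapshot", "ec2:DeleteSnapshot"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject", "s3:DeleteObject", "s3:PutObject",
        "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::$(bucket_name)/*"
    },
    { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::$(bucket_name)" }
  ]
}
EOF
}

# Trust policy: the sub condition is the one from the page; the aud condition
# is an added check so only tokens minted for the STS audience can assume the role.
render_trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_PROVIDER}:sub": "system:serviceaccount:${VELERO_NAMESPACE}:${SERVICE_ACCOUNT}",
          "${OIDC_PROVIDER}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
}

# Bucket check, policy, role, attachment, and the annotation for values.yaml.
apply() {
  aws s3api head-bucket --bucket "$(bucket_name)" >/dev/null 2>&1 \
    || { echo "bucket $(bucket_name) does not exist; create it first" >&2; exit 1; }
  policy_arn=$(aws iam create-policy --policy-name "$(policy_name)" \
    --policy-document "$(render_policy)" --query Policy.Arn --output text)
  aws iam create-role --role-name "$(role_name)" \
    --assume-role-policy-document "$(render_trust_policy)" >/dev/null
  aws iam attach-role-policy --role-name "$(role_name)" --policy-arn "$policy_arn"
  printf 'Add to values.yaml:\nserviceAccount:\n  server:\n    annotations:\n      eks.amazonaws.com/role-arn: "%s"\n' "$(role_arn)"
}

# After the chart is installed: the pod identity webhook must have injected
# AWS_ROLE_ARN into the Velero pod, and it must be the role created above.
verify() {
  injected=$(kubectl -n "$VELERO_NAMESPACE" get pods -l app.kubernetes.io/name=velero \
    -o jsonpath='{.items[0].spec.containers[0].env[?(@.name=="AWS_ROLE_ARN")].value}')
  [ "$injected" = "$(role_arn)" ] \
    || { echo "pod has AWS_ROLE_ARN='$injected', expected $(role_arn)" >&2; exit 1; }
  echo "IRSA wired correctly: $injected"
}

case "${1:-}" in
  apply)  apply ;;
  verify) verify ;;
esac
```

Run `sh irsa-velero.sh apply` with the real values exported before installing the chart, then `sh irsa-velero.sh verify` once the Velero pod is up. If `verify` reports an empty `AWS_ROLE_ARN`, the webhook did not mutate the pod: check that the annotation landed on the `edp-velero` service account and that the pod was created after the annotation was applied.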