@russau
Last active August 2, 2024 01:34
My pod wants to access AWS resources - IRSA (IAM Roles for Service Accounts)

# set up trust between IAM and the EKS cluster OIDC provider
eksctl utils associate-iam-oidc-provider --cluster=quick-cluster --approve

# create an IAM role and a Kubernetes service account with DynamoDB access
eksctl create iamserviceaccount --cluster=quick-cluster \
--name=dynamo-sa --namespace=default \
--attach-policy-arn=arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess --approve

# let's look at the service account
kubectl get sa dynamo-sa -o yaml

# the service account is annotated with the role that was created - jump into the console and look at the trust policy on that role

# launch a container with the new service account
# (serviceAccountName is the current pod spec field; serviceAccount is its deprecated alias)
kubectl run -ti --rm super-pod-man \
  --image=amazon/aws-cli \
  --overrides='{ "spec": { "serviceAccountName": "dynamo-sa" } }' \
  --command -- bash

# from inside the container
aws dynamodb list-tables

Where does IRSA get its credentials from?

# the IRSA mutating webhook (amazon-eks-pod-identity-webhook) injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into the pod;
# the SDK/CLI makes this STS call for you, but doing it by hand shows what is exchanged
aws sts assume-role-with-web-identity --role-arn $AWS_ROLE_ARN --web-identity-token $(cat $AWS_WEB_IDENTITY_TOKEN_FILE) --role-session-name session1
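What STS checks in that call is the projected token's claims against the role's trust policy. The following is an added example (not part of the gist) that decodes a token of that shape and evaluates the StringEquals conditions the way the trust policy does; the issuer id, account-free ARNs and expiry are constructed placeholders.

```python
import base64
import json

# Constructed sample payload of a projected service-account token, shaped like the
# one IRSA mounts at $AWS_WEB_IDENTITY_TOKEN_FILE (issuer id and exp are placeholders).
SAMPLE_CLAIMS = {
    "iss": "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID",
    "sub": "system:serviceaccount:default:dynamo-sa",
    "aud": ["sts.amazonaws.com"],
    "exp": 1722560000,
}

# The StringEquals block eksctl writes into the role's trust policy (constructed to
# match SAMPLE_CLAIMS): the issuer host/path prefixes each condition key.
TRUST_CONDITIONS = {
    "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID:sub": "system:serviceaccount:default:dynamo-sa",
    "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID:aud": "sts.amazonaws.com",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string for inspection demos only; the signature is a placeholder."""
    header = b64url(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.placeholder-signature"

def decode_claims(token: str) -> dict:
    """Return the payload of a JWT without verifying it (STS does the verification)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def trust_policy_allows(claims: dict, conditions: dict) -> bool:
    """Evaluate trust-policy StringEquals conditions the way IAM matches them
    against the token: every key's issuer prefix must equal the token's iss and
    the named claim must equal the expected value (aud is a list, so any element).
    """
    issuer = claims["iss"].split("://", 1)[1]
    for key, expected in conditions.items():
        prefix, claim = key.rsplit(":", 1)
        actual = claims.get(claim)
        if prefix != issuer:
            return False
        if not (expected in actual if isinstance(actual, list) else actual == expected):
            return False
    return True
```

The `:sub` condition is what keeps a pod running under a different service account (or a different cluster's issuer) from assuming the role, which is why it is worth checking in the console.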

My pod wants to access AWS resources - EKS Pod Identity association

Pod identity association

# install the addon into the cluster
eksctl create addon --cluster quick-cluster --name eks-pod-identity-agent

kubectl create serviceaccount sa-buckets-man

# aws eks create-pod-identity-association \
#  --cluster-name quick-cluster \
#  --namespace default \
#  --service-account sa-buckets-man \
#  --role-arn arn:aws:iam::414514743156:role/pods-s3-reader

# currently blocked by SCP

eksctl create podidentityassociation \
    --cluster quick-cluster \
    --namespace default \
    --service-account-name sa-buckets-man \
    --permission-policy-arns="arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"

# while we wait, go into the console and look at the CloudFormation stack and the role it created

# launch a container with the new service account (serviceAccountName rather than the deprecated serviceAccount field)
kubectl run -ti --rm buckets-test \
  --image=amazon/aws-cli \
  --overrides='{ "spec": { "serviceAccountName": "sa-buckets-man" } }' \
  --command -- bash

# from inside the pod container
aws s3api list-buckets

Where do Pod Identities get their credentials from?

# the EKS Pod Identity webhook injects AWS_CONTAINER_CREDENTIAL_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE into the pod,
# and the eks-pod-identity-agent addon serves the link-local endpoint; the SDK/CLI makes this request for you
curl -H "Authorization: $(cat $AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE)" http://169.254.170.23/v1/credentials