russau · August 2, 2024 01:34 · Aug 2, 2024 · Aug 2, 2024 · Aug 1, 2024 · Aug 1, 2024
diff --git a/demo-podid.md b/demo-podid.md
@@ -1,9 +1,12 @@
-# My pod wants to access AWS resources - pod-identity assoc
+# My pod wants to access AWS resources - pod-identity assoc 
 
 
 ## Pod identity association
 
 ```
+# install the addon into the cluster
+eksctl create addon --cluster quick-cluster --name eks-pod-identity-agent
+
 kubectl create serviceaccount sa-buckets-man
 
 # aws eks create-pod-identity-association \
@@ -12,12 +15,18 @@ kubectl create serviceaccount sa-buckets-man
 #  --service-account sa-buckets-man \
 #  --role-arn arn:aws:iam::414514743156:role/pods-s3-reader
 
+# currently blocked by SCP
+
 eksctl create podidentityassociation \
     --cluster quick-cluster \
     --namespace default \
     --service-account-name sa-buckets-man \
     --permission-policy-arns="arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" 
 
+# while we wait go into the console and look at cloudformation and the role created
+
+
+
 kubectl run -ti --rm buckets-test \
   --image=amazon/aws-cli \
   --overrides='{ "spec": { "serviceAccount": "sa-buckets-man" }  }' \

diff --git a/demo-irsa.md b/demo-irsa.md
@@ -12,6 +12,8 @@ eksctl create iamserviceaccount --cluster=quick-cluster \
 # let's look at the service account
 kubectl get sa dynamo-sa -o yaml
 
+# we see the role that was created by eks - jump into the console and look at the trust policy on the role
+
 # launch a container with the new service account
 kubectl run -ti --rm super-pod-man \
   --image=amazon/aws-cli \

diff --git a/demo-podid.md b/demo-podid.md
@@ -6,11 +6,17 @@
 ```
 kubectl create serviceaccount sa-buckets-man
 
-aws eks create-pod-identity-association \
- --cluster-name quick-cluster \
- --namespace default \
- --service-account sa-buckets-man \
- --role-arn arn:aws:iam::414514743156:role/pods-s3-reader
+# aws eks create-pod-identity-association \
+#  --cluster-name quick-cluster \
+#  --namespace default \
+#  --service-account sa-buckets-man \
+#  --role-arn arn:aws:iam::414514743156:role/pods-s3-reader
+
+eksctl create podidentityassociation \
+    --cluster quick-cluster \
+    --namespace default \
+    --service-account-name sa-buckets-man \
+    --permission-policy-arns="arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" 
 
 kubectl run -ti --rm buckets-test \
   --image=amazon/aws-cli \

diff --git a/demo-irsa.md b/demo-irsa.md
@@ -1,8 +1,18 @@
 # My pod wants to access AWS resources - irsa
 
 ```
+# set up trust between IAM and the EKS cluster OIDC provider
+eksctl utils associate-iam-oidc-provider --cluster=quick-cluster --approve
 
+# create a role and service account with dynamo db access
+eksctl create iamserviceaccount --cluster=quick-cluster \
+--name=dynamo-sa --namespace=default \
+--attach-policy-arn=arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess --approve
 
+# let's look at the service account
+kubectl get sa dynamo-sa -o yaml
+
+# launch a container with the new service account
 kubectl run -ti --rm super-pod-man \
   --image=amazon/aws-cli \
   --overrides='{ "spec": { "serviceAccount": "dynamo-sa" }  }' \

diff --git a/demo-irsa.md b/demo-irsa.md
@@ -0,0 +1,19 @@
+# My pod wants to access AWS resources - irsa
+
+```
+
+
+kubectl run -ti --rm super-pod-man \
+  --image=amazon/aws-cli \
+  --overrides='{ "spec": { "serviceAccount": "dynamo-sa" }  }' \
+  --command bash
+  
+# from inside the container
+aws dynamodb list-tables
+```
+
+Where does IRSA get its credentials from
+
+```
+aws sts assume-role-with-web-identity --role-arn $AWS_ROLE_ARN --web-identity-token $(cat $AWS_WEB_IDENTITY_TOKEN_FILE) --role-session-name session1
+```
diff --git a/demo-podid.md b/demo-podid.md
@@ -1,4 +1,4 @@
-# My pod wants to access AWS resources - pod-identity assoc, and IRSA
+# My pod wants to access AWS resources - pod-identity assoc
 
 
 ## Pod identity association

diff --git a/demo-podid-irsa.md → demo-podid.md b/demo-podid-irsa.md → demo-podid.md
@@ -17,4 +17,13 @@ kubectl run -ti --rm buckets-test \
   --overrides='{ "spec": { "serviceAccount": "sa-buckets-man" }  }' \
   --command bash
 
-```
+# from inside the pod container
+aws s3api list-buckets
+
+```
+
+Where does pod identities get its credentials from
+
+```
+curl -H "Authorization: $(cat $AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE)"  http://169.254.170.23/v1/credentials
+```
diff --git a/gistfile1.txt → demo-podid-irsa.md b/gistfile1.txt → demo-podid-irsa.md
diff --git a/gistfile1.txt b/gistfile1.txt
@@ -0,0 +1,20 @@
+# My pod wants to access AWS resources - pod-identity assoc, and IRSA
+
+
+## Pod identity association
+
+```
+kubectl create serviceaccount sa-buckets-man
+
+aws eks create-pod-identity-association \
+ --cluster-name quick-cluster \
+ --namespace default \
+ --service-account sa-buckets-man \
+ --role-arn arn:aws:iam::414514743156:role/pods-s3-reader
+
+kubectl run -ti --rm buckets-test \
+  --image=amazon/aws-cli \
+  --overrides='{ "spec": { "serviceAccount": "sa-buckets-man" }  }' \
+  --command bash
+
+```