Using IAM Roles for EKS Pods with ServiceAccounts

EKS IAM Roles

Elastic Kubernetes Service (EKS) is a powerful AWS managed Kubernetes solution that simplifies running containerised applications at scale. One of the many challenges in Kubernetes is managing access to AWS services from within your pods. For secure and fine-grained access control, EKS allows pods to assume IAM roles directly.
In this blog post, I’ll explain how to implement IAM roles for EKS pods by deploying service accounts using eksctl.

📚 This guide is at a beginner level difficulty. 📚

Why Use IAM Roles for EKS Pods?

Here are a few benefits to assigning IAM roles to pods instead of nodes:

  1. Fine-Grained Access Control: Each pod can be assigned its own IAM role, limiting its permissions to only what is necessary.
  2. Improved Security: Reduces the blast radius in case of a compromised pod by isolating access permissions.
  3. Scalability: Avoids the need to manage permissions at the node level, which can become cumbersome in large clusters.

Prerequisites

Before the step-by-step, ensure you have the following:

  1. An EKS Cluster: You should already have an EKS cluster running.
  2. AWS CLI Configured: Ensure you have access to your AWS account and the necessary permissions to create IAM roles and policies.
  3. kubectl Installed: Install kubectl from here.
  4. eksctl Installed: Install eksctl from here.

Step 1: Create an OIDC Provider for the EKS Cluster

Your EKS cluster must have an OpenID Connect (OIDC) provider associated with it to allow IAM roles for service accounts. You can create an OIDC provider using eksctl:

eksctl utils associate-iam-oidc-provider \
  --region <REGION> \
  --cluster <CLUSTER-NAME> \
  --approve

Use your own region and cluster name here.
This command associates the cluster's IAM OIDC provider with your AWS account, which is what lets IAM trust the tokens Kubernetes issues to service accounts (IAM roles for service accounts, IRSA).

Step 2: Create a Policy for the EKS Pod

Create an IAM policy that defines the AWS services and actions your pods require. For example, if your pod needs to read, write and list objects in an S3 bucket, you can create the following policy (note that s3:ListBucket applies to the bucket ARN itself, while GetObject/PutObject apply to the objects under it):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<BUCKET-NAME>/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<BUCKET-NAME>"
        }
    ]
}

You can get this policy and any other code I share from my GitHub.
Save this policy as s3-access-policy.json and create the policy in AWS:

aws iam create-policy \
  --policy-name S3AccessPolicy \
  --policy-document file://s3-access-policy.json

Note the ARN of the created policy.

Step 3: Create an IAM Role and Associate It with the OIDC Provider

Use eksctl to create an IAM role associated with the service account:

eksctl create iamserviceaccount \
  --name s3-access \
  --namespace default \
  --cluster <CLUSTER-NAME> \
  --region <REGION> \
  --attach-policy-arn arn:aws:iam::<ACCOUNT-ID>:policy/S3AccessPolicy \
  --approve

This command will:

  • Create a Kubernetes service account in the specified namespace.
  • Create an IAM role and associate it with the EKS cluster’s OIDC provider.
  • Annotate the service account with the IAM role.
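The role eksctl creates in Step 3 is only as safe as its trust policy. The added Python check below (not from the post or from eksctl) validates such a trust policy the way a reviewer would: the federated principal must be this cluster's OIDC provider, the :sub condition must pin exactly one namespace/service-account pair, and :aud must be sts.amazonaws.com. The trust policy embedded here is a constructed sample with placeholder account and OIDC ids.

```python
# Constructed sample of the trust policy shape IRSA relies on; the account id
# and OIDC provider id are placeholders, not real values.
ISSUER = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEOIDCID"
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{ISSUER}:sub": "system:serviceaccount:default:s3-access",
            f"{ISSUER}:aud": "sts.amazonaws.com",
        }},
    }],
}


def check_irsa_trust(policy: dict, issuer: str, namespace: str, sa_name: str) -> list[str]:
    """Return findings for every statement that lets a web identity assume the role.

    An empty list means each such statement is pinned to this cluster's OIDC
    provider, to exactly one namespace/service-account pair, and to the STS audience.
    """
    findings = []
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        federated = st.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f":oidc-provider/{issuer}"):
            findings.append(f"statement {i}: principal is not this cluster's OIDC provider")
        cond = st.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        sub = equals.get(f"{issuer}:sub")
        if sub is None:
            # No exact match: either a pattern (risky if wildcarded) or nothing at all
            pattern = like.get(f"{issuer}:sub")
            if pattern is None:
                findings.append(f"statement {i}: no :sub condition, any service account in the cluster can assume the role")
            elif "*" in pattern:
                findings.append(f"statement {i}: wildcard :sub '{pattern}' instead of {expected_sub}")
        elif sub != expected_sub:
            findings.append(f"statement {i}: :sub is {sub}, expected {expected_sub}")
        if equals.get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append(f"statement {i}: :aud is not pinned to sts.amazonaws.com")
    return findings
```

To check a real role, fetch its document with `aws iam get-role --role-name <ROLE-NAME> --query Role.AssumeRolePolicyDocument`, parse it with json.load and pass it to check_irsa_trust with your cluster's issuer host (the OIDC URL without the https:// prefix).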

Step 4: Deploy a Test Pod With the Service Account

Run the following command to deploy a test pod that runs under the s3-access service account, from which we can run AWS CLI commands (without the serviceAccountName override the pod would use the namespace's default service account and fall back to the node's IAM role):

kubectl run aws-cli-pod --image=amazon/aws-cli --restart=Never --rm -it \
  --overrides='{"spec":{"serviceAccountName":"s3-access"}}' \
  --command -- /bin/bash

Use the AWS STS GetCallerIdentity API to verify the IAM identity.

aws sts get-caller-identity

The output of this command should look something like the following. The Arn should be an assumed-role session of the role eksctl created; if it shows the node's instance role instead, the pod is not running under the annotated service account:

{
  "UserId": "EXAMPLEUSERID",
  "Account": "123456789012",
  "Arn": "arn:aws:sts::123456789012:assumed-role/s3-access-role/s3-access-pod"
}

Step 5: Test Access to AWS Services

From within the pod, test if you can list the contents of your S3 bucket:

aws s3 ls s3://<BUCKET-NAME>

If you see the bucket's contents, rejoice! The role's permissions are looking good. Listing a bucket needs s3:ListBucket on the bucket ARN itself, separate from GetObject/PutObject on its objects, so an AccessDenied here usually means that statement is missing from the attached policy.

Conclusion

Using IAM roles with service accounts simplifies secure access management for EKS pods that need to interact with AWS services. Just a couple of eksctl commands and you can streamline creating and managing IAM roles for your EKS pods. You can attach/remove IAM policies to easily implement fine-grained permissions for your Kubernetes workloads. If you’re with me till the end of this post, you’re ready to integrate IAM roles for pods in your own cluster.

I’ll be posting more of these guides, going over a wide range of difficulty, so subscribe below! My newsletter sends out friendly emails when I make new posts.
Want to learn more about how I can assist you with your cloud and DevOps needs? Visit my homepage to get in touch and let’s find out how I can support your next project!
