[aws-eks] with IRSA (IAM Roles for Service Accounts) support #3949
Comments
Hey @pahud, it looks like CloudFormation doesn't yet support IRSA. Let's keep this issue on the backburner until they add support! 😸
I think most of this should be possible. The issue is getting the OIDC provider URL. To @NGL321's point, once CloudFormation supports the OIDC provider URL, I think this can happen.

```sh
aws eks describe-cluster --name irptes --query cluster.identity.oidc.issuer --output text
```
Our blog post on this can give guidance for how to do this with a Lambda. Could be used as a crib. I think it relates to #5388 too. https://bambooengineering.io/configuring-eks-for-iam-oidc-using-cloudformation/
## Commit Message

feat(eks): IAM roles for service accounts (#6062)

Adds support for IAM roles for service accounts, which allows pods to assume IAM roles.

NOTE: currently there are no conditions set on the IAM Role, which results in there being no restrictions on other pods assuming the role. This will be fixed in a subsequent PR.

See README for details.

Fixes #5388
Fixes #3949

## End of Commit Message

- [x] Enable OpenID Connect Provider
- [x] Service Account construct
- [ ] Role constraints
- [x] Add `cluster.addServiceAccount` convenience method
- [x] Integration Tests
- [x] Unit Tests
- [x] Update README.md

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
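As an added example that is not part of the pull request or the aws-cdk code base: a small TypeScript helper that builds the IRSA trust policy both with and without the `sub` condition the commit message above says is still missing, plus a check that flags the unscoped form (any pod in the cluster could assume such a role). The account id, issuer URL, namespace and service account name are constructed placeholders.

```typescript
// Added example, not aws-cdk project code. Builds the trust policy for an
// IRSA role and detects statements that lack the service-account scoping.

interface TrustPolicy {
  Version: string;
  Statement: Array<{
    Effect: string;
    Principal: { Federated: string };
    Action: string;
    Condition?: Record<string, Record<string, string>>;
  }>;
}

// The OIDC issuer URL (as returned by `aws eks describe-cluster`) minus its
// scheme is what appears in both the provider ARN and the condition keys.
function providerHost(issuerUrl: string): string {
  return issuerUrl.replace(/^https:\/\//, "").replace(/\/$/, "");
}

// restrict=false reproduces the unconditioned role the commit message warns
// about; restrict=true pins the role to one namespace/service-account pair.
function irsaTrustPolicy(accountId: string, issuerUrl: string,
                         namespace: string, serviceAccount: string,
                         restrict: boolean = true): TrustPolicy {
  const host = providerHost(issuerUrl);
  const stmt: TrustPolicy["Statement"][number] = {
    Effect: "Allow",
    Principal: { Federated: `arn:aws:iam::${accountId}:oidc-provider/${host}` },
    Action: "sts:AssumeRoleWithWebIdentity",
  };
  if (restrict) {
    stmt.Condition = {
      StringEquals: {
        [`${host}:sub`]: `system:serviceaccount:${namespace}:${serviceAccount}`,
        [`${host}:aud`]: "sts.amazonaws.com",
      },
    };
  }
  return { Version: "2012-10-17", Statement: [stmt] };
}

// Counts web-identity statements with no ":sub" condition, i.e. statements
// that any service account behind the provider could use to assume the role.
function unscopedStatements(policy: TrustPolicy): number {
  return policy.Statement.filter((s) => {
    if (s.Action !== "sts:AssumeRoleWithWebIdentity") return false;
    const cond = s.Condition || {};
    return !Object.keys(cond).some((op) =>
      Object.keys(cond[op]).some((k) => k.endsWith(":sub")));
  }).length;
}
```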
🚀 Feature Request
General Information
Description
AWS just announced IRSA (IAM Roles for Service Accounts) support for Amazon EKS as well as DIY Kubernetes on AWS.
https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
It would be great if we could optionally specify the pod role as a property of aws-eks/lib/k8s-resource to simplify the heavy lifting.