This pod can be run to try and diagnose permission issues with your pod.
Sometimes SDK output makes it hard to determine what is causing your issues with ServiceAccount IAM permissions. This pod will provide some output to try and determine why you may be experiencing issues.
This will not provide a definitive answer to permission issues but it should give you some insight.
kubectl 1.14 or above
Create a new folder.
In the folder put a kustomization.yaml file with the following contents, updating the namespace:
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Update the namespace to the namespace you want to run in
namespace: test-iam
bases:
- github.com/jasonrichardsmith/eks-pod-identity-tester//kustomize
patches:
- patch.yaml
In the same folder put a patch.yaml file with your custom settings as described in the comments:
apiVersion: v1
kind: Pod
metadata:
name: test-pod
spec:
# Set serviceAccount if you are not using the default
serviceAccountName: default
containers:
- name: test-iam
env:
# AWS_DEFAULT_REGION is recommended
- name: AWS_DEFAULT_REGION
value: eu-west-1
# AWS_TEST_COMMAND is optional, set to check specific privileges, default is:
# aws sts assume-role --role-arn ${AWS_ROLE_ARN} --role-session-name test-session
- name: AWS_TEST_COMMAND
value: "aws s3api list-buckets"
# If using the web identity webhook, **DO NOT** include any of the below,
# everything will be set by the webhook.
# If you are not using the webhook everything below must be included.
# Set the role to your role arn.
- name: AWS_ROLE_ARN
value: arn:aws:iam::123456789012:role/mycustomrole
- name: AWS_WEB_IDENTITY_TOKEN_FILE
value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
volumeMounts:
- mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
name: aws-iam-token
readOnly: true
volumes:
- name: aws-iam-token
projected:
defaultMode: 420
sources:
- serviceAccountToken:
audience: sts.amazonaws.com
expirationSeconds: 86400
path: token
From within the folder run the pod:
kubectl apply -k .
Wait for the pod to start (with correct namespace):
kubectl get pods -n test-iam test-pod -w
Follow the logs (with correct namespace):
kubectl logs -n test-iam test-pod -f
After getting your output you can delete the pod:
kubectl delete -k .