Skip to content

upbound/configuration-aws-eks-irsa

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

39 Commits

.github

.github

 
 

apis

apis

 
 

build @ 7233e36

build @ 7233e36

 
 

examples

examples

 
 

images

images

 
 

test

test

 
 

.gitignore

.gitignore

 
 

.gitmodules

.gitmodules

 
 

.yamllint

.yamllint

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

crossplane.yaml

crossplane.yaml

 
 

Repository files navigation

AWS EKS IRSA Configuration

IRSA (IAM Roles for Service Accounts) is AWS EKS's method for allowing EKS pod applications to access the AWS API through specific AWS IAM roles. This approach is more advanced than the previous method where applications in pods used the IAM roles of the EKS nodes. Configuring AWS API access per service account aligns with the principle of least privilege, resulting in a more secure architecture.

IRSA integrates components from AWS IAM, OpenID Connect, Kubernetes Service Accounts, and Pods. It involves several interconnected parts from these concepts. Here's a simplified overview of how these elements work together to enable applications in a pod to utilize an IAM role.

Configuration

This configuration is for implementing AWS IRSA, which involves creating the IAM Role, Policy, Attachment, and configuring the trust relationship between Kubernetes Service Account and AWS EKS OIDC Provider.

The How

irsa-01

  • A Pod where the application operates.
  • A Service Account, marked with an annotation to indicate its use of an IAM Role.

irsa-02

  • An IAM Role with a trust relationship directed towards:
    • The Kubernetes Service Account authorized to assume that role.
    • The AWS OIDC Provider for the EKS Cluster.

Service Accounts and Service Accounts Tokens

Creating a Service Account in EKS also generates a Service Account Token.

irsa-03

  • The Service Account Token is saved as a Kubernetes Secret in the same namespace.
  • The token is a JSON Web Token (JWT).

Attaching the Service Account to the Pod

When a Pod is configured to use a Service Account in EKS, several actions are automatically performed:

irsa-04

  • The Service Account's JWT, which is stored in a secret, gets mounted in the Pod.
  • The following environment variables are injected into the Pod:
AWS_ROLE_ARN=<IAM ROLE ARN>
AWS_WEB_IDENTITY_TOKEN_FILE=<PATH TO THE SERVICE ACCOUNT TOKEN>

The assume role request

The AWS SDK, operating within the application inside the Pod, is programmed to reference these environment variables for authentication. It sends a request to AWS STS to assume the IAM Role, including the Service Account JWT in that request.

irsa-05

The request will include:

  • The ARN of the IAM Role
  • The JWT of the Service Account

AWS STS will utilize the configuration in the IAM Role's Trust Relationship for validation.

irsa-06

  • Verify that the Service Account JWT is valid and issued by the trusted OIDC Provider of the EKS Cluster.
  • Confirm that the Service Account is authorized to assume the IAM Role.

On Success

AWS STS will provide the application in the Pod with security credentials for the IAM Role, valid for 15 minutes.

irsa-07

About

AWS EKS IRSA Configuration

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

1 star

Watchers

17 watching

Forks

1 fork
Report repository

Releases 8

v0.7.0 Latest
Feb 16, 2024
+ 7 releases

Packages

No packages published

Contributors 3

Languages