
Applying IRSA

To use IAM roles for service accounts in your cluster, an IAM OIDC Identity Provider must be created and associated with the cluster. An OIDC provider has already been provisioned and associated with your EKS cluster:

Go to the Identity Providers in IAM Console:

https://console.aws.amazon.com/iamv2/home#/identity_providers

You will see that an OIDC provider has been created for your EKS cluster:

(Screenshot: IAM OIDC Provider in the IAM console)

Another option is to use AWS CLI to verify the IAM OIDC Identity Provider.

~$aws iam list-open-id-connect-providers
{
    "OpenIDConnectProviderList": [
        {
            "Arn": "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-2.amazonaws.com/id/7185F12D2B62B8DA97B0ECA713F66C86"
        }
    ]
}

Then validate that it is associated with your Amazon EKS cluster:

~$aws eks describe-cluster --name ${EKS_CLUSTER_NAME} --query 'cluster.identity'
{
    "oidc": {
        "issuer": "https://oidc.eks.us-west-2.amazonaws.com/id/7185F12D2B62B8DA97B0ECA713F66C86"
    }
}

An IAM role that provides the permissions the carts service needs to read from and write to its DynamoDB table has been created for you. You can view the policy like so:

~$aws iam get-policy-version \
--version-id v1 --query 'PolicyVersion.Document' \
--policy-arn arn:aws:iam::${AWS_ACCOUNT_ID}:policy/${EKS_CLUSTER_NAME}-carts-dynamo | jq .
{
  "Statement": [
    {
      "Action": "dynamodb:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:dynamodb:us-west-2:1234567890:table/eks-workshop-carts",
        "arn:aws:dynamodb:us-west-2:1234567890:table/eks-workshop-carts/index/*"
      ],
      "Sid": "AllAPIActionsOnCart"
    }
  ],
  "Version": "2012-10-17"
}

The role has also been configured with a trust relationship that allows the OIDC provider associated with our EKS cluster to assume this role, as long as the token subject is the ServiceAccount of the carts component. You can view it like so:

~$aws iam get-role \
--query 'Role.AssumeRolePolicyDocument' \
--role-name ${EKS_CLUSTER_NAME}-carts-dynamo | jq .
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::1234567890:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/22E1209C76AE64F8F612F8E703E5BBD7"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-west-2.amazonaws.com/id/22E1209C76AE64F8F612F8E703E5BBD7:sub": "system:serviceaccount:carts:carts"
        }
      }
    }
  ]
}
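As an added example (not part of the workshop), the following Python check takes the trust policy document returned by `aws iam get-role` and verifies that the role is bound to this cluster's OIDC issuer and to exactly the carts ServiceAccount. The sample policy is constructed from the output above; the `:aud` check is an extra hardening step that the workshop's role does not include.

```python
from typing import Dict, List
from urllib.parse import urlparse

# Constructed from the trust policy shown above (sample account and provider ids from the page).
PROVIDER_ID = "oidc.eks.us-west-2.amazonaws.com/id/22E1209C76AE64F8F612F8E703E5BBD7"
CLUSTER_ISSUER = "https://" + PROVIDER_ID  # what `aws eks describe-cluster` reports as issuer
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::1234567890:oidc-provider/" + PROVIDER_ID},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {PROVIDER_ID + ":sub": "system:serviceaccount:carts:carts"}},
    }],
}


def check_irsa_trust(trust: Dict, issuer_url: str, namespace: str, sa_name: str) -> List[str]:
    """Return findings for a role trust policy; an empty list means the role is pinned
    to this cluster's OIDC provider and to exactly one ServiceAccount."""
    findings: List[str] = []
    issuer = urlparse(issuer_url)
    # The issuer URL minus its scheme is what appears in the provider ARN and condition keys.
    provider_id = issuer.netloc + issuer.path
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    for stmt in trust.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(":oidc-provider/" + provider_id):
            findings.append(f"Principal {federated} is not this cluster's provider {provider_id}")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        sub = equals.get(provider_id + ":sub")
        if sub is None:
            findings.append("no StringEquals condition on :sub; role is not pinned to one ServiceAccount")
        elif sub != expected_sub:
            findings.append(f":sub is {sub}, expected {expected_sub}")
        # Hardening beyond the page: also pin the token audience expected by STS.
        if equals.get(provider_id + ":aud") != "sts.amazonaws.com":
            findings.append("no StringEquals condition :aud == sts.amazonaws.com")
    return findings


if __name__ == "__main__":
    for finding in check_irsa_trust(TRUST_POLICY, CLUSTER_ISSUER, "carts", "carts"):
        print("finding:", finding)
```

Run it against the live documents by replacing `TRUST_POLICY` and `CLUSTER_ISSUER` with the JSON from the two commands above.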

All that's left is to reconfigure the Service Account object associated with the carts application by adding the required annotation, so IRSA can provide the correct authorization to Pods using the IAM Role above. Let's first validate which SA is associated with the carts Deployment.

~$kubectl -n carts describe deployment carts | grep 'Service Account'
  Service Account:  cart

Now let's check the value of CARTS_IAM_ROLE, which provides the ARN of the IAM Role used in the Service Account annotation.

~$echo $CARTS_IAM_ROLE
arn:aws:iam::1234567890:role/eks-workshop-carts-dynamo

Once we've verified the IAM Role to be used, we can run Kustomize to apply the change to the Service Account.

~$kubectl apply -k ~/environment/eks-workshop/modules/security/irsa/service-account
~/environment/eks-workshop/modules/security/irsa/service-account/carts-serviceAccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: carts
  namespace: carts
  annotations:
    eks.amazonaws.com/role-arn: $(CARTS_IAM_ROLE)

Validate that the Service Account was annotated:

~$kubectl describe sa carts -n carts | grep Annotations
Annotations:         eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/eks-workshop-carts-dynamo

With the ServiceAccount updated, we just need to recycle the carts Pod so it picks up the change:

~$kubectl rollout restart -n carts deployment/carts
deployment.apps/carts restarted
~$kubectl rollout status -n carts deployment/carts