Configure Pods to use a Kubernetes service account
If a Pod needs to access AWS services, then you must configure it to use a Kubernetes service account. The service account must be associated to an AWS Identity and Access Management (IAM) role that has permissions to access the AWS services.
Prerequisites
-
An existing cluster. If you don't have one, you can create one using one of the Getting started with Amazon EKS guides.
-
An existing IAM OpenID Connect (OIDC) provider for your cluster. To learn if you already have one or how to create one, see Create an IAM OIDC provider for your cluster.
-
An existing Kubernetes service account that's associated with an IAM role. The service account must be annotated with the Amazon Resource Name (ARN) of the IAM role. The role must have an associated IAM policy that contains the permissions that you want your Pods to have to use AWS services. For more information about how to create the service account and role, and configure them, see Configure a Kubernetes service account to assume an IAM role.
-
Version
2.12.3or later or version1.27.160or later of the AWS Command Line Interface (AWS CLI) installed and configured on your device or AWS CloudShell. To check your current version, useaws --version | cut -d / -f2 | cut -d ' ' -f1yum,apt-get, or Homebrew for macOS are often several versions behind the latest version of the AWS CLI. To install the latest version, see Installing, updating, and uninstalling the AWS CLI and Quick configuration with aws configure in the AWS Command Line Interface User Guide. The AWS CLI version that is installed in AWS CloudShell might also be several versions behind the latest version. To update it, see Installing AWS CLI to your home directory in the AWS CloudShell User Guide. -
The
kubectlcommand line tool is installed on your device or AWS CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is1.28, you can usekubectlversion1.27,1.28, or1.29with it. To install or upgradekubectl, see Installing or updating kubectl. -
An existing
kubectlconfigfile that contains your cluster configuration. To create akubectlconfigfile, see Creating or updating a kubeconfig file for an Amazon EKS cluster.
To configure a Pod to use a service account
-
Use the following command to create a deployment manifest that you can deploy a Pod to confirm configuration with. Replace the
example valuescat >my-deployment.yaml<<EOF apiVersion: apps/v1 kind: Deployment metadata: name:my-appspec: selector: matchLabels: app:my-apptemplate: metadata: labels: app:my-appspec: serviceAccountName:my-service-accountcontainers: - name:my-appimage:public.ecr.aws/nginx/nginx:X.XXEOF -
Deploy the manifest to your cluster.
kubectl apply -fmy-deployment.yaml -
Confirm that the required environment variables exist for your Pod.
-
View the Pods that were deployed with the deployment in the previous step.
kubectl get pods | grepmy-appAn example output is as follows.
my-app-6f4dfff6cb-76cv91/1 Running 0 3m28s -
View the ARN of the IAM role that the Pod is using.
kubectl describe podmy-app-6f4dfff6cb-76cv9| grep AWS_ROLE_ARN:An example output is as follows.
AWS_ROLE_ARN: arn:aws:iam::
111122223333:role/my-roleThe role ARN must match the role ARN that you annotated the existing service account with. For more about annotating the service account, see Configure a Kubernetes service account to assume an IAM role.
-
Confirm that the Pod has a web identity token file mount.
kubectl describe podmy-app-6f4dfff6cb-76cv9| grep AWS_WEB_IDENTITY_TOKEN_FILE:An example output is as follows.
AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/tokenThe
kubeletrequests and stores the token on behalf of the Pod. By default, thekubeletrefreshes the token if the token is older than 80 percent of its total time to live or older than 24 hours. You can modify the expiration duration for any account other than the default service account by using the settings in your Pod spec. For more information, see Service Account Token Volume Projectionin the Kubernetes documentation. The Amazon EKS Pod Identity Webhook
on the cluster watches for Pods that use a service account with the following annotation: eks.amazonaws.com/role-arn: arn:aws:iam::
111122223333:role/my-roleThe webhook applies the previous environment variables to those Pods. Your cluster doesn't need to use the webhook to configure the environment variables and token file mounts. You can manually configure Pods to have these environment variables. The supported versions of the AWS SDK look for these environment variables first in the credential chain provider. The role credentials are used for Pods that meet this criteria.
-
-
Confirm that your Pods can interact with the AWS services using the permissions that you assigned in the IAM policy attached to your role.
Note
When a Pod uses AWS credentials from an IAM role that's associated with a service account, the AWS CLI or other SDKs in the containers for that Pod use the credentials that are provided by that role. If you don't restrict access to the credentials that are provided to the Amazon EKS node IAM role, the Pod still has access to these credentials. For more information, see Restrict access to the instance profile assigned to the worker node
. If your Pods can't interact with the services as you expected, complete the following steps to confirm that everything is properly configured.
-
Confirm that your Pods use an AWS SDK version that supports assuming an IAM role through an OpenID Connect web identity token file. For more information, see Using a supported AWS SDK.
-
Confirm that the deployment is using the service account.
kubectl describe deploymentmy-app| grep "Service Account"An example output is as follows.
Service Account:
my-service-account -
If your Pods still can't access services, review the steps that are described in Configure a Kubernetes service account to assume an IAM role to confirm that your role and service account are configured properly.
-
