This guide will show you how to enable and configure IAM roles for service accounts(IRSA) on your AWS EKS clusters and Kubeform so that you can use IRSA feature in Kubeform.
You can associate an IAM role with a Kubernetes service account. This service account can provide AWS permissions to the containers in any pod that uses that service account.
aws
CLIeksctl
CLIAt first, you need to create an AWS EKS cluster. Let’s use below yaml for creating an AWS EKS cluster:
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
name: eks-demo
region: us-east-2
nodeGroups:
- name: ng-1
instanceType: t3.medium
desiredCapacity: 3
Save it in a file (eg. simple-eks.yaml
) then apply it using eksctl
to create the cluster.
$ eksctl create cluster -f simple-eks.yaml
Your cluster has an OpenID Connect issuer URL associated with it. To use IAM roles for service accounts, an IAM OIDC provider must exist for your cluster.
You can create an OIDC provider for your cluster using eksctl
.
To check and create an IAM OIDC identity provider for your cluster with eksctl
follow below steps:
IAM OIDC
provider for your cluster.$ aws eks describe-cluster --name <cluster_name> --query "cluster.identity.oidc.issuer" --output text
Example Output:
https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE
EXAMPLED539D4633E53DE1B71EXAMPLE
with the value returned from the previous command.$ aws iam list-open-id-connect-providers | grep EXAMPLED539D4633E53DE1B71EXAMPLE
Example output:
"Arn": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
If output is returned from the previous command, then you already have a provider for your cluster. If no output is returned, then you must create an IAM OIDC provider.
my-cluster
with your own value.$ eksctl utils associate-iam-oidc-provider --cluster my-cluster --approve
Now, install Kubeform AWS provider operator in your cluster following the steps here. To get a FREE license, please visit here.
helm install kubeform-provider-aws appscode/kubeform-provider-aws \
--namespace kubeform --create-namespace \
--set-file kubeform-provider.license=/path/to/the/license.txt \
--set crds.s3=true
You must create an IAM policy that specifies the permissions that you would like the containers in your pods to have.
You must also create an IAM role for your Kubernetes service accounts to use before you associate it with a service account.
Create an IAM policy and Role for service account
Follow the official AWS doc for creating IAM Policy and Role
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::account-id:role/iam-role-name
ARN
of the IAM role that you want to use with your service account. Replace service-account-namespace
with the Kubernetes namespace of your service account, service-account-name
with the name of your existing Kubernetes service account. Replace account-id
with your AWS account ID and iam-role-name
with the name of your existing AWS Identity and Access Management (IAM) role.$ kubectl annotate serviceaccount -n service-account-namespace service-account-name \
eks.amazonaws.com/role-arn=arn:aws:iam::account-id:role/iam-role-name
helm upgrade
command, for that use below command:$ helm upgrade <kubeform-aws-operator-helm-chart-release-name> appscode/kubeform-provider-aws --reuse-values --namespace <kubeform-aws-operator-namespace> \
--set-string kubeform-provider.serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="arn:aws:iam::account-id:role/iam-role-name"
Now, We don’t need to provide AWS access_key
and secret_key
in the Provider Secret to manage AWS
resources using Kubeform
from EKS
cluster. This is the AWS provider secret which is used for creating any resources in AWS using Kubeform.
apiVersion: v1
kind: Secret
metadata:
name: aws-provider-secret
namespace: demo
stringData:
provider: |
{
"region": "<REGION_NAME>"
}
If you don’t use IRSA then you need to give access_key
and secret_key
of AWS provider, like:
apiVersion: v1
kind: Secret
metadata:
name: aws-provider-secret
namespace: demo
stringData:
provider: |
{
"region": "<REGION_NAME>",
"access_key": "<ACCESS_KEY>",
"secret_key": "<SECRET_KEY>"
}
Now, you can create, update or delete any AWS resources using IRSA in Kubeform.
Please refer to this doc for a hands-on demo how you need to manage AWS resources using Kubeform.