Difference between revisions of "Configuring a Kubernetes service account to assume an IAM role"

Latest revision as of 14:51, 31 October 2023

https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html

Poliy -> SA-OIDC -> Role

cat >trust-relationship.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::$account_id:oidc-provider/$oidc_provider"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "$oidc_provider:aud": "sts.amazonaws.com",
          "$oidc_provider:sub": "system:serviceaccount:$namespace:$service_account"
        }
      }
    }
  ]
}
EOF

aws iam create-role --role-name yourIAMRoleName --assume-role-policy-document file://trust-relationship.json --description "my-trust-relationship-role-description"

kubectl describe serviceaccount
Creating an IAM OIDC provider for your EKS cluster
Terraform Kubernetes resource: kubernetes service account

TOI: EKS cluster discovery using STS AssumeRoles (Without AWS CLI)

See also[edit]

EKS: IRSA, Module: ebs_csi_irsa_role, enable_irsa
OIDC, kubectl oidc-login, AWS IAM OIDC, EKS OIDC, EKS module, aws iam list-open-id-connect-providers | aws iam create-open-id-connect-provider | aws iam get-open-id-connect-provider, OIDC tokens, aws_lb_listener_rule
AWS EKS:AWS::EKS, aws eks [ create-cluster | list-clusters | describe-cluster | update-kubeconfig | list-updates | list-addons | update-cluster-version | update-nodegroup-version | get-token | create-addon ]

@@ Line 1: / Line 1: @@
+* https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html
+ Poliy -> SA-OIDC -> Role
@@ Line 16: / Line 18: @@
           "StringEquals": {
             "$oidc_provider:aud": "[[sts.amazonaws.com]]",
-            "$oidc_provider:sub": "system:serviceaccount:$namespace:$service_account"
+            "$oidc_provider:sub": "[[system:serviceaccount]]:$namespace:$service_account"
           }
         }
@@ Line 23: / Line 25: @@
   }
   EOF
+ [[aws iam create-role --role-name]] [[yourIAMRoleName]] [[--assume-role-policy-document]] file://[[trust-relationship.json]] --description "my-trust-relationship-role-description"
+ [[kubectl describe serviceaccount]]
+ [[Creating an IAM OIDC provider for your EKS cluster]]
+ [[Terraform Kubernetes resource: kubernetes service account]]
+* [[TOI: EKS cluster discovery using STS AssumeRoles (Without AWS CLI)]]
 == See also ==
 * {{IRSA}}
 * {{OIDC}}
+* {{aws eks}}
 [[Category:K8s]]

Difference between revisions of "Configuring a Kubernetes service account to assume an IAM role"

Latest revision as of 14:51, 31 October 2023

See also[edit]

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools