How to test K8S SA’s permissions when OIDC IAM Role was provided in AWS EKS

Or, with a more human-readable title: "How to test (or, an example of how to use) a Kubernetes ServiceAccount's functionality when it has been given an AWS IAM Role that trusted resources can assume through OpenID Connect federated identity".

According to the docs, an OpenID Connect provider is the preferred way for workloads in an EKS cluster to interact with AWS services outside the cluster. This post assumes you already have an EKS cluster with an OpenID Connect provider up and running.

To be able to interact with services outside the cluster we need to walk through the following steps from the sample repo (worth opening before reading further), which contains two main files:

main.tf

a simple Terraform config file that:

  1. gets the EKS OIDC provider ARN
  2. defines the trust relationship between the role and the service account
  3. creates a role for our satest service account
  4. creates a permission policy
  5. attaches the policy to the role
  6. outputs the role_arn so it can be bound to the service account config

sample.tf

a simple Kubernetes manifest for:

  1. a k8s Deployment running an Alpine Linux image with aws-cli
  2. a k8s ServiceAccount; replace replace_role_arn with the role_arn value from above

If everything goes as expected you should be able to open a shell session in the pod and run

aws s3api list-buckets
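Everything the two files above describe, written out in Terraform as an added example (this is not the sample repo's own main.tf or sample.tf). It assumes an EKS cluster named by `var.cluster_name` whose OIDC issuer is already registered as an IAM identity provider, configured `aws` and `kubernetes` providers, the namespace `default`, the service-account name `satest`, and an `alpine` image that installs aws-cli from apk at start-up; the role and policy names (`eks-satest`, `eks-satest-list-buckets`) are made up for the example. The Kubernetes objects are written with the Terraform kubernetes provider instead of YAML so that both files share one language. The trust policy pins both the `sub` and the `aud` claim of the projected token, which is the part of the setup that decides which pods are able to assume the role.

```hcl
# Added example, not the sample repo's own main.tf / sample.tf. Assumes an EKS
# cluster (var.cluster_name) whose OIDC issuer is already registered as an IAM
# identity provider, plus configured aws and kubernetes providers.
variable "cluster_name" { type = string }
# 1. EKS OIDC issuer -> IAM OIDC provider ARN, plus the issuer host path that
#    the trust policy's condition keys are built from.
data "aws_eks_cluster" "this" {
  name = var.cluster_name
}
data "aws_iam_openid_connect_provider" "eks" {
  url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
}
locals {
  sa_namespace = "default"
  sa_name      = "satest"
  oidc_host    = replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "")
}

# 2. Trust relation: only a projected token for default/satest with audience
#    sts.amazonaws.com may assume the role. Without the :sub condition, any
#    service account in the cluster could assume it.
data "aws_iam_policy_document" "satest_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.eks.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:sub"
      values   = ["system:serviceaccount:${local.sa_namespace}:${local.sa_name}"]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}
# 3. The role for the satest service account.
resource "aws_iam_role" "satest" {
  name               = "eks-satest"
  assume_role_policy = data.aws_iam_policy_document.satest_trust.json
}

# 4. Permission policy limited to what the final check needs. s3:ListAllMyBuckets
#    is account-level, so "*" is the only resource it accepts; no s3:* here.
data "aws_iam_policy_document" "satest_perms" {
  statement {
    effect    = "Allow"
    actions   = ["s3:ListAllMyBuckets"]
    resources = ["*"]
  }
}
resource "aws_iam_policy" "satest" {
  name   = "eks-satest-list-buckets"
  policy = data.aws_iam_policy_document.satest_perms.json
}
# 5. Bind the policy to the role.
resource "aws_iam_role_policy_attachment" "satest" {
  role       = aws_iam_role.satest.name
  policy_arn = aws_iam_policy.satest.arn
}

# 6. Expose role_arn and bind it to the service account. The EKS pod identity webhook
#    turns this annotation into AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE in the pods.
output "role_arn" { value = aws_iam_role.satest.arn }
resource "kubernetes_service_account" "satest" {
  metadata {
    name        = local.sa_name
    namespace   = local.sa_namespace
    annotations = { "eks.amazonaws.com/role-arn" = aws_iam_role.satest.arn }
  }
}

# sample.tf part: Alpine container with aws-cli from apk, running as satest.
resource "kubernetes_deployment" "satest" {
  metadata {
    name      = "satest"
    namespace = local.sa_namespace
  }
  spec {
    selector { match_labels = { app = "satest" } }
    template {
      metadata { labels = { app = "satest" } }
      spec {
        service_account_name = kubernetes_service_account.satest.metadata[0].name
        container {
          name    = "awscli"
          image   = "alpine:3.19"
          command = ["/bin/sh", "-c", "apk add --no-cache aws-cli && while true; do sleep 3600; done"]
        }
      }
    }
  }
}
```

After `terraform apply`, the check from the post is `kubectl -n default exec deploy/satest -- aws s3api list-buckets`. Running `aws sts get-caller-identity` in the same pod first tells you whether the returned identity is the assumed `eks-satest` role; that separates a failed token exchange (a trust-policy problem) from a missing permission (a policy problem). The webhook only mutates pods at creation time, so a pod that existed before the annotation was added has to be restarted before it receives the role.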

*Keep in mind the least privilege principle: a security architecture should be designed so that each entity is granted only the minimum system resources and authorizations it needs to perform its function.