With the following ‘human readable’ title, “How to test ( or an example to make use of ) the Kubernetes ServiceAccount’s functionality if an AWS IAM Role, which can be assumed by trusted resources using OpenID Connect Federated Users, was provided”
According to the docs the OpenId Connect Provider is the preferred method to interact with other AWS Services outside the EKS Cluster. We assume that you have an EKS Cluster with OpenId Connect Provider already up and running.
To be able to interact with services outside the cluster we need to check the followings steps from the sample repo ( which can be opened before further reading ) and which contains two main files:
main.tfa simple terraform config file with:
- get EKS OIDC arn
- define the trust relation between the role and service account
- create a role for our
satestservice account - create a permission policy
- bind the policy to role
- get the
role_arnand bind it to service account config
sample.tfa simple kubernetes manifest for:
- k8s deploy / alpine linux image with aws-cli
- k8s service account /
replace_role_arnwith aboverole_arnvalue
If everything goes as expected you should be able to get a shell session with the pod and perform
aws s3api list-buckets
*keep in mind the “least privilege principle” or the principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function