Assign IAM Role to Pod without kube2iam
Sep 26, 2019
Amazon EKS now natively supports assigning IAM permissions to Kubernetes service accounts (IAM roles for service accounts). Binding such a service account to a Pod means the Pod immediately gets the IAM permissions of the bound role, without broadening the worker node's IAM role and without a third-party agent in the cluster.
- This feature is GA on EKS clusters running Kubernetes 1.13 and later.
- It is supported by the Terraform AWS provider since v2.28.0.
- It is supported by the Terraform EKS module since v6.0.1.
Announcement and walkthrough example: https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
- The example in that post grants a pod read-only access to S3.
- The chain is: an IAM role carries one or more IAM policies; the role is bound to a Kubernetes service account; the service account is assigned to the pod. The pod therefore gets exactly the role's permissions, and nothing else on the node does.
eksctl create iamserviceaccount \
--name my-serviceaccount \
--namespace default \
--cluster irptest \
--attach-policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \
--approve
[ℹ] 1 task: { 2 sequential sub-tasks: { create addon stack "eksctl-irptest-addon-iamsa-default-my-serviceaccount", create ServiceAccount:default/my-serviceaccount } }
Advantages of using IAM roles vs AWS Keys
- Least privilege: by using the IAM roles for service accounts feature, you no longer need to provide extended permissions to the worker node IAM role so that pods on that node can call AWS APIs. You can scope IAM permissions to a service account, and only pods that use that service account have access to those permissions. This feature also eliminates the need for third-party solutions such as kiam or kube2iam.
- Credential isolation: a container can only retrieve credentials for the IAM role that is associated with the service account to which it belongs. A container never has access to credentials that are intended for another container that belongs to another pod.
- Auditability: access and event logging is available through CloudTrail to help ensure retrospective auditing.
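Both the eksctl walkthrough above and the least-privilege and credential-isolation points rest on one detail: the IAM role's trust policy must let only a single namespace/service-account pair assume it via sts:AssumeRoleWithWebIdentity, keyed on the cluster's OIDC issuer. The following Python is an added example, not code from the original post or from eksctl: it builds a trust policy of the shape eksctl attaches for `default/my-serviceaccount`, and audits an existing trust policy for the patterns that silently widen it to every pod in the cluster. The account ID and OIDC issuer URL are constructed placeholders; in practice take the issuer from `aws eks describe-cluster --query cluster.identity.oidc.issuer`.

```python
"""Added example (not from the original post): build and audit an IRSA trust policy."""
import json

# Constructed placeholders; replace with your account and your cluster's OIDC issuer URL.
ACCOUNT_ID = "111122223333"
OIDC_ISSUER = "https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"


def oidc_provider_host(issuer_url: str) -> str:
    """IAM condition keys and the provider ARN use the issuer without the scheme."""
    return issuer_url.replace("https://", "", 1)


def build_trust_policy(issuer_url: str, account_id: str, namespace: str, service_account: str) -> dict:
    """Trust policy scoped to one service account: only a projected token whose
    `sub` is system:serviceaccount:<ns>:<sa> (and whose audience is STS) can assume the role."""
    host = oidc_provider_host(issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host}"},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        f"{host}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                        f"{host}:aud": "sts.amazonaws.com",
                    }
                },
            }
        ],
    }


def audit_trust_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means every Allow statement for
    AssumeRoleWithWebIdentity is pinned to exactly one service account and to the STS audience."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRoleWithWebIdentity" not in actions and "sts:*" not in actions:
            continue
        sub_values, aud_values = [], []
        for operator, keys in stmt.get("Condition", {}).items():
            for key, value in keys.items():
                values = value if isinstance(value, list) else [value]
                if key.endswith(":sub"):
                    sub_values.extend((operator, v) for v in values)
                elif key.endswith(":aud"):
                    aud_values.extend(values)
        if not sub_values:
            findings.append(f"statement {i}: no ':sub' condition, any service account in the cluster can assume this role")
        for operator, value in sub_values:
            if operator.startswith("StringLike") and "*" in value:
                findings.append(f"statement {i}: wildcard sub '{value}', scope it to one namespace and service account")
            elif not value.startswith("system:serviceaccount:"):
                findings.append(f"statement {i}: unexpected sub '{value}'")
        if not aud_values:
            findings.append(f"statement {i}: no ':aud' condition, token audience is not pinned to sts.amazonaws.com")
    return findings


# Constructed over-broad policy: a namespace/name wildcard under StringLike and no audience pin.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{oidc_provider_host(OIDC_ISSUER)}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringLike": {f"{oidc_provider_host(OIDC_ISSUER)}:sub": "system:serviceaccount:*:*"}},
        }
    ],
}

if __name__ == "__main__":
    good = build_trust_policy(OIDC_ISSUER, ACCOUNT_ID, "default", "my-serviceaccount")
    print(json.dumps(good, indent=2))
    print("scoped policy findings:", audit_trust_policy(good))
    print("over-broad policy findings:", audit_trust_policy(OVERBROAD_POLICY))
```

The scoped policy audits clean; the constructed over-broad one reports the wildcard `sub` and the missing `aud` pin. The role ARN this policy belongs to is what eksctl writes into the `eks.amazonaws.com/role-arn` annotation on the ServiceAccount; pods using that ServiceAccount receive a projected token plus the `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` environment variables, and the AWS SDKs exchange the token for role credentials through STS.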
Bonus:
Udemy course about running EKS in production: https://www.udemy.com/course/aws-eks-kubernetes