AWS, AWS EKS

3 Mins Read

New EKS Pod Identity: Powerful Amazon EKS for Kubernetes Applications

EKS Pod Identity - Overview

An application running inside a pod in an Amazon EKS cluster can use AWS SDK or AWS CLI to interact with AWS services using IAM (Identity and Access Management) permissions, and EKS Pod Identities add the ability to manage credentials for your application, the way EC2 instance profiles provide credentials to EC2 instances. The Association of EKS Pod Identity maps a role configured in IAM to a Service Account in a namespace specified in the Kubernetes cluster.

 

Configure EKS Pod Identity Agent

Assuming you have an Amazon EKS cluster running in your AWS account, if you don’t have a running cluster, you can create one by visiting Getting Started with Amazon EKS.

In my EKS console page, I have a cluster named test-cluster running. Click on that and select Add-ons.

Click on Get more add-ons and select Amazon ESK Pod Identity Agent.

Click Next > Again click Next > click Create.

 

Customized Cloud Solutions to Drive your Business Success

  • Cloud Migration
  • Devops
  • AIML & IoT
Know More

Configure Role and Service Account

Configure Role in IAM

Let’s create an IAM role to provide permission to access the S3 bucket so that my application running inside a pod in the EKS cluster can access s3.

  1. In the IAM console > click on Role > create Role > select AWS Service  > Use case  > EKS – Pod identity  >click Next  > In permissions, select “AmazonS3ReadOnlyAccess” if you need, you can create a custom policy with restrictive permissions > click Next > Provide name to Role – “eks-pod-identity-role” -> click on Create Role.
  2. Go back to EKS cluster – “test-cluster” > click on “test-cluster” > click on Access Tab > In Access Tab click on Pod Identity Association.

Click on Create Pod Identity Association  > select Role created in the above step “eks-pod-identity-role” > select Kubernetes namespace > select Kubernetes Service Account > click on Create.

 

Configure Pod to Service Account

To run a pod with a service account “aws-s3-access”, we will create a new pod to Run a container with Amazon awscli latest image and try to access the s3 bucket.

After running the command, you will be in the bash shell of container image awscli, and you can run the commands to interact with the AWS S3 service.


In windows cmd:
kubectl run my-shell –rm -i --tty --image amazon/aws-cli:latest --overrides="{ \"spec\": { \"serviceAccount\": \"aws-s3-access\" } }" --command bash
In Linux terminal:
kubectl run my-shell --rm -i --tty --image amazon/aws-cli:latest --overrides='{ "spec": { "serviceAccount": "aws-s3-access" } }' --command bash

Confirm that the Pod can interact with AWS services configured in the Role associated with a service account.

Run the command “aws sts get-caller-identity” in the bash shell and see the Role assumed to call the AWS service API.

Also, after exiting the shell the command, run the command with pod name my-shell, (to verify the pod name, run the command “kubectl get Pod.”)

kubectl describe pod my-shell | findstr “AWS_CONTAINER”

The EKS pod Identity exposes the API on http://169.254.170.23:80, and AWS SDK automatically picks up pod  Identity with the environment variables set on the Pod in the above Image.

 

Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.

  • Cloud Training
  • Customized Training
  • Experiential Learning
Read More

About CloudThat

Established in 2012, CloudThat is a leading Cloud Training and Cloud Consulting services provider in India, USA, Asia, Europe, and Africa. Being a pioneer in the Cloud domain, CloudThat has special expertise in catering to mid-market and enterprise clients in all the major Cloud service providers like AWS, Microsoft, GCP, VMware, Databricks, HP, and more. Uniquely positioned to be a single source for both training and consulting for cloud technologies like Cloud Migration, Data Platforms, DevOps, IoT, and the latest technologies like AI/ML, it is a top-tier partner with AWS and Microsoft, winning more than eight awards combined in 11 years. Recently, it was awarded the prestigious AWS Training Partner of the Year 2023 and won the Microsoft Superstars FY 2023 award in Asia & India. Leveraging their position as a leader in the market, CloudThat has trained 650k+ professionals in 500+ cloud certifications and delivered 300+ consulting projects for 100+ corporates in 28+ countries.

WRITTEN BY Kamlesh N

Share

Comments

    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!