EKS Pod Identity - Overview
An application running inside a pod in an Amazon EKS cluster can use the AWS SDK or AWS CLI to interact with AWS services using IAM (Identity and Access Management) permissions. EKS Pod Identities add the ability to manage credentials for that application in the same way EC2 instance profiles provide credentials to EC2 instances. An EKS Pod Identity association maps a role configured in IAM to a Kubernetes Service Account in a specific namespace of the cluster, so only pods running under that service account receive the role's credentials.
Configure EKS Pod Identity Agent
This walkthrough assumes you have an Amazon EKS cluster running in your AWS account. If you don’t have a running cluster, you can create one by following Getting Started with Amazon EKS (see the reference links below).
In my EKS console page, I have a cluster named test-cluster running. Click on that and select Add-ons.

Click on Get more add-ons and select Amazon EKS Pod Identity Agent.

Click Next > Again click Next > click Create.

Configure Role and Service Account
Configure Role in IAM
Let’s create an IAM role that grants permission to access S3, so that my application running inside a pod in the EKS cluster can access S3.
- In the IAM console > click on Roles > Create role > select AWS service > Use case > EKS – Pod Identity > click Next. In permissions, select “AmazonS3ReadOnlyAccess”; if you need tighter scoping, create a custom policy with more restrictive permissions instead. Click Next > provide a name for the role, “eks-pod-identity-role” > click Create role.
- Go back to EKS cluster – “test-cluster” > click on “test-cluster” > click on Access Tab > In Access Tab click on Pod Identity Association.

Click on Create Pod Identity Association > select Role created in the above step “eks-pod-identity-role” > select Kubernetes namespace > select Kubernetes Service Account > click on Create.

Configure the Pod’s Service Account
To run a pod under the service account “aws-s3-access”, we will create a new pod that runs the latest amazon/aws-cli image and try to access the S3 bucket from it.
After running the command below, you will be in a bash shell inside the awscli container, where you can run commands to interact with the AWS S3 service.
In windows cmd:
kubectl run my-shell --rm -i --tty --image amazon/aws-cli:latest --overrides="{ \"spec\": { \"serviceAccount\": \"aws-s3-access\" } }" --command -- bash
In Linux terminal:
kubectl run my-shell --rm -i --tty --image amazon/aws-cli:latest --overrides='{ "spec": { "serviceAccount": "aws-s3-access" } }' --command -- bash
Confirm that the pod can interact with the AWS services allowed by the role associated with the service account.
Run the command “aws sts get-caller-identity” in the bash shell; the output shows the role that was assumed to call the AWS service API.

Also, from a second terminal while the pod is still running (the --rm flag deletes it as soon as you exit the shell), run the command below against the pod name my-shell (to verify the pod name, run the command “kubectl get pod”):

kubectl describe pod my-shell | findstr "AWS_CONTAINER"

The EKS Pod Identity Agent exposes its credential API on the link-local address http://169.254.170.23:80. The AWS SDKs and CLI automatically use it because the agent add-on injects the environment variables AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE into the pod, as shown in the image above; the application code needs no credentials of its own.
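To make the mechanism behind those two variables concrete, here is an added example (not code from the post or from AWS) that re-implements in plain Python what the SDK's container credential provider does: read the endpoint and token file from the pod's environment, refuse any plain-HTTP endpoint other than the agent's link-local address, and send the token as the Authorization header. The `http_get` hook and the `constructed-token.txt` file used for offline testing are assumptions; inside a real pod you would call `fetch_pod_credentials()` with no arguments.

```python
import json
import os
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Link-local address the EKS Pod Identity Agent listens on (from the post).
AGENT_HOST = "169.254.170.23"


def is_trusted_agent_uri(uri: str) -> bool:
    """Only accept the agent's link-local endpoint over plain HTTP.

    The token file grants the pod's role, so sending it to an arbitrary
    host named in a tampered environment variable would leak the identity.
    """
    parts = urlparse(uri)
    return parts.scheme == "http" and parts.hostname == AGENT_HOST


def fetch_pod_credentials(env=None, http_get=None) -> dict:
    """Resolve temporary credentials the way the SDK does inside the pod.

    env:      mapping with the two AWS_CONTAINER_* variables (defaults to
              os.environ, i.e. the values injected by the agent add-on).
    http_get: optional callable (url, headers) -> response body, used here
              only so the flow can be exercised without a live agent.
    """
    env = os.environ if env is None else env
    uri = env["AWS_CONTAINER_CREDENTIALS_FULL_URI"]
    if not is_trusted_agent_uri(uri):
        raise ValueError(f"refusing to send pod identity token to {uri!r}")
    with open(env["AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"]) as f:
        token = f.read().strip()

    if http_get is None:
        def http_get(url, headers):
            with urlopen(Request(url, headers=headers), timeout=2) as resp:
                return resp.read().decode()

    # The agent answers in the same JSON shape as the ECS credential endpoint.
    body = json.loads(http_get(uri, {"Authorization": token}))
    return {k: body[k] for k in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")}


if __name__ == "__main__":
    creds = fetch_pod_credentials()
    print("got credentials for key", creds["AccessKeyId"], "expiring", creds["Expiration"])
```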
Reference Links
https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html
https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html
WRITTEN BY Kamlesh N
Kamlesh Nenwani is a Subject Matter Expert at CloudThat, specializing in AWS Architecting and DevOps. With 13 years of experience in training and consultancy, he has guided over 2500+ professionals and students in mastering diverse technologies. Renowned for his clarity in explaining complex topics and his commitment to continuous learning, Kamlesh delivers practical, interactive sessions grounded in deep technical expertise.
January 18, 2024