EKS Pod Identity - Overview
An application running inside a pod in an Amazon EKS cluster can use the AWS SDK or AWS CLI to interact with AWS services using IAM (Identity and Access Management) permissions. EKS Pod Identities add the ability to manage credentials for your application in the same way that EC2 instance profiles provide credentials to EC2 instances. An EKS Pod Identity association maps an IAM role to a Kubernetes Service Account in a specified namespace of the cluster.
Configure EKS Pod Identity Agent
This assumes you have an Amazon EKS cluster running in your AWS account; if you don’t have one, you can create it by following Getting Started with Amazon EKS.
In my EKS console, I have a cluster named test-cluster running. Click on it and select the Add-ons tab.
Click on Get more add-ons and select Amazon EKS Pod Identity Agent.
Click Next > click Next again > click Create.
Configure Role and Service Account
Configure Role in IAM
Let’s create an IAM role that grants permission to access S3, so that my application running inside a pod in the EKS cluster can read from the bucket.
- In the IAM console > click Roles > Create role > select AWS service > Use case: EKS – Pod Identity > click Next > in Permissions, select “AmazonS3ReadOnlyAccess” (or, if you need it, create a custom policy with more restrictive permissions) > click Next > name the role “eks-pod-identity-role” > click Create role.
- Go back to the EKS cluster “test-cluster” > click on “test-cluster” > click on the Access tab > in the Access tab, click on Pod Identity associations.
Click on Create Pod Identity association > select the role created in the step above, “eks-pod-identity-role” > select the Kubernetes namespace > select the Kubernetes Service Account > click on Create.
Configure Pod to Service Account
To run a pod with the service account “aws-s3-access”, we will create a new pod that runs a container from the latest amazon/aws-cli image and try to access the S3 bucket.
After running the command, you will be in a bash shell inside the awscli container, where you can run commands against the AWS S3 service.
In Windows cmd:
kubectl run my-shell --rm -i --tty --image amazon/aws-cli:latest --overrides="{ \"spec\": { \"serviceAccount\": \"aws-s3-access\" } }" --command bash
In Linux terminal:
kubectl run my-shell --rm -i --tty --image amazon/aws-cli:latest --overrides='{ "spec": { "serviceAccount": "aws-s3-access" } }' --command bash
Confirm that the pod can interact with the AWS services allowed by the role associated with the service account.
Run “aws sts get-caller-identity” in the bash shell to see the role that was assumed to call the AWS service API.
Also, after exiting the shell, run the following command with the pod name my-shell (to verify the pod name, run “kubectl get pod”). The command below is for Windows cmd; on Linux, use grep instead of findstr:
kubectl describe pod my-shell | findstr "AWS_CONTAINER"
EKS Pod Identity exposes its credential API on http://169.254.170.23:80, and the AWS SDK automatically picks up Pod Identity credentials through the environment variables the agent sets on the pod (AWS_CONTAINER_CREDENTIAL_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE, which the command above prints).
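The walkthrough above done from the command line, as an added example that is not part of the original post: the role, trust policy and association are created with the AWS CLI and kubectl (names from the walkthrough are reused; the account id is a placeholder), and a small check function confirms from `kubectl describe pod` output that the agent actually injected the link-local credential endpoint and token file, which is the condition for the SDK to use Pod Identity rather than some other credential source.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the names from the
# walkthrough (test-cluster, namespace default, service account aws-s3-access,
# role eks-pod-identity-role); ACCOUNT_ID is a placeholder you must replace.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"   # placeholder account id
CLUSTER="test-cluster"; NAMESPACE="default"; SA="aws-s3-access"; ROLE="eks-pod-identity-role"

# CLI equivalent of the console steps. The trust policy allows only the EKS
# Pod Identity service principal to assume the role; sts:TagSession is
# required because the agent tags the session with cluster/namespace/SA.
create_role_and_association() {
  aws iam create-role --role-name "$ROLE" --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": { "Service": "pods.eks.amazonaws.com" },
      "Action": [ "sts:AssumeRole", "sts:TagSession" ]
    }]
  }'
  aws iam attach-role-policy --role-name "$ROLE" \
    --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
  kubectl create serviceaccount "$SA" -n "$NAMESPACE"
  aws eks create-pod-identity-association --cluster-name "$CLUSTER" \
    --namespace "$NAMESPACE" --service-account "$SA" \
    --role-arn "arn:aws:iam::${ACCOUNT_ID}:role/${ROLE}"
}

# Verification: given the output of `kubectl describe pod <name>`, return 0 only
# when the agent has injected the link-local credential endpoint AND a token
# file path. A pod missing either will fall back to other credential sources.
check_pod_identity_env() {
  uri=$(printf '%s\n' "$1" | sed -n 's/^ *AWS_CONTAINER_CREDENTIAL_FULL_URI: *//p')
  token=$(printf '%s\n' "$1" | sed -n 's/^ *AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE: *//p')
  [ "$uri" = "http://169.254.170.23/v1/credentials" ] || return 1
  [ -n "$token" ] || return 1
  return 0
}

# Constructed sample of the Environment block printed for a pod that uses the
# associated service account (what `kubectl describe pod my-shell` would show).
SAMPLE_ENV='    Environment:
      AWS_CONTAINER_CREDENTIAL_FULL_URI:       http://169.254.170.23/v1/credentials
      AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE:  /var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token'

if check_pod_identity_env "$SAMPLE_ENV"; then
  echo "pod identity credentials are wired up for this pod"
fi
```

Call create_role_and_association only once, with valid AWS and kubectl credentials; check_pod_identity_env can be fed the real describe output with `check_pod_identity_env "$(kubectl describe pod my-shell)"`.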
Reference Links
https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html
https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html

WRITTEN BY Kamlesh N