
New EKS Pod Identity: Powerful Amazon EKS for Kubernetes Applications

EKS Pod Identity - Overview

An application running inside a pod in an Amazon EKS cluster can use the AWS SDK or AWS CLI to call AWS services with IAM (Identity and Access Management) permissions. EKS Pod Identity manages the credentials for that application, much as EC2 instance profiles provide credentials to EC2 instances. An EKS Pod Identity association maps an IAM role to a Service Account in a specified namespace of the Kubernetes cluster.

 

Configure EKS Pod Identity Agent

This walkthrough assumes you have an Amazon EKS cluster running in your AWS account. If you don’t have a running cluster, you can create one by visiting Getting Started with Amazon EKS.

In my EKS console page, I have a cluster named test-cluster running. Click on that and select Add-ons.

Click on Get more add-ons and select Amazon EKS Pod Identity Agent.

Click Next > Again click Next > click Create.

 


Configure Role and Service Account

Configure Role in IAM

Let’s create an IAM role that grants access to the S3 bucket, so that my application running inside a pod in the EKS cluster can access S3.

  1. In the IAM console > click on Role > Create Role > select AWS Service > Use case > EKS – Pod Identity > click Next > in permissions, select “AmazonS3ReadOnlyAccess” (if you need to, you can create a custom policy with more restrictive permissions instead) > click Next > provide a name for the Role, “eks-pod-identity-role” > click on Create Role.
  2. Go back to the EKS cluster “test-cluster” > click on “test-cluster” > click on the Access tab > in the Access tab, click on Pod Identity Association > click on Create Pod Identity Association > select the Role created in the above step, “eks-pod-identity-role” > select the Kubernetes namespace > select the Kubernetes Service Account > click on Create.
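The console steps above (add-on, role, association) can also be scripted. The following is an added example, not part of the original article: it reuses the article's names (test-cluster, eks-pod-identity-role, aws-s3-access), assumes the namespace default and a placeholder bucket example-bucket, and attaches a read-only policy scoped to that one bucket in place of AmazonS3ReadOnlyAccess.

```shell
#!/bin/sh
# Added example: CLI form of the console steps, with a bucket-scoped policy.
CLUSTER=test-cluster              # from the article
ROLE=eks-pod-identity-role        # from the article
SERVICE_ACCOUNT=aws-s3-access     # from the article
NAMESPACE=default                 # assumption
BUCKET=example-bucket             # placeholder, replace with your bucket

# Trust policy: only the EKS Pod Identity service principal may assume the role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "pods.eks.amazonaws.com" },
    "Action": ["sts:AssumeRole", "sts:TagSession"]
  }]
}
EOF
}

# Read-only access to a single bucket ($1) rather than every bucket in the account.
s3_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::$1", "arn:aws:s3:::$1/*"]
  }]
}
EOF
}

apply() {
  set -e
  aws eks create-addon --cluster-name "$CLUSTER" --addon-name eks-pod-identity-agent
  aws iam create-role --role-name "$ROLE" --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$ROLE" --policy-name s3-read-one-bucket \
    --policy-document "$(s3_policy "$BUCKET")"
  kubectl create serviceaccount "$SERVICE_ACCOUNT" --namespace "$NAMESPACE"
  role_arn=$(aws iam get-role --role-name "$ROLE" --query Role.Arn --output text)
  aws eks create-pod-identity-association --cluster-name "$CLUSTER" \
    --namespace "$NAMESPACE" --service-account "$SERVICE_ACCOUNT" --role-arn "$role_arn"
}
# Pass "apply" to create the resources; with no argument only the functions are defined.
if [ "${1:-}" = "apply" ]; then apply; fi
```

The trust policy is what limits role assumption to the Pod Identity service; the association then narrows it to one namespace and service account.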

 

Configure Pod to Service Account

To run a pod with the service account “aws-s3-access”, we will create a new pod that runs a container from the latest Amazon aws-cli image and try to access the S3 bucket.

After running the command, you will be in a bash shell inside the aws-cli container, and you can run commands to interact with the AWS S3 service.


In Windows cmd:
kubectl run my-shell --rm -i --tty --image amazon/aws-cli:latest --overrides="{ \"spec\": { \"serviceAccount\": \"aws-s3-access\" } }" --command bash
In Linux terminal:
kubectl run my-shell --rm -i --tty --image amazon/aws-cli:latest --overrides='{ "spec": { "serviceAccount": "aws-s3-access" } }' --command bash

Confirm that the Pod can interact with AWS services configured in the Role associated with a service account.

Run the command “aws sts get-caller-identity” in the bash shell and see the Role assumed to call the AWS service API.

Also, after exiting the shell, run the following command with the pod name my-shell (to verify the pod name, run the command “kubectl get pod”).

kubectl describe pod my-shell | findstr "AWS_CONTAINER"

The EKS Pod Identity Agent exposes its API on http://169.254.170.23:80, and the AWS SDK automatically picks up the pod identity from the environment variables set on the Pod, which the command above displays.

 


WRITTEN BY Kamlesh N
