How can containers access AWS resources?
Diving into IAM Roles for Service Accounts helped me get a high-level understanding, but the diagram below, taken from the doc above, gives a quick overview.
In my words:
- In AWS IAM, you create roles and attach policies to them; each policy is a list of permissions (allow/deny statements on actions and resources). You then bind a role to a Kubernetes service account by annotating the service account with the role ARN (the eks.amazonaws.com/role-arn annotation), and your pods run under that service account. The binding is on the service account, not on the container.
- Your EKS cluster has an OIDC issuer URL, and the Kubernetes API server issues projected service account tokens (JWTs) signed by the cluster. You register that issuer with IAM by creating an IAM OIDC identity provider for the cluster; the provider does not issue tokens, it tells IAM which issuer to trust.
- The IAM role's trust policy names that OIDC provider as a federated principal for sts:AssumeRoleWithWebIdentity, with conditions pinning the token's sub claim (system:serviceaccount:<namespace>:<name>) and aud claim (sts.amazonaws.com). The pod presents its projected token to STS and receives temporary AWS credentials for the role; without the sub condition, any service account in the cluster could assume it.
IAM Roles for Service Accounts (IRSA) was launched first, and Amazon EKS Pod Identity was launched later to further simplify the experience. Not going into details here; go through these docs for more info (or ask a chatbot about them).
How to use IRSA (for AWS EKS),
- Create an IAM OIDC provider for your cluster
- Assign IAM roles to Kubernetes service accounts
- Configure Pods to use a Kubernetes service account
- Use IRSA with the AWS SDK
These steps are clearly described in the doc above, but I'm listing them here to get an overview.
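The bullets under "In my words" and the four IRSA steps above, worked through as an added example (this is not code from the AWS docs or from this post). It builds the trust policy an IRSA role needs for one service account, audits a trust policy for the common mistake of leaving the sub or aud condition out, and models the check STS makes when a pod's projected token is exchanged for credentials. The account ID, cluster issuer URL, namespace and service account names are made-up values, and the token is a constructed, unsigned stand-in: a real projected token is signed by the cluster and STS verifies that signature, which this model skips.

```python
import base64
import fnmatch
import json

# Constructed, hypothetical account and cluster issuer; not real identifiers.
ACCOUNT_ID = "123456789012"
OIDC_ISSUER = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"


def provider_arn(account_id, issuer_url):
    """ARN of the IAM OIDC identity provider created for the cluster's issuer URL."""
    return f"arn:aws:iam::{account_id}:oidc-provider/{issuer_url.removeprefix('https://')}"


def irsa_trust_policy(account_id, issuer_url, namespace, service_account):
    """Trust policy for an IRSA role: the cluster's OIDC provider is the federated
    principal, and aud and sub are pinned so exactly one service account qualifies."""
    host_path = issuer_url.removeprefix("https://")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn(account_id, issuer_url)},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{host_path}:aud": "sts.amazonaws.com",
                f"{host_path}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def _conditions(stmt):
    """Flatten a statement's StringEquals/StringLike conditions into {key: (op, value)}."""
    out = {}
    for op in ("StringEquals", "StringLike"):
        for key, value in stmt.get("Condition", {}).get(op, {}).items():
            out[key] = (op, value)
    return out


def audit_trust_policy(policy):
    """Findings for Allow statements on AssumeRoleWithWebIdentity that are not pinned
    to one audience and one service account. An empty list means the policy is pinned."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        conds = _conditions(stmt)
        if not any(k.endswith(":aud") for k in conds):
            findings.append("no :aud condition; a token issued for another audience is accepted")
        sub_keys = [k for k in conds if k.endswith(":sub")]
        if not sub_keys:
            findings.append("no :sub condition; every service account in the cluster can assume the role")
        for key in sub_keys:
            op, value = conds[key]
            if op == "StringLike" and (value == "*" or value.endswith(":*:*")):
                findings.append(f"wildcard sub {value!r}; role is assumable from any namespace")
    return findings


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def projected_token(issuer, namespace, service_account):
    """Constructed, UNSIGNED stand-in for the token Kubernetes projects into the pod at
    /var/run/secrets/eks.amazonaws.com/serviceaccount/token. A real token is signed by
    the cluster and STS checks that signature; this model covers only the claims."""
    claims = {"iss": issuer, "aud": ["sts.amazonaws.com"],
              "sub": f"system:serviceaccount:{namespace}:{service_account}"}
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}."


def _decode_claims(token):
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def sts_would_allow(policy, token):
    """Model of the trust-policy check STS makes on AssumeRoleWithWebIdentity: the token's
    issuer must be the statement's federated provider, and every condition key
    (<issuer>:aud, <issuer>:sub) must match the corresponding token claim."""
    claims = _decode_claims(token)
    host_path = claims["iss"].removeprefix("https://")
    for stmt in policy.get("Statement", []):
        federated = stmt.get("Principal", {}).get("Federated", "")
        if stmt.get("Effect") != "Allow" or federated.split(":oidc-provider/")[-1] != host_path:
            continue  # issued by a cluster this role does not trust
        for key, (op, want) in _conditions(stmt).items():
            prefix, _, claim = key.rpartition(":")
            got = claims.get(claim)
            got = got if isinstance(got, list) else [got]
            same = fnmatch.fnmatchcase if op == "StringLike" else (lambda a, b: a == b)
            if prefix != host_path or not any(same(str(g), want) for g in got):
                break  # a condition failed; try the next statement
        else:
            return True
    return False
```

With the pinned policy only the default/s3-reader service account gets credentials; a token for another service account, another namespace, or another cluster's issuer is refused. Drop the sub condition and every service account in the cluster, including ones in namespaces other teams control, can assume the role. The annotation on the ServiceAccount is how the pod finds the role; the trust policy is the actual security boundary.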
OIDC is built on top of OAuth 2.0; recall the OAuth 2.0 architecture, and learn OIDC alongside it (OIDC is the identity layer that adds signed ID tokens, which is what IRSA relies on).
Create OIDC provider (AWS Console)
Other learnings: we were fixing an AWS S3 connectivity issue at work. The AWS SDK for Java BOM helped us keep all AWS SDK components at a uniform version; we needed to upgrade the SDK version. AWS SDK components can get access tokens while accessing AWS resources based on the IAM role set via the service account config on the pod.