Starting today, you can use Amazon EKS Pod Identity to simplify your applications that access AWS services. This enhancement provides you with a seamless and easy to configure experience that lets you define required IAM permissions for your applications in Amazon Elastic Kubernetes Service (Amazon EKS) clusters so you can connect with AWS services outside the cluster.
Amazon EKS Pod Identity helps you solve growing challenges for managing permissions across many of your EKS clusters.
Simplifying experience with Amazon EKS Pod Identity
In 2019, we introduced IAM roles for service accounts (IRSA). IRSA lets you associate an IAM role with a Kubernetes service account. This helps you to implement the principle of least privilege by giving pods only the permissions they need. This approach prioritizes pods in IAM and helps developers configure applications with fine-grained permissions that enable the least privileged access to AWS services.
Now, with Amazon EKS Pod Identity, it’s even easier to configure and automate granting AWS permissions to Kubernetes identities. As the cluster administrator, you no longer need to switch between Amazon EKS and IAM services to authenticate your applications to all AWS resources.
The overall workflow to start using Amazon EKS Pod Identity can be summarized in a few simple steps:
- Step 1: Create an IAM role with required permissions for your application and specify
pods.eks.amazonaws.comas the service principal in its trust policy. - Step 2: Install Amazon EKS Pod Identity Agent add-on using the Amazon EKS console or AWS Command Line Interface (AWS CLI).
- Step 3: Map the role to a service account directly in the Amazon EKS console, APIs, or AWS CLI.
Once it’s done, any new pods that use that service account will automatically be configured to receive IAM credentials.
Let’s get started
Let me show you how you can get started with EKS Pod Identity. For the demo in this post, I need to configure permission for a simple API running in my Amazon EKS cluster, which will return the list of files in my Amazon Simple Storage Service (Amazon S3) bucket.
First, I need to create an IAM role to provide the required permissions so my applications can run properly. In my case, I need to configure permissions to access my S3 bucket.
Next, on the same IAM role, I need to configure its trust policy and configure the principal to pods.eks.amazonaws.com. The following is the IAM template that I use:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "pods.eks.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
}At this stage, my IAM role is ready, and now we need to configure the Amazon EKS Pod Identity Agent in my cluster. For this article, I’m using my existing EKS cluster. If you want to learn how to do that, visit Getting started with Amazon EKS.
Moving on, I navigate to the Amazon EKS dashboard and then select my EKS cluster.
In my EKS cluster page, I need to select the Add-ons tab and then choose Get more add-ons.
Then, I need to add the Amazon EKS Pod Identity Agent add-on.
On the next page, I can add additional configuration if needed. In this case, I leave the default configuration and choose Next.
Then, I just need to review my add-on configuration and choose Create.
After a few minutes, the Amazon EKS Pod Identity Agent add-on is active for my cluster.
Once I have Amazon EKS Pod Identity in my cluster, I need to associate the IAM role to my Kubernetes pods.
I need to navigate to the Access tab in my EKS cluster. On the Pod Identity associations section, I select Create Pod Identity association to map my IAM role to Kubernetes pods.
Here, I use the IAM role that I created in the beginning. I also need to define my Kubernetes namespace and service account. If they don’t exist yet, I can type in the name of the namespace and service account. If they already exist, I can select them from the dropdown. Then, I choose Create.
Those are all the steps I need to do to configure IAM permissions for my applications running on Amazon EKS with EKS Pod Identity. Now, I can see my IAM role is listed in Pod Identity associations.
When I test my API running on Amazon EKS, it runs as expected and returns the list of files in my S3 bucket.
curl -X https://<API-URL> -H "Accept: application/json"
{
"files": [
"test-file-1.md",
"test-file-2.md"
]
}I found that Amazon EKS Pod Identity simplifies the experience of managing IAM roles for my applications running on Amazon EKS. I can easily reuse IAM roles across multiple EKS clusters without needing to update the role trust policy each time a new cluster is created.
New AWS APIs to configure EKS Pod Identity
You also have the flexibility to configure Amazon EKS Pod Identity for your cluster using AWS CLI. Amazon EKS Pod Identity provides a new set of APIs that you can use.
For example, I can use aws eks create-addon to install the Amazon EKS Pod Identity Agent add-on into my cluster. Here’s the AWS CLI command:
$ aws eks create-addon
--cluster-name <CLUSTER_NAME>
--addon-name eks-pod-identity-agent
--addon-version v1.0.0-eksbuild.1
{
"addon": {
"addonName": "eks-pod-identity-agent",
"clusterName": "<CLUSTER_NAME>",
"status": "CREATING",
"addonVersion": "v1.0.0-eksbuild.1",
"health": {
"issues": []
},
"addonArn": "<ARN>",
"createdAt": 1697734297.597,
"modifiedAt": 1697734297.612,
"tags": {}
}
}Another example of what you can do with AWS APIs is to map the IAM role into your Kubernetes pods.
$ aws eks create-pod-identity-association
--cluster-name <CLUSTER_NAME>
--namespace <NAMESPACE>
--service-account <SERVICE_ACCOUNT_NAME>
--role-arn <IAM_ROLE_ARN>Things to know
Availability – Amazon EKS Pod Identity is available in all AWS Regions supported by Amazon EKS, except the AWS GovCloud (US-East), AWS GovCloud (US-West), China (Beijing, operated by Sinnet), and China (Ningxia, operated by NWCD).
Pricing – Amazon EKS Pod Identity is available at no charge.
Supported Amazon EKS cluster – Amazon EKS Pod Identity supports Kubernetes running version 1.24 and above in Amazon EKS. You can see EKS Pod Identity cluster versions for more information.
Supported AWS SDK versions – You need to update your application to use the latest AWS SDK versions. Check out AWS developer tools to find out how to install and update your AWS SDK.
Get started today and visit EKS Pod Identities documentation page to learn more about how to simplify IAM management for your applications.
Happy building!
— Donnie
