Assume a service account role in EKS

0

I have created an EKS cluster using eksctl. I am following these steps to establish connectivity to AWS services like S3 and CloudWatch using Spring Boot.

  1. Create EKS using eksctl - This has my service account details and OIDC enabled.
  2. List the service accounts to see if they were created fine
  3. Create a deployment using the account name
  4. Create a service

I am seeing a 403 in the logs:

User: arn:aws:sts:account_id/nodegroup_rule_created_by_eks is not authorized to perform: 
cloudformation:DescribeStackResources because no identity-based policy allows 
the cloudformation:DescribeStackResources action (Service: AmazonCloudFormation; Status Code: 403; 
Error Code: AccessDenied; Request ID: xxxx)

Can I get some help here to troubleshoot this issue, please?


What I have figured out after posting this issue is that my node, which is provisioned by eksctl, has had a role applied to it. This is the role which my app is picking up due to the default credential chain.

What I still haven't figured out is how I enable the apps in the pod to assume a service account role.


Here are relevant snippets from the yaml.

cluster-config.yaml file:

iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: backend-stage-iam-role
        namespace: backend-stage
        labels: { aws-usage: "all-backend-allow" }
      attachPolicyARNs:
        - "arn:aws:iam::MY_CUSTOM_RULE_WHICH_ALLOWS_S3_LIST_GET_PUT"

deployment.yaml

spec:
  replicas: 8
  selector:
    matchLabels:
      app: my-app
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: backend-stage-iam-role

When describing the pod, I see that there is an environment variable:

AWS_ROLE_ARN: arn:aws:iam::MY_CUSTOM_RULE_WHICH_ALLOWS_S3_LIST_GET_PUT

I still need to figure out how I can apply this role to the pod.

Asked 2 years ago, 1552 views
3 answers
0

I'm not familiar with eksctl. But you can research IRSA (IAM Roles for Service Accounts) to solve your problem.

Expert
Answered 2 years ago
  • I have done that. I have OIDC on my cluster, created roles and policies, associated that as a service account.

0

You will need to make sure that you are using a supported aws-sdk version for your application to leverage the IRSA feature. You can find out the list of supported aws-sdk versions here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html

If you are using a supported aws-sdk version and are still facing issues, it could be due to the missing aws-java-sdk-sts dependency in your application. Please review this GitHub issue comment and see if the workaround resolves your issue: https://github.com/aws/aws-sdk-java/issues/2283#issuecomment-854356994

AWS
Support Engineer
Answered 2 years ago
0

Have you tried annotating the service account?

annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<some_account>:role/<irsa_role>
Answered 2 years ago
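A way to verify, from inside the pod, that the IRSA wiring the answers above describe is actually in place: the pod-identity webhook injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, and the projected token's audience and subject must match the role's trust policy (audience sts.amazonaws.com, subject system:serviceaccount:<namespace>:<serviceaccount>). This is an added example, not code from the thread; the sample claims, account id and role name are constructed placeholders, and the token is inspected only, not signature-checked.

```python
import base64
import json

# Constructed sample claims, shaped like the token EKS projects into the pod.
SAMPLE_CLAIMS = {
    "aud": ["sts.amazonaws.com"], "iat": 1700000000, "exp": 1700003600,
    "iss": "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID",
    "sub": "system:serviceaccount:backend-stage:backend-stage-iam-role",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    # Build a JWT-shaped string with a fake signature; STS verifies real signatures, not this script.
    header = b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.fakesignature"

def token_claims(token: str) -> dict:
    # JWT segments are unpadded base64url; restore padding before decoding the payload.
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_irsa(env: dict, token: str, namespace: str, sa_name: str, now: int) -> list:
    """Return findings; an empty list means the pod is wired for IRSA as expected."""
    findings = []
    if not env.get("AWS_ROLE_ARN", "").startswith("arn:aws:iam::"):
        findings.append("AWS_ROLE_ARN unset: service account lacks the eks.amazonaws.com/role-arn annotation")
    if not env.get("AWS_WEB_IDENTITY_TOKEN_FILE"):
        findings.append("AWS_WEB_IDENTITY_TOKEN_FILE unset: pod was not mutated by the pod-identity webhook")
    claims = token_claims(token)
    aud = claims.get("aud", [])
    if "sts.amazonaws.com" not in ([aud] if isinstance(aud, str) else aud):
        findings.append("token audience is not sts.amazonaws.com; the role trust policy will reject it")
    expected = f"system:serviceaccount:{namespace}:{sa_name}"
    if claims.get("sub") != expected:
        findings.append(f"token subject {claims.get('sub')!r} != {expected!r}; check serviceAccountName")
    if claims.get("exp", 0) <= now:
        findings.append("token expired; kubelet rotates it, so check node clock and kubelet logs")
    return findings

if __name__ == "__main__":
    token = make_token(SAMPLE_CLAIMS)
    annotated = {"AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/backend-stage-iam-role",
                 "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}
    for label, env in (("annotated pod", annotated), ("unannotated pod", {})):
        print(label, check_irsa(env, token, "backend-stage", "backend-stage-iam-role", 1700000100) or "OK")
```

In a real pod, pass dict(os.environ) and the contents of the file named by AWS_WEB_IDENTITY_TOKEN_FILE instead of the constructed values; if the findings are empty but the SDK still uses the node role, the SDK version or missing STS module from the second answer is the next thing to check.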
