Assume a service account role in EKS

0

I have created an EKS cluster using eksctl. I am following these steps to establish connectivity to AWS services like S3 and CloudWatch using Spring Boot.

  1. Create EKS using eksctl - This has my service account details and OIDC enabled.
  2. List the service accounts to see if they were created fine
  3. Create a deployment using the account name
  4. Create a service

I am seeing a 403 in the logs:

User: arn:aws:sts:account_id/nodegroup_rule_created_by_eks is not authorized to perform: 
cloudformation:DescribeStackResources because no identity-based policy allows 
the cloudformation:DescribeStackResources action (Service: AmazonCloudFormation; Status Code: 403; 
Error Code: AccessDenied; Request ID: xxxx)

Can I get some help here to troubleshoot this issue, please?


What I have figured out after posting this issue is that my node, which is provisioned by eksctl, has had a role applied to it. This is the role which my app is picking up due to the default CredentialChain.

What I still haven't figured out is how to enable the apps in the pod to assume a service account role.


Here are relevant snippets from the yaml.

cluster-config.yaml file:

iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: backend-stage-iam-role
        namespace: backend-stage
        labels: { aws-usage: "all-backend-allow" }
      attachPolicyARNs:
        - "arn:aws:iam::MY_CUSTOM_RULE_WHICH_ALLOWS_S3_LIST_GET_PUT"

deployment.yaml

spec:
  replicas: 8
  selector:
    matchLabels:
      app: my-app
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: backend-stage-iam-role

When describing the pod, I see that there exists an environment variable:

AWS_ROLE_ARN: arn:aws:iam::MY_CUSTOM_RULE_WHICH_ALLOWS_S3_LIST_GET_PUT

I still have to figure out how I can apply this role to the pod.

asked 2 years ago, 1442 views
3 Answers
0

I'm not familiar with eksctl. But, you can research IRSA(IAM Role for Service Account) to solve your problem.

EXPERT
answered 2 years ago
  • I have done that. I have OIDC on my cluster, created roles and policies, associated that as a service account.

0

You will need to make sure that you are using a supported aws-sdk version for your application to leverage the IRSA feature. You can find out the list of supported aws-sdk versions here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html

If you are using a supported aws-sdk version and are still facing issues, it could be due to the missing aws-java-sdk-sts dependency in your application. Please review this GitHub issue comment and see if the workaround resolves your issue: https://github.com/aws/aws-sdk-java/issues/2283#issuecomment-854356994

AWS SUPPORT ENGINEER
answered 2 years ago
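The failure in the question (the app silently using the node's instance role) happens whenever the SDK's credential chain cannot use the web identity provider, which is exactly what a missing STS dependency or an old SDK causes. Before changing dependencies it helps to confirm that the pod itself is wired for IRSA: the webhook must have injected AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, and the projected token's claims must match what the role's trust policy checks. The script below is an added diagnostic, not code from the question or from the answers; the account id, role name and token claims it embeds are constructed samples, and the default token path is the one EKS projects into IRSA pods.

```python
"""Added diagnostic for IRSA (IAM Roles for Service Accounts) pods.

Not from the original post. It performs the checks a practitioner makes
when an app in an EKS pod keeps using the node role instead of the
service-account role: are the two environment variables injected by the
EKS pod identity webhook present, and does the projected token carry the
claims STS will evaluate against the role's trust policy? The sample
environment and token below are constructed, not captured from a cluster.
"""
import base64
import json
import os
import sys
import time
from typing import Callable, Dict, List

STS_AUDIENCE = "sts.amazonaws.com"
DEFAULT_TOKEN_PATH = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    Signature verification is STS's job; this only inspects what the
    kubelet projected into the pod, so it is a diagnostic, not an
    authentication step.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_irsa(env: Dict[str, str], namespace: str, sa_name: str,
               read_file: Callable[[str], str], now: float) -> List[str]:
    """Return a list of problems; an empty list means IRSA is wired up."""
    problems: List[str] = []
    role_arn = env.get("AWS_ROLE_ARN")
    if not role_arn:
        problems.append("AWS_ROLE_ARN is not set: the pod was not mutated by the "
                        "IRSA webhook, so the SDK falls back to the node role")
    elif ":role/" not in role_arn:
        problems.append(f"AWS_ROLE_ARN {role_arn!r} is not an IAM role ARN "
                        "(expected arn:aws:iam::<account>:role/<name>)")
    token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if not token_file:
        problems.append("AWS_WEB_IDENTITY_TOKEN_FILE is not set: nothing for the "
                        "SDK's web identity provider to exchange with STS")
        return problems
    try:
        claims = decode_jwt_claims(read_file(token_file))
    except (OSError, ValueError) as exc:
        problems.append(f"cannot read projected token {token_file}: {exc}")
        return problems
    # The trust policy normally conditions on these two claims; a mismatch
    # here means AssumeRoleWithWebIdentity will be denied.
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    if claims.get("sub") != expected_sub:
        problems.append(f"token sub {claims.get('sub')!r} != {expected_sub!r}: "
                        "the trust policy condition on :sub will not match")
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if STS_AUDIENCE not in aud:
        problems.append(f"token aud {aud!r} does not contain {STS_AUDIENCE!r}")
    if claims.get("exp", 0) <= now:
        problems.append("projected token is expired")
    return problems


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT (alg 'none') for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


SAMPLE_NOW = 1_700_000_000  # constructed clock value
SAMPLE_CLAIMS = {  # constructed claims, shaped like an EKS projected token
    "iss": "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE",
    "sub": "system:serviceaccount:backend-stage:backend-stage-iam-role",
    "aud": ["sts.amazonaws.com"],
    "exp": SAMPLE_NOW + 3600,
}
SAMPLE_ENV = {  # constructed: what a correctly mutated pod would show
    "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/backend-stage-s3-role",
    "AWS_WEB_IDENTITY_TOKEN_FILE": DEFAULT_TOKEN_PATH,
}


def run_sample() -> List[str]:
    token = make_sample_token(SAMPLE_CLAIMS)
    return check_irsa(SAMPLE_ENV, "backend-stage", "backend-stage-iam-role",
                      lambda _path: token, SAMPLE_NOW)


if __name__ == "__main__":
    # Inside a real pod: python3 irsa_check.py <namespace> <serviceaccount>
    ns = sys.argv[1] if len(sys.argv) > 1 else "backend-stage"
    sa = sys.argv[2] if len(sys.argv) > 2 else "backend-stage-iam-role"
    found = check_irsa(dict(os.environ), ns, sa,
                       lambda path: open(path).read().strip(), time.time())
    print("\n".join(found) if found else "IRSA environment looks correct")
```

If this reports no problems inside the pod but the 403 still names the node role, the pod side is fine and the issue is in the application's SDK: the web identity provider is being skipped, which is the SDK-version or missing-STS-module case described above.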
0

Have you tried annotating the service account?

annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<some_account>:role/<irsa_role>
answered 2 years ago
