Assume a service account role in EKS
I have created an EKS cluster using eksctl. I am following these steps to establish connectivity to AWS services like S3 and CloudWatch using Spring Boot:
- Create EKS using eksctl. This has my service account details and OIDC enabled.
- List the service accounts to see if they were created fine.
- Create a deployment using the account name.
- Create a service.
I am seeing a 403 in the logs:
User: arn:aws:sts:account_id/nodegroup_rule_created_by_eks is not authorized to perform:
cloudformation:DescribeStackResources because no identity-based policy allows
the cloudformation:DescribeStackResources action (Service: AmazonCloudFormation; Status Code: 403;
Error Code: AccessDenied; Request ID: xxxx)
Can I get some help here to troubleshoot this issue, please?
What I have figured out after posting this issue is that my node, which is provisioned by eksctl, has been applied with rules. This is the rule which my app is picking up due to the default CredentialChain.
What I still haven't figured out is how to enable the apps in the pod to assume a service account role.
Here are relevant snippets from the yaml.
cluster-config.yaml file:

```yaml
iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: backend-stage-iam-role
        namespace: backend-stage
        labels: { aws-usage: "all-backend-allow" }
      attachPolicyARNs:
        - "arn:aws:iam::MY_CUSTOM_RULE_WHICH_ALLOWS_S3_LIST_GET_PUT"
```
deployment.yaml:

```yaml
spec:
  replicas: 8
  selector:
    matchLabels:
      app: my-app
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: backend-stage-iam-role
```
When describing the pod, I see that there exists an environment variable:

AWS_ROLE_ARN: arn:aws:iam::MY_CUSTOM_RULE_WHICH_ALLOWS_S3_LIST_GET_PUT

I still have to figure out how I can apply this role to the pod.
I'm not familiar with eksctl. But you can research IRSA (IAM Roles for Service Accounts) to solve your problem.
You will need to make sure that you are using a supported aws-sdk version for your application to leverage the IRSA feature. You can find out the list of supported aws-sdk versions here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html
If you are using the supported aws-sdk version and are still facing issues, it could be due to the missing aws-java-sdk-sts dependency in your application. Please review this GitHub issue comment and see if the workaround resolves your issue: https://github.com/aws/aws-sdk-java/issues/2283#issuecomment-854356994
Have you tried annotating the service account?

```yaml
annotations:
  eks.amazonaws.com/role-arn: arn:aws:iam::<some_account>:role/<irsa_role>
```
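The role-arn annotation above is only the first link: the EKS pod identity webhook must also inject AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE and mount a projected token with audience sts.amazonaws.com before the SDK can assume the role instead of falling back to the node role. The checker below is an added example, not code from this thread; the account ID, role name and the two manifests are constructed samples modelled on the question (in a real cluster they would come from kubectl get sa/pod -o json).

```python
"""Offline checker for the pod-side IRSA wiring that the EKS pod identity webhook should produce."""
import json

# Constructed sample: service account carrying the eks.amazonaws.com/role-arn annotation.
SERVICE_ACCOUNT = json.loads("""
{"metadata": {"name": "backend-stage-iam-role", "namespace": "backend-stage",
 "annotations": {"eks.amazonaws.com/role-arn":
   "arn:aws:iam::111122223333:role/EXAMPLE-irsa-role"}}}
""")

# Constructed sample: pod as it looks after the mutating webhook added env vars and the token volume.
POD = json.loads("""
{"spec": {"serviceAccountName": "backend-stage-iam-role",
 "containers": [{"name": "app", "env": [
    {"name": "AWS_ROLE_ARN", "value": "arn:aws:iam::111122223333:role/EXAMPLE-irsa-role"},
    {"name": "AWS_WEB_IDENTITY_TOKEN_FILE",
     "value": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}],
   "volumeMounts": [{"name": "aws-iam-token",
     "mountPath": "/var/run/secrets/eks.amazonaws.com/serviceaccount"}]}],
 "volumes": [{"name": "aws-iam-token", "projected": {"sources": [
    {"serviceAccountToken": {"audience": "sts.amazonaws.com", "path": "token"}}]}}]}}
""")

def irsa_findings(sa, pod):
    """Return a list of problems; an empty list means the pod-side IRSA chain is intact."""
    findings = []
    role_arn = sa["metadata"].get("annotations", {}).get("eks.amazonaws.com/role-arn")
    if not role_arn:
        findings.append("service account lacks eks.amazonaws.com/role-arn annotation")
    if pod["spec"].get("serviceAccountName") != sa["metadata"]["name"]:
        findings.append("pod does not use the annotated service account")
    # The SDK exchanges a projected token minted for the STS audience; other audiences are rejected.
    audiences = {s["serviceAccountToken"]["audience"]
                 for v in pod["spec"].get("volumes", [])
                 for s in v.get("projected", {}).get("sources", [])
                 if "serviceAccountToken" in s}
    if "sts.amazonaws.com" not in audiences:
        findings.append("no projected token with audience sts.amazonaws.com")
    for c in pod["spec"]["containers"]:
        env = {e["name"]: e.get("value") for e in c.get("env", [])}
        if env.get("AWS_ROLE_ARN") != role_arn:
            findings.append(f"{c['name']}: AWS_ROLE_ARN missing or differs from annotation")
        if not env.get("AWS_WEB_IDENTITY_TOKEN_FILE"):
            findings.append(f"{c['name']}: AWS_WEB_IDENTITY_TOKEN_FILE not injected")
    return findings

if __name__ == "__main__":
    print(irsa_findings(SERVICE_ACCOUNT, POD) or "pod-side IRSA wiring looks complete")
```

If every check passes and the application still acts as the node role, the SDK version or the missing aws-java-sdk-sts dependency mentioned in the earlier answer is the remaining suspect.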
I have done that. I have OIDC on my cluster, created roles and policies, and associated that as a service account.