Step 1: Configure the Amazon EKS cluster and set up IAM permissions

Configure the Amazon EKS cluster and create the IAM resources that are required to allow an Amazon EKS service account to connect to your Amazon Keyspaces table.
- Create an OpenID Connect (OIDC) provider for the Amazon EKS cluster. This is needed to use IAM roles for service accounts. For more information about OIDC providers and how to create them, see Creating an IAM OIDC provider for your cluster in the Amazon EKS User Guide.

  Create an IAM OIDC identity provider for your cluster with the following command. This example assumes that your cluster name is my-eks-cluster. If you have a cluster with a different name, remember to update the name in all future commands.

      eksctl utils associate-iam-oidc-provider --cluster my-eks-cluster --approve

  Confirm that the OIDC identity provider has been registered with IAM with the following command.

      aws iam list-open-id-connect-providers --region aws-region

  The output should look similar to this. Take note of the OIDC provider's Amazon Resource Name (ARN); you need it in the next step when you create a trust policy for the service account.

      {
          "OpenIDConnectProviderList": [
              ...
              {
                  "Arn": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.aws-region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
              }
          ]
      }
- Create a service account for the Amazon EKS cluster. Service accounts provide an identity for processes that run in a Pod. A Pod is the smallest and simplest Kubernetes object that you can use to deploy a containerized application. Next, create an IAM role that the service account can assume to obtain permissions to resources. You can access any AWS service from a Pod that has been configured to use a service account that can assume an IAM role with access permissions to that service.

  Create a new namespace for the service account. A namespace helps to isolate cluster resources created for this tutorial. You can create a new namespace using the following command.

      kubectl create namespace my-eks-namespace

  To use a custom namespace, you have to associate it with a Fargate profile. The following code is an example of this.

      eksctl create fargateprofile \
          --cluster my-eks-cluster \
          --name my-fargate-profile \
          --namespace my-eks-namespace \
          --labels *=*

  Create a service account with the name my-eks-serviceaccount in the namespace my-eks-namespace for your Amazon EKS cluster by using the following command.

      cat >my-serviceaccount.yaml <<EOF
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: my-eks-serviceaccount
        namespace: my-eks-namespace
      EOF
      kubectl apply -f my-serviceaccount.yaml

  Run the following command to create a trust policy file that instructs the IAM role to trust your service account. This trust relationship is required before a principal can assume a role. You need to make the following edits to the file:

  - For the Principal, enter the ARN that IAM returned to the list-open-id-connect-providers command. The ARN contains your account number and Region.
  - In the condition statement, replace the AWS Region and the OIDC id.
  - Confirm that the service account name and namespace are correct.

  You need to attach the trust policy file in the next step when you create the IAM role.

      cat >trust-relationship.json <<EOF
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.aws-region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
                  },
                  "Action": "sts:AssumeRoleWithWebIdentity",
                  "Condition": {
                      "StringEquals": {
                          "oidc.eks.aws-region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:my-eks-namespace:my-eks-serviceaccount",
                          "oidc.eks.aws-region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com"
                      }
                  }
              }
          ]
      }
      EOF

  Optional: You can also add multiple entries in the StringEquals or StringLike conditions to allow multiple service accounts or namespaces to assume the role. To allow your service account to assume an IAM role in a different AWS account, see Cross-account IAM permissions in the Amazon EKS User Guide.
- Create an IAM role with the name my-iam-role for the Amazon EKS service account to assume. Attach the trust policy file created in the last step to the role. The trust policy specifies the service account and OIDC provider that the IAM role can trust.

      aws iam create-role --role-name my-iam-role --assume-role-policy-document file://trust-relationship.json --description "EKS service account role"

- Assign the IAM role permissions to Amazon Keyspaces by attaching an access policy.

  Attach an access policy to define the actions the IAM role can perform on specific Amazon Keyspaces resources. For this tutorial we use the AWS managed policy AmazonKeyspacesFullAccess, because our application is going to write data to your Amazon Keyspaces table. As a best practice, however, it's recommended to create custom access policies that implement the principle of least privilege. For more information, see How Amazon Keyspaces works with IAM.

      aws iam attach-role-policy --role-name my-iam-role --policy-arn=arn:aws:iam::aws:policy/AmazonKeyspacesFullAccess

  Confirm that the policy was successfully attached to the IAM role with the following statement.

      aws iam list-attached-role-policies --role-name my-iam-role

  The output should look like this.

      {
          "AttachedPolicies": [
              {
                  "PolicyName": "AmazonKeyspacesFullAccess",
                  "PolicyArn": "arn:aws:iam::aws:policy/AmazonKeyspacesFullAccess"
              }
          ]
      }
  Annotate the service account with the Amazon Resource Name (ARN) of the IAM role it can assume. Make sure to update the role ARN with your account ID.

      kubectl annotate serviceaccount -n my-eks-namespace my-eks-serviceaccount eks.amazonaws.com/role-arn=arn:aws:iam::111122223333:role/my-iam-role
- Confirm that the IAM role and the service account are correctly configured.

  Confirm that the IAM role's trust policy is correctly configured with the following statement.

      aws iam get-role --role-name my-iam-role --query Role.AssumeRolePolicyDocument

  The output should look similar to this.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.aws-region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
                  },
                  "Action": "sts:AssumeRoleWithWebIdentity",
                  "Condition": {
                      "StringEquals": {
                          "oidc.eks.aws-region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com",
                          "oidc.eks.aws-region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:my-eks-namespace:my-eks-serviceaccount"
                      }
                  }
              }
          ]
      }

  Confirm that the Amazon EKS service account is annotated with the IAM role.

      kubectl describe serviceaccount my-eks-serviceaccount -n my-eks-namespace

  The output should look similar to this.

      Name:                my-eks-serviceaccount
      Namespace:           my-eks-namespace
      Labels:              <none>
      Annotations:         eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/my-iam-role
      Image pull secrets:  <none>
      Mountable secrets:   <none>
      Tokens:              <none>
      [...]
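The trust policy written to trust-relationship.json above, and the document that aws iam get-role returns in this verification step, both have to pin the role to one OIDC provider, one service account and the sts.amazonaws.com audience. The following Python script is an added example and is not part of the tutorial or of any AWS tooling: it builds that trust policy from the OIDC provider ARN, namespace and service account name, and it checks a trust policy document (for instance the JSON returned by aws iam get-role --query Role.AssumeRolePolicyDocument) for the ways it can be looser than intended: a missing :sub condition, a wildcard in :sub, a wrong :aud, a wrong federated principal or extra actions. The ARN, account ID, Region and names are the tutorial's placeholders, used here as constructed sample values.

```python
import json

# Constructed sample values that mirror the tutorial's placeholders; replace them with
# the ARN returned by `aws iam list-open-id-connect-providers` and your own names.
OIDC_PROVIDER_ARN = (
    "arn:aws:iam::111122223333:oidc-provider/"
    "oidc.eks.aws-region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
)
NAMESPACE = "my-eks-namespace"
SERVICE_ACCOUNT = "my-eks-serviceaccount"
AUDIENCE = "sts.amazonaws.com"


def oidc_issuer_from_arn(provider_arn):
    """Return the issuer path after ':oidc-provider/'; it prefixes the condition keys."""
    marker = ":oidc-provider/"
    idx = provider_arn.find(marker)
    if idx < 0:
        raise ValueError("not an IAM OIDC provider ARN: %s" % provider_arn)
    return provider_arn[idx + len(marker):]


def build_trust_policy(provider_arn, namespace, service_account):
    """Build the tutorial's trust policy, pinned to exactly one service account."""
    issuer = oidc_issuer_from_arn(provider_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        issuer + ":sub": "system:serviceaccount:%s:%s" % (namespace, service_account),
                        issuer + ":aud": AUDIENCE,
                    }
                },
            }
        ],
    }


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, provider_arn, namespace, service_account):
    """Return findings for every Allow statement that is looser than the tutorial's policy.

    An empty list means: the federated principal is this cluster's OIDC provider, only
    sts:AssumeRoleWithWebIdentity is allowed, :aud is sts.amazonaws.com, and :sub is
    pinned to the one namespace/service-account pair without wildcards.
    """
    issuer = oidc_issuer_from_arn(provider_arn)
    expected_sub = "system:serviceaccount:%s:%s" % (namespace, service_account)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if federated != provider_arn:
            findings.append("Principal.Federated %r is not the cluster's OIDC provider ARN" % (federated,))
        if _as_list(stmt.get("Action")) != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append("Action should be exactly sts:AssumeRoleWithWebIdentity")
        condition = stmt.get("Condition", {})
        equals = condition.get("StringEquals", {})
        like = condition.get("StringLike", {})
        subs = _as_list(equals.get(issuer + ":sub")) + _as_list(like.get(issuer + ":sub"))
        if not subs:
            findings.append("no :sub condition: any service account in the cluster could assume the role")
        for sub in subs:
            if "*" in sub or "?" in sub:
                findings.append("wildcard in :sub %r widens which service accounts may assume the role" % sub)
            elif sub != expected_sub:
                findings.append(":sub %r does not name %s" % (sub, expected_sub))
        if _as_list(equals.get(issuer + ":aud")) != [AUDIENCE]:
            findings.append(":aud condition missing or not %s" % AUDIENCE)
    return findings


def trust_policy_json(provider_arn, namespace, service_account):
    """The document as you would write it to trust-relationship.json."""
    return json.dumps(build_trust_policy(provider_arn, namespace, service_account), indent=4)


if __name__ == "__main__":
    print(trust_policy_json(OIDC_PROVIDER_ARN, NAMESPACE, SERVICE_ACCOUNT))
```

To check a deployed role, feed the output of aws iam get-role --role-name my-iam-role --query Role.AssumeRolePolicyDocument through json.loads and pass it to check_trust_policy together with your provider ARN, namespace and service account name; any finding means a broader set of Pods than the one service account can obtain the role's Amazon Keyspaces permissions.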
After you have created the Amazon EKS service account and the IAM role, and configured the required relationships and permissions, proceed to Step 2: Configure the application.