In my previous blog post AWS With Federated Identity Using OpenID Connector, I explained how I used OpenID with an AWS IAM Role.
In this new blog post, I describe how I linked the previously created IAM Role with a Kubernetes service account.
What is a Kubernetes Service Account?
A Kubernetes Service Account is an entity in a Kubernetes cluster that provides a distinct identity for calling the Kubernetes API; on its own it carries no permissions, those come from the RBAC Roles bound to it.
To connect that Kubernetes identity with the cloud environment, you link the service account to a cloud identity such as an AWS IAM Role. In this post the link runs from the cloud side in: the IAM Role that the CI/CD pipeline assumes is mapped to the Kubernetes identity, so the pipeline can call the cluster's API with only the permissions that identity has.
I needed to do a Kubernetes rolling update to provide a zero-downtime update for the Kubernetes pods to use a new Docker image. The use case is this. We have a CI/CD pipeline (GitHub Actions) that does the following steps with each commit:
- Run tests and build the app.
- Create a new Docker image.
- Push the Docker image to AWS ECR.
- Do a Kubernetes rolling update for the new image.
EKS automatically grants cluster-admin access (the system:masters group) to the IAM principal that created the cluster, and nothing to any other principal. Another IAM User or Role can only call the Kubernetes API after it has been mapped to a Kubernetes user name and groups in the cluster's aws-auth ConfigMap, and that Kubernetes identity must be authorized by RBAC for what the pipeline actually does, here a rolling update in one namespace. So the approach is: create a Kubernetes service account with a namespace-scoped Role on the cluster side, then link the IAM Role to it.
Create the service account:
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: github-service-account
  namespace: demo1
Then create a Kubernetes role:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: github-role
  namespace: demo1
rules:
  - apiGroups: ...
And a role binding between the service account and the role:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: github-rolebinding
  namespace: demo1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: github-role
subjects:
  - namespace: demo1
    kind: ServiceAccount
    name: github-service-account
Apply these manifests to your Kubernetes cluster.
Finally, link the AWS IAM Role that your CI/CD pipeline assumes to the Kubernetes identity. eksctl does this by adding a mapRoles entry to the aws-auth ConfigMap, for example:
eksctl create iamidentitymapping --cluster $EKS_CLUSTER_NAME --arn $AWS_GITHUB_IAM_ROLE_ARN --username github-service-account --group system:masters
To make things easier for this demo, I used group system:masters. That group is cluster-admin, so anything that can assume the IAM Role (every workflow run in the repository, in this case) gets full control of the cluster; in a real production environment map the role to a dedicated group and bind only the Role the deployment needs. Note also that the --username value is a plain Kubernetes user name: a RoleBinding whose subject is the ServiceAccount github-service-account only matches requests made as the user system:serviceaccount:demo1:github-service-account, so without system:masters the mapping above would not be authorized by the binding shown earlier. Either bind the Role to a User or Group subject that matches the mapping, or map the IAM Role to that system:serviceaccount user name.
Now the CI/CD pipeline, running with the mapped IAM Role's credentials, is able to do the rolling update:
kubectl rollout restart deployment deployment-demo1 -n demo1
Keep in mind that kubectl rollout restart only recreates the pods; they start the image just pushed to ECR only if the Deployment references a mutable tag (such as latest) with imagePullPolicy: Always. If each build pushes an immutable tag, update the Deployment's image instead (for example with kubectl set image) so the rollout points at the new tag.
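The whole procedure as one script, added here as an example; it is not code from the original post. It keeps the post's namespace and deployment names but makes three changes that are my assumptions, not the post's: the Role rules, which the post elides, are filled in with only what kubectl rollout restart and rollout status need (get, list, watch, patch on Deployments); the IAM Role is mapped to a dedicated Kubernetes user github-deployer and group github-deployers instead of system:masters, and the RoleBinding subject is that Group so the mapping and the binding actually match; and the aws-auth mapRoles entry that eksctl create iamidentitymapping writes is rendered as text so it can be reviewed or kept in version control. The kubectl auth can-i checks at the end of setup confirm the mapped identity can patch Deployments and cannot, for instance, delete pods, before the pipeline depends on it.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): map a GitHub Actions IAM role to a
# least-privilege Kubernetes identity on EKS and run the rolling update with it.
# Assumed names: namespace demo1, deployment deployment-demo1, Kubernetes user
# github-deployer, Kubernetes group github-deployers.
set -eu

NAMESPACE="${NAMESPACE:-demo1}"
DEPLOYMENT="${DEPLOYMENT:-deployment-demo1}"
K8S_USER="${K8S_USER:-github-deployer}"      # Kubernetes user name the IAM role maps to
K8S_GROUP="${K8S_GROUP:-github-deployers}"   # Kubernetes group that carries the RBAC binding

# Render the RBAC manifests. The Role grants only what `kubectl rollout restart`
# (a PATCH on the Deployment) and `kubectl rollout status` (get/watch) need.
# The RoleBinding subject is the Group from the aws-auth mapping, not a
# ServiceAccount object, so the two sides match.
render_rbac() {
  cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: github-role
  namespace: ${NAMESPACE}
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: github-rolebinding
  namespace: ${NAMESPACE}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: github-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: ${K8S_GROUP}
EOF
}

# Render the aws-auth ConfigMap mapRoles entry that
# `eksctl create iamidentitymapping` adds, so the mapping can be reviewed.
render_aws_auth_entry() {
  local role_arn="$1"
  cat <<EOF
- rolearn: ${role_arn}
  username: ${K8S_USER}
  groups:
    - ${K8S_GROUP}
EOF
}

# One-time setup, run by a cluster admin: apply RBAC, add the mapping, verify it.
setup() {
  local cluster="$1" role_arn="$2"
  render_rbac | kubectl apply -f -
  eksctl create iamidentitymapping --cluster "${cluster}" --arn "${role_arn}" \
    --username "${K8S_USER}" --group "${K8S_GROUP}"
  # Positive check: the mapped identity can restart the deployment (exit 1 if "no").
  kubectl auth can-i patch deployments -n "${NAMESPACE}" \
    --as "${K8S_USER}" --as-group "${K8S_GROUP}"
  # Negative check: it must not have permissions outside the Role.
  if kubectl auth can-i delete pods -n "${NAMESPACE}" \
       --as "${K8S_USER}" --as-group "${K8S_GROUP}" >/dev/null; then
    echo "mapping is over-privileged: ${K8S_USER} can delete pods" >&2
    return 1
  fi
}

# Pipeline step, run with the GitHub IAM role's credentials (AWS_REGION must be set).
deploy() {
  aws sts get-caller-identity --query Arn --output text   # confirm the assumed role
  aws eks update-kubeconfig --name "$1" --region "${AWS_REGION:?AWS_REGION is required}"
  kubectl rollout restart "deployment/${DEPLOYMENT}" -n "${NAMESPACE}"
  kubectl rollout status "deployment/${DEPLOYMENT}" -n "${NAMESPACE}" --timeout=5m
}

case "${1:-}" in
  setup)  setup "$2" "$3" ;;   # ./deploy.sh setup <cluster> <iam-role-arn>
  deploy) deploy "$2" ;;       # ./deploy.sh deploy <cluster>
  *)      render_rbac ;;       # no arguments: print the manifests for review
esac
```

Run `./deploy.sh setup $EKS_CLUSTER_NAME $AWS_GITHUB_IAM_ROLE_ARN` once as the cluster creator (or another admin), and `./deploy.sh deploy $EKS_CLUSTER_NAME` from the GitHub Actions job after it has assumed the IAM Role. With no arguments the script only prints the RBAC manifests, which is handy for checking them into the repository next to the workflow.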
In this blog post I described how you can link a Kubernetes service account with an AWS IAM Role, so that you are able to use the service account to do e.g. rolling updates in your Kubernetes deployments.
The writer is working at a major international IT corporation building cloud infrastructures and implementing applications on top of those infrastructures.
- Kari Marttila's Home Page on LinkedIn: https://www.linkedin.com/in/karimarttila/