Kubernetes


Introduction

In my previous blog post, AWS With Federated Identity Using OpenID Connector, I explained how I used OpenID Connect with an AWS IAM Role.

In this new blog post, I describe how I linked the previously created IAM Role with a Kubernetes service account.

What is a Kubernetes Service Account?

A Kubernetes Service Account is an entity in a Kubernetes cluster that provides a distinct identity to callers of the Kubernetes API.

To interact with the cloud environment, you link the Kubernetes service account to a cloud-side role resource, e.g. an AWS IAM Role.

Use Case

I needed a Kubernetes rolling update so that the pods could move to a new Docker image with zero downtime. The use case is this: we have a CI/CD pipeline (GitHub Actions) that runs the following steps on each commit:

  • Run tests and build the app.
  • Create a new Docker image.
  • Push the Docker image to AWS ECR.
  • Do a Kubernetes rolling update for the new image.

EKS allows Kubernetes API calls only for the IAM User that created the EKS cluster. For any other IAM User or Role, create a Kubernetes service account and link it with an IAM Role.

Create the service account:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: github-service-account
  namespace: demo1

Then create a Kubernetes role:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: github-role
  namespace: demo1
rules:
  - apiGroups:
...

And a role binding between the service account and the role:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: github-rolebinding
  namespace: demo1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: github-role
subjects:
  - kind: ServiceAccount
    name: github-service-account
    namespace: demo1

Apply these entities to your Kubernetes cluster.

Finally, link the service account with the AWS IAM role that your CI/CD pipeline assumes, for example:

eksctl create iamidentitymapping --cluster $EKS_CLUSTER_NAME --arn $AWS_GITHUB_IAM_ROLE_ARN --username github-service-account --group system:masters

To keep this demo simple I used the group system:masters - in a real production environment you should create a more restricted group for deployments.

Now you are able to do the rolling update in your CI/CD pipeline:

kubectl rollout restart deployment deployment-demo1 -n demo1
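A least-privilege alternative to the system:masters mapping, as an added example that is not part of the original post. It assumes the group name github-deployers, the username github-deployer and the Role name github-deploy-role (none of which appear in the post) and reuses the post's cluster and ARN variables; it prints the manifest, the eksctl mapping command and the kubectl auth can-i checks to run after applying.

```shell
#!/bin/sh
# Added example, not from the original post: a namespace-scoped group in
# place of system:masters (which is bound to cluster-admin). The names
# github-deployers, github-deployer and github-deploy-role are assumptions.
NAMESPACE="${NAMESPACE:-demo1}"
DEPLOYMENT="${DEPLOYMENT:-deployment-demo1}"
K8S_GROUP="github-deployers"
K8S_USER="github-deployer"
# Role limited to the one Deployment the pipeline restarts: `rollout restart`
# patches it, `rollout status` lists/watches it with a metadata.name field
# selector, which RBAC permits under resourceNames.
rbac_manifest() {
  cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: github-deploy-role
  namespace: ${NAMESPACE}
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    resourceNames: ["${DEPLOYMENT}"]
    verbs: ["get", "list", "watch", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: github-deploy-rolebinding
  namespace: ${NAMESPACE}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: github-deploy-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: ${K8S_GROUP}
EOF
}
# aws-auth mapping: the IAM role lands in our group, not in system:masters.
iam_mapping_cmd() {
  echo "eksctl create iamidentitymapping --cluster $EKS_CLUSTER_NAME" \
    "--arn $AWS_GITHUB_IAM_ROLE_ARN --username $K8S_USER --group $K8S_GROUP"
}
# Checks to run after applying: the first must answer yes, the second no.
verify_cmds() {
  echo "kubectl auth can-i patch deployments/$DEPLOYMENT -n $NAMESPACE --as=$K8S_USER --as-group=$K8S_GROUP"
  echo "kubectl auth can-i delete namespaces --as=$K8S_USER --as-group=$K8S_GROUP"
}
```

Pipe rbac_manifest into kubectl apply -f -, run the printed eksctl command, then run the two verify commands; the pipeline's rollout restart then works with nothing beyond that one Deployment.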

Conclusions

In this blog post I described how to link a Kubernetes service account with an AWS IAM Role, so that the service account can be used to perform e.g. rolling updates of your Kubernetes deployments.

The writer is working at a major international IT corporation building cloud infrastructures and implementing applications on top of those infrastructures.

Kari Marttila

Kari Marttila’s Home Page in LinkedIn: https://www.linkedin.com/in/karimarttila/