IAM role with a Kubernetes service account

Rohit Raut
3 min read · Jun 14, 2022

Step 1 Create a cluster:

Step 2 Create the IAM OIDC identity provider for your cluster:

eksctl utils associate-iam-oidc-provider --cluster eksworkshop-eksctl --approve

Step 3 Create a role in IAM:

In the navigation panel, choose Roles, Create Role.

In the Select type of trusted entity section, choose Web identity.

In the Choose a web identity provider section:

  1. For the Identity providers, choose the URL for your cluster.
  2. For the Audience, choose sts.amazonaws.com.

Choose Next: Permissions.

In the Attach Policy section, select the IAM policy that has the permissions that you want your service account to use.

For Role Name, enter a name for your role and then choose Create Role.

After the role is created, choose the role in the console to open it for editing.

Choose the Trust relationships tab, and then choose Edit trust relationship.

Add the following key to the StringEquals condition of the trust policy, so that only the named service account can assume the role:

"oidc.eks.region-code.amazonaws.com/id/cluster_OIDC_provider_ID:sub": "system:serviceaccount:K8S_NAMESPACE:K8S_SERVICE_ACCOUNT_NAME"
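The full trust policy that this condition belongs to, assembled and checked by an added example (not code from the original post): the account ID, region and provider ID are placeholders, and the check flags a missing audience, a missing subject, or a wildcard subject, each of which lets more than the intended service account assume the role.

```python
import json

STS_AUDIENCE = "sts.amazonaws.com"

def build_trust_policy(account_id, region, provider_id, namespace, sa_name):
    """Trust policy for an IRSA role, pinned to exactly one service account."""
    provider = f"oidc.eks.{region}.amazonaws.com/id/{provider_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{provider}:aud": STS_AUDIENCE,  # token must be minted for STS
                f"{provider}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
            }},
        }],
    }

def _values(cond_map, suffix):
    """Collect condition values whose key ends with suffix (':aud' or ':sub')."""
    out = []
    for key, val in cond_map.items():
        if key.endswith(suffix):
            out.extend(val if isinstance(val, list) else [val])
    return out

def check_trust_policy(policy):
    """Findings for web-identity statements not pinned to the STS audience and one exact subject; [] means clean."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        if "sts:AssumeRoleWithWebIdentity" not in ([actions] if isinstance(actions, str) else actions):
            continue
        cond = stmt.get("Condition", {})
        equals, likes = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if _values(equals, ":aud") != [STS_AUDIENCE]:
            findings.append(f"statement {i}: audience is not pinned to {STS_AUDIENCE}")
        if not _values(equals, ":sub") and not _values(likes, ":sub"):
            findings.append(f"statement {i}: no :sub condition, any service account in the cluster qualifies")
        for sub in _values(likes, ":sub"):
            if "*" in sub or "?" in sub:
                findings.append(f"statement {i}: wildcard subject {sub!r} trusts more than one service account")
    return findings

if __name__ == "__main__":  # placeholder account and provider IDs, not real ones
    policy = build_trust_policy("111122223333", "us-east-1", "EXAMPLE0123456789", "default", "s3-access-test")
    print(json.dumps(policy, indent=2), check_trust_policy(policy))
```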

Attach Policy to the role:

Create a service account annotated with the role ARN (the namespace is not set here, so it is default; it must match K8S_NAMESPACE in the trust policy):

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    # role the pod's web-identity token may exchange for credentials
    eks.amazonaws.com/role-arn: arn:aws:iam::635916628368:role/eks-cluster-s3-full-access
  name: s3-access-test

Launch a pod that runs under the service account:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: myd
  name: myd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myd
  strategy: {}
  template:
    metadata:
      labels:
        app: myd
    spec:
      containers:
      - name: httpd
        image: rohitraut3366/web-server:latest
      # the pod gets the projected token and AWS_ROLE_ARN env for this account
      serviceAccountName: s3-access-test

Log in to the pod and install AWS CLI version 2 to test connectivity (replace pod-name with the pod's name):

kubectl exec -it pod/pod-name -- bash
yum install -y curl unzip
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip -o awscliv2.zip
./aws/install --update
aws s3 ls

LET’S AUTOMATE USING TERRAFORM_MODULE:

That’s all for this article, follow me for more interesting articles.

Thank you for reading…😇
