DEV Community: MD Nur Ahmed The latest articles on DEV Community by MD Nur Ahmed (@mdnurahmed). https://dev.to/mdnurahmed https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F535517%2Fed58f028-de19-4133-83bb-e42bb0d7f109.jpeg DEV Community: MD Nur Ahmed https://dev.to/mdnurahmed en Different Ways to Manage AWS IAM to Connect to an EKS Cluster MD Nur Ahmed Fri, 12 Dec 2025 11:45:13 +0000 https://dev.to/mdnurahmed/different-ways-to-manage-aws-iam-to-connect-to-an-eks-cluster-chp https://dev.to/mdnurahmed/different-ways-to-manage-aws-iam-to-connect-to-an-eks-cluster-chp <p>Managing access to Amazon EKS clusters can be confusing. Should you use IAM roles? What about service accounts? How do the new EKS Access Entries differ from the old aws-auth ConfigMap? If you've ever been overwhelmed by these questions, you're not alone.</p> <p>Think of EKS access management as the security checkpoint at an airport. IAM is your passport (authentication), and EKS access policies are your boarding pass (authorization). You need both to get on the plane, and different passengers need different levels of access.</p> <p>In this comprehensive guide, I'll walk you through everything you need to know about IAM for EKS, complete with <strong>four hands-on scenarios</strong> and working Terraform code you can deploy today.</p> <h2> What You'll Learn </h2> <ul> <li>✅ How IAM authentication and authorization works with EKS</li> <li>✅ The <strong>OLD WAY</strong> (aws-auth ConfigMap) vs <strong>NEW WAY</strong> (Access Entries)</li> <li>✅ Setting up developer access with read-only permissions</li> <li>✅ Configuring CI/CD pipelines (GitHub Actions, GitLab, Jenkins)</li> <li>✅ Implementing IRSA (IAM Roles for Service Accounts)</li> <li>✅ Production-ready best practices</li> </ul> <p><strong>GitHub Repository</strong>: <a href="https://github.com/mdnurahmed/aws-eks-iam-hands-on" rel="noopener noreferrer">eks-iam-hands-on</a></p> <p>All code examples in this post are fully tested and ready to deploy! 🚀</p> <h2> Table of Contents </h2> <ol> <li>Understanding IAM with EKS</li> <li>The Old Way vs The New Way</li> <li>Scenario 1: Basic EKS Cluster Setup</li> <li>Scenario 2: Developer Read-Only Access</li> <li>Scenario 3: CI/CD Pipeline Access</li> <li>Scenario 4: IRSA for Pods</li> <li>Best Practices</li> <li>Common Pitfalls</li> <li>Conclusion</li> </ol> <h2> Understanding IAM with EKS </h2> <p>Before diving into the code, let's understand how IAM works with EKS.</p> <h3> Two Layers of Access Control </h3> <p>EKS uses <strong>two separate layers</strong> of access control:</p> <h4> 1. AWS IAM (Authentication) </h4> <ul> <li><strong>"Who are you?"</strong></li> <li>Verifies your AWS identity</li> <li>Happens at the AWS API level</li> </ul> <h4> 2. Kubernetes RBAC (Authorization) </h4> <ul> <li><strong>"What can you do?"</strong></li> <li>Determines your permissions inside the cluster</li> <li>Happens at the Kubernetes API level </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────┐ │ User/Role/Service Account │ │ (Your AWS Identity) │ └────────────────┬─────────────────────────────────┘ │ ▼ ┌──────────────────────────────────────────────────┐ │ AWS IAM Layer │ │ ✓ Authenticated: You are who you say you are │ └────────────────┬─────────────────────────────────┘ │ ▼ ┌──────────────────────────────────────────────────┐ │ EKS Access Entry / aws-auth ConfigMap │ │ ✓ Mapped: Your IAM identity → K8s user/group │ └────────────────┬─────────────────────────────────┘ │ ▼ ┌──────────────────────────────────────────────────┐ │ Kubernetes RBAC │ │ ✓ Authorized: You can perform specific actions │ └──────────────────────────────────────────────────┘ </code></pre> </div> <h3> OIDC: The Bridge Between AWS and Kubernetes </h3> <p>For pods to access AWS services, EKS uses an OIDC (OpenID Connect) provider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Pod → Kubernetes Service Account → OIDC Token → IAM Role → AWS Service </code></pre> </div> <p>This eliminates the need for long-lived AWS credentials in your pods!</p> <h2> The Old Way vs The New Way </h2> <p>AWS recently introduced <strong>EKS Access Entries</strong> as a modern alternative to the <code>aws-auth</code> ConfigMap. Let's compare:</p> <h3> ❌ OLD WAY: aws-auth ConfigMap </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-auth</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kube-system</span> <span class="na">data</span><span class="pi">:</span> <span class="na">mapRoles</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- rolearn: arn:aws:iam::123456789012:role/DeveloperRole</span> <span class="s">username: developer</span> <span class="s">groups:</span> <span class="s">- system:masters # Too permissive!</span> <span class="na">mapUsers</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- userarn: arn:aws:iam::123456789012:user/alice</span> <span class="s">username: alice</span> <span class="s">groups:</span> <span class="s">- developers</span> </code></pre> </div> <p><strong>Problems:</strong></p> <ul> <li>😱 Manual YAML editing (error-prone)</li> <li>😱 Requires cluster access to modify</li> <li>😱 No fine-grained permission control</li> <li>😱 All-or-nothing access (system:masters or nothing)</li> <li>😱 Poor audit trail</li> </ul> <h3> ✅ NEW WAY: EKS Access Entries </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Create access entry</span> <span class="nx">resource</span> <span class="s2">"aws_eks_access_entry"</span> <span class="s2">"developer"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">principal_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">developer</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"STANDARD"</span> <span class="p">}</span> <span class="c1"># Associate managed access policy</span> <span class="nx">resource</span> <span class="s2">"aws_eks_access_policy_association"</span> <span class="s2">"developer"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">principal_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">developer</span><span class="p">.</span><span class="nx">arn</span> <span class="c1"># AWS-managed policy for read-only access</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"</span> <span class="nx">access_scope</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"namespace"</span> <span class="c1"># Limit to specific namespaces!</span> <span class="nx">namespaces</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"dev"</span><span class="p">,</span> <span class="s2">"staging"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Benefits:</strong></p> <ul> <li>✅ Infrastructure as Code friendly</li> <li>✅ AWS-managed policies</li> <li>✅ API-driven (no ConfigMap editing)</li> <li>✅ Fine-grained permissions</li> <li>✅ Namespace-scoped access</li> <li>✅ Better audit via CloudTrail</li> <li>✅ No cluster access needed</li> </ul> <h3> AWS Managed Access Policies </h3> <p>AWS provides three managed policies:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Policy</th> <th>Kubernetes Equivalent</th> <th>Use Case</th> </tr> </thead> <tbody> <tr> <td><code>AmazonEKSClusterAdminPolicy</code></td> <td><code>cluster-admin</code></td> <td>Full cluster access</td> </tr> <tr> <td><code>AmazonEKSAdminPolicy</code></td> <td><code>admin</code></td> <td>Admin without cluster-scoped resources</td> </tr> <tr> <td><code>AmazonEKSEditPolicy</code></td> <td><code>edit</code></td> <td>Create/update resources</td> </tr> <tr> <td><code>AmazonEKSViewPolicy</code></td> <td><code>view</code></td> <td>Read-only access</td> </tr> </tbody> </table></div> <h2> Scenario 1: Basic EKS Cluster Setup </h2> <p>Let's start by creating an EKS cluster using the <strong>new Access Entry API</strong>.</p> <h3> Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────┐ │ AWS Account │ │ │ │ ┌────────────────┐ ┌────────────────────┐ │ │ │ Admin Role │────────▶│ EKS Cluster │ │ │ │ (Your IAM) │ Access │ + OIDC Provider │ │ │ └────────────────┘ Entry │ + Node Group │ │ │ └────────────────────┘ │ └─────────────────────────────────────────────────────┘ </code></pre> </div> <h3> Step 1: Create the EKS Cluster </h3> <p>Create <code>main.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># VPC for EKS</span> <span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-eks-vpc"</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">azs</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"us-east-1a"</span><span class="p">,</span> <span class="s2">"us-east-1b"</span><span class="p">,</span> <span class="s2">"us-east-1c"</span><span class="p">]</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.1.0/24"</span><span class="p">,</span> <span class="s2">"10.0.2.0/24"</span><span class="p">,</span> <span class="s2">"10.0.3.0/24"</span><span class="p">]</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.101.0/24"</span><span class="p">,</span> <span class="s2">"10.0.102.0/24"</span><span class="p">,</span> <span class="s2">"10.0.103.0/24"</span><span class="p">]</span> <span class="nx">enable_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">single_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Required tags for EKS</span> <span class="nx">public_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="p">}</span> <span class="nx">private_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># IAM Role for EKS Cluster</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"eks_cluster_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-eks-cluster-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"eks.amazonaws.com"</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Attach required policies</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"eks_cluster_policy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_cluster_role</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="c1"># EKS Cluster with Access Entry API</span> <span class="nx">resource</span> <span class="s2">"aws_eks_cluster"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-eks-cluster"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_cluster_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.28"</span> <span class="nx">vpc_config</span> <span class="p">{</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">concat</span><span class="p">(</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span><span class="p">,</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">public_subnets</span> <span class="p">)</span> <span class="p">}</span> <span class="c1"># 🎯 KEY: Enable the new Access Entry API</span> <span class="nx">access_config</span> <span class="p">{</span> <span class="nx">authentication_mode</span> <span class="p">=</span> <span class="s2">"API_AND_CONFIG_MAP"</span> <span class="c1"># Supports both</span> <span class="nx">bootstrap_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_iam_role_policy_attachment</span><span class="p">.</span><span class="nx">eks_cluster_policy</span> <span class="p">]</span> <span class="p">}</span> <span class="c1"># Node Group</span> <span class="nx">resource</span> <span class="s2">"aws_eks_node_group"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">node_group_name</span> <span class="p">=</span> <span class="s2">"demo-node-group"</span> <span class="nx">node_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_node_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">scaling_config</span> <span class="p">{</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.medium"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Step 2: Create Admin Access </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># IAM Role for Admin Access</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"cluster_admin"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-eks-admin-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># 🎯 NEW: Create Access Entry</span> <span class="nx">resource</span> <span class="s2">"aws_eks_access_entry"</span> <span class="s2">"admin"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">principal_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">cluster_admin</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"STANDARD"</span> <span class="p">}</span> <span class="c1"># 🎯 NEW: Associate Admin Policy</span> <span class="nx">resource</span> <span class="s2">"aws_eks_access_policy_association"</span> <span class="s2">"admin"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">principal_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">cluster_admin</span><span class="p">.</span><span class="nx">arn</span> <span class="c1"># Grants full cluster admin access</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"</span> <span class="nx">access_scope</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"cluster"</span> <span class="c1"># Full cluster access</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Step 3: Deploy and Test </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Initialize and apply</span> terraform init terraform apply <span class="c"># Configure kubectl</span> aws eks update-kubeconfig <span class="nt">--region</span> us-east-1 <span class="nt">--name</span> demo-eks-cluster <span class="c"># Test access</span> kubectl get nodes kubectl get pods <span class="nt">-A</span> </code></pre> </div> <p><strong>Why This Works:</strong></p> <ol> <li>The cluster creator gets automatic admin access</li> <li>Additional admins are granted via Access Entry</li> <li>No manual ConfigMap editing required!</li> </ol> <p><strong>Full code:</strong> <a href="https://github.com/mdnurahmed/aws-eks-iam-hands-on/tree/main/scenario-1-basic-eks" rel="noopener noreferrer">scenario-1-basic-eks/</a></p> <h2> Scenario 2: Developer Read-Only Access </h2> <p>Now let's grant a developer <strong>read-only</strong> access to specific namespaces.</p> <h3> Use Case </h3> <ul> <li>Junior developers need to view pods and logs</li> <li>No permission to create/delete resources</li> <li>Limited to <code>dev</code> and <code>staging</code> namespaces only</li> </ul> <h3> Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────┐ │ Developer │ │ (IAM User/Role) │ └────────────┬─────────────────────────────────────┘ │ sts:AssumeRole ▼ ┌──────────────────────────────────────────────────┐ │ Developer IAM Role │ │ + EKS Describe permissions │ └────────────┬─────────────────────────────────────┘ │ Access Entry ▼ ┌──────────────────────────────────────────────────┐ │ EKS Cluster │ │ Policy: AmazonEKSViewPolicy │ │ Scope: namespaces [dev, staging] │ └──────────────────────────────────────────────────┘ </code></pre> </div> <h3> Implementation </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># IAM Role for Developers</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"developer"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-eks-developer-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">developer_principal_arns</span> <span class="p">}</span> <span class="c1"># 🔒 Security: Require External ID</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"sts:ExternalId"</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">external_id</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># IAM Policy for EKS API Access</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"eks_describe"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-eks-developer-describe-policy"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"eks:DescribeCluster"</span><span class="p">,</span> <span class="s2">"eks:ListClusters"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"developer_eks_describe"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">developer</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">eks_describe</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="c1"># 🎯 Access Entry for Developer</span> <span class="nx">resource</span> <span class="s2">"aws_eks_access_entry"</span> <span class="s2">"developer"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">principal_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">developer</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"STANDARD"</span> <span class="p">}</span> <span class="c1"># 🎯 Grant Read-Only Access (Namespace-Scoped)</span> <span class="nx">resource</span> <span class="s2">"aws_eks_access_policy_association"</span> <span class="s2">"developer"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">principal_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">developer</span><span class="p">.</span><span class="nx">arn</span> <span class="c1"># View-only policy</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"</span> <span class="nx">access_scope</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"namespace"</span> <span class="nx">namespaces</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"dev"</span><span class="p">,</span> <span class="s2">"staging"</span><span class="p">]</span> <span class="c1"># Limited scope!</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Testing Read-Only Access </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Assume developer role</span> aws sts assume-role <span class="se">\</span> <span class="nt">--role-arn</span> arn:aws:iam::123456789012:role/demo-eks-developer-role <span class="se">\</span> <span class="nt">--role-session-name</span> dev-session <span class="se">\</span> <span class="nt">--external-id</span> my-external-id <span class="c"># Export credentials</span> <span class="nb">export </span><span class="nv">AWS_ACCESS_KEY_ID</span><span class="o">=</span><span class="s2">"..."</span> <span class="nb">export </span><span class="nv">AWS_SECRET_ACCESS_KEY</span><span class="o">=</span><span class="s2">"..."</span> <span class="nb">export </span><span class="nv">AWS_SESSION_TOKEN</span><span class="o">=</span><span class="s2">"..."</span> <span class="c"># Update kubeconfig</span> aws eks update-kubeconfig <span class="nt">--region</span> us-east-1 <span class="nt">--name</span> demo-eks-cluster <span class="c"># These should WORK ✅</span> kubectl get pods <span class="nt">-n</span> dev kubectl get pods <span class="nt">-n</span> staging kubectl describe node &lt;node-name&gt; kubectl logs &lt;pod-name&gt; <span class="nt">-n</span> dev <span class="c"># These should FAIL ❌</span> kubectl create deployment <span class="nb">test</span> <span class="nt">--image</span><span class="o">=</span>nginx <span class="nt">-n</span> dev <span class="c"># Error: deployments.apps is forbidden</span> kubectl delete pod &lt;pod-name&gt; <span class="nt">-n</span> dev <span class="c"># Error: pods is forbidden</span> kubectl get pods <span class="nt">-n</span> production <span class="c"># Error: pods is forbidden (wrong namespace)</span> </code></pre> </div> <h3> What Makes This Secure? </h3> <ol> <li> <strong>External ID</strong>: Prevents confused deputy problem</li> <li> <strong>Namespace-scoped</strong>: Can't access production</li> <li> <strong>Read-only</strong>: Can't modify anything</li> <li> <strong>No long-lived credentials</strong>: Must assume role each time</li> </ol> <p><strong>Full code:</strong> <a href="https://github.com/mdnurahmed/aws-eks-iam-hands-on/tree/main/scenario-2-developer-access" rel="noopener noreferrer">scenario-2-developer-access/</a></p> <h2> Scenario 3: CI/CD Pipeline Access </h2> <p>Modern CI/CD systems need to deploy to EKS. Let's configure <strong>GitHub Actions</strong>, <strong>GitLab CI</strong>, and <strong>Jenkins</strong>.</p> <h3> Why OIDC for CI/CD? </h3> <p>❌ <strong>Old way</strong>: Store long-lived AWS access keys as secrets<br> ✅ <strong>New way</strong>: Use OIDC tokens (no credentials stored!)</p> <h3> GitHub Actions with OIDC </h3> <h4> Architecture </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌────────────────────────────────────────────────┐ │ GitHub Actions Workflow │ │ (Repository: org/repo) │ └──────────────┬─────────────────────────────────┘ │ OIDC Token ▼ ┌────────────────────────────────────────────────┐ │ GitHub OIDC Provider (AWS IAM) │ │ token.actions.githubusercontent.com │ └──────────────┬─────────────────────────────────┘ │ Trust Relationship ▼ ┌────────────────────────────────────────────────┐ │ GitHub Actions IAM Role │ │ + EKS Admin Access Entry │ └──────────────┬─────────────────────────────────┘ │ ▼ ┌────────────────────────────────────────────────┐ │ EKS Cluster - Deploy Application │ └────────────────────────────────────────────────┘ </code></pre> </div> <h4> Step 1: Create OIDC Provider </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># GitHub OIDC Provider</span> <span class="nx">resource</span> <span class="s2">"aws_iam_openid_connect_provider"</span> <span class="s2">"github_actions"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"https://token.actions.githubusercontent.com"</span> <span class="nx">client_id_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts.amazonaws.com"</span><span class="p">]</span> <span class="c1"># GitHub's SSL certificate thumbprints</span> <span class="nx">thumbprint_list</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"6938fd4d98bab03faadb97b34396831e3780aea1"</span><span class="p">,</span> <span class="s2">"1c58a3a8518e8759bf075b76b750d4f2df264fcd"</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h4> Step 2: Create IAM Role </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># IAM Role for GitHub Actions</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"github_actions"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-eks-github-actions-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Federated</span> <span class="p">=</span> <span class="nx">aws_iam_openid_connect_provider</span><span class="p">.</span><span class="nx">github_actions</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRoleWithWebIdentity"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"token.actions.githubusercontent.com:aud"</span> <span class="p">=</span> <span class="s2">"sts.amazonaws.com"</span> <span class="p">}</span> <span class="c1"># 🔒 Restrict to specific repositories</span> <span class="nx">StringLike</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"token.actions.githubusercontent.com:sub"</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"repo:your-org/your-repo:*"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Grant EKS access</span> <span class="nx">resource</span> <span class="s2">"aws_eks_access_entry"</span> <span class="s2">"github_actions"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">principal_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">github_actions</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"STANDARD"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_eks_access_policy_association"</span> <span class="s2">"github_actions"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">principal_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">github_actions</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"</span> <span class="nx">access_scope</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"cluster"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> Step 3: GitHub Workflow </h4> <p><code>.github/workflows/deploy.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to EKS</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="c1"># 🎯 KEY: Request OIDC token</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="c1"># 🎯 Configure AWS credentials via OIDC (no keys!)</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ROLE_ARN }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="c1"># Now you have AWS access!</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update kubeconfig</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws eks update-kubeconfig \</span> <span class="s">--region us-east-1 \</span> <span class="s">--name demo-eks-cluster</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">kubectl apply -f k8s/</span> <span class="s">kubectl rollout status deployment/my-app</span> </code></pre> </div> <h3> GitLab CI with OIDC </h3> <p><code>.gitlab-ci.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">deploy</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">deploy</span> <span class="na">image</span><span class="pi">:</span> <span class="s">amazon/aws-cli:latest</span> <span class="na">id_tokens</span><span class="pi">:</span> <span class="na">GITLAB_OIDC_TOKEN</span><span class="pi">:</span> <span class="na">aud</span><span class="pi">:</span> <span class="s">https://gitlab.com</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">&gt;</span> <span class="s">export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s"</span> <span class="s">$(aws sts assume-role-with-web-identity</span> <span class="s">--role-arn ${ROLE_ARN}</span> <span class="s">--role-session-name "gitlab-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"</span> <span class="s">--web-identity-token ${GITLAB_OIDC_TOKEN}</span> <span class="s">--query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'</span> <span class="s">--output text))</span> <span class="pi">-</span> <span class="s">aws eks update-kubeconfig --region us-east-1 --name demo-eks-cluster</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">kubectl apply -f k8s/</span> <span class="na">only</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> </code></pre> </div> <h3> Jenkins (Traditional Approach) </h3> <p>For Jenkins, use role assumption with External ID:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">pipeline</span> <span class="o">{</span> <span class="n">agent</span> <span class="n">any</span> <span class="n">environment</span> <span class="o">{</span> <span class="n">ROLE_ARN</span> <span class="o">=</span> <span class="s1">'arn:aws:iam::123456789012:role/jenkins-eks-role'</span> <span class="n">EXTERNAL_ID</span> <span class="o">=</span> <span class="s1">'jenkins-external-id'</span> <span class="o">}</span> <span class="n">stages</span> <span class="o">{</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Deploy to EKS'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="c1">// Assume role</span> <span class="kt">def</span> <span class="n">creds</span> <span class="o">=</span> <span class="n">sh</span><span class="o">(</span> <span class="nl">script:</span> <span class="s2">""" aws sts assume-role \ --role-arn ${ROLE_ARN} \ --role-session-name jenkins-${BUILD_NUMBER} \ --external-id ${EXTERNAL_ID} \ --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \ --output text """</span><span class="o">,</span> <span class="nl">returnStdout:</span> <span class="kc">true</span> <span class="o">).</span><span class="na">trim</span><span class="o">().</span><span class="na">split</span><span class="o">()</span> <span class="n">env</span><span class="o">.</span><span class="na">AWS_ACCESS_KEY_ID</span> <span class="o">=</span> <span class="n">creds</span><span class="o">[</span><span class="mi">0</span><span class="o">]</span> <span class="n">env</span><span class="o">.</span><span class="na">AWS_SECRET_ACCESS_KEY</span> <span class="o">=</span> <span class="n">creds</span><span class="o">[</span><span class="mi">1</span><span class="o">]</span> <span class="n">env</span><span class="o">.</span><span class="na">AWS_SESSION_TOKEN</span> <span class="o">=</span> <span class="n">creds</span><span class="o">[</span><span class="mi">2</span><span class="o">]</span> <span class="o">}</span> <span class="n">sh</span> <span class="s1">''' aws eks update-kubeconfig --name demo-eks-cluster kubectl apply -f k8s/ '''</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p><strong>Full code:</strong> <a href="https://github.com/mdnurahmed/aws-eks-iam-hands-on/tree/main/scenario-3-cicd-access" rel="noopener noreferrer">scenario-3-cicd-access/</a></p> <h2> Scenario 4: IRSA for Pods </h2> <p>The crown jewel of EKS IAM: <strong>IAM Roles for Service Accounts (IRSA)</strong>.</p> <h3> The Problem </h3> <p>How do pods access AWS services (S3, DynamoDB, etc.) securely?</p> <p>❌ <strong>Bad</strong>: Put credentials in environment variables<br> ❌ <strong>Bad</strong>: Use EC2 instance profile (all pods share permissions)<br> ✅ <strong>Good</strong>: IRSA (each pod gets its own IAM role)</p> <h3> How IRSA Works </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌───────────────────────────────────────────────────┐ │ Pod │ │ ServiceAccount: s3-access-sa │ │ ↓ │ │ Environment Variables (injected by EKS): │ │ - AWS_ROLE_ARN=arn:aws:iam::123456789012:role/s3│ │ - AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets...│ └────────────────┬──────────────────────────────────┘ │ ▼ ┌──────────────────────────────────────────────────┐ │ EKS OIDC Provider │ │ oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E │ └────────────────┬──────────────────────────────────┘ │ Validates token ▼ ┌──────────────────────────────────────────────────┐ │ IAM Role (s3-access-role) │ │ Trust Policy: Only this ServiceAccount │ └────────────────┬──────────────────────────────────┘ │ ▼ ┌──────────────────────────────────────────────────┐ │ S3 Bucket │ │ ✅ Pod can access! │ └──────────────────────────────────────────────────┘ </code></pre> </div> <h3> Step 1: Create OIDC Provider </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Get OIDC provider details from EKS</span> <span class="nx">data</span> <span class="s2">"tls_certificate"</span> <span class="s2">"cluster"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">identity</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">oidc</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">issuer</span> <span class="p">}</span> <span class="c1"># Create OIDC provider</span> <span class="nx">resource</span> <span class="s2">"aws_iam_openid_connect_provider"</span> <span class="s2">"cluster"</span> <span class="p">{</span> <span class="nx">client_id_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts.amazonaws.com"</span><span class="p">]</span> <span class="nx">thumbprint_list</span> <span class="p">=</span> <span class="p">[</span><span class="nx">data</span><span class="p">.</span><span class="nx">tls_certificate</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">certificates</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">sha1_fingerprint</span><span class="p">]</span> <span class="nx">url</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">identity</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">oidc</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">issuer</span> <span class="p">}</span> </code></pre> </div> <h3> Step 2: Create S3 Bucket and IAM Role </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># S3 bucket for app</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"app_data"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"demo-eks-app-data"</span> <span class="p">}</span> <span class="c1"># IAM Role for pods</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"s3_access"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-eks-s3-access-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Federated</span> <span class="p">=</span> <span class="nx">aws_iam_openid_connect_provider</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRoleWithWebIdentity"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="c1"># 🔒 Only allow specific ServiceAccount</span> <span class="s2">"${local.oidc_provider_url}:sub"</span> <span class="p">=</span> <span class="s2">"system:serviceaccount:app:s3-access-sa"</span> <span class="s2">"${local.oidc_provider_url}:aud"</span> <span class="p">=</span> <span class="s2">"sts.amazonaws.com"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># S3 access policy</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"s3_access"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-eks-s3-access-policy"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:GetObject"</span><span class="p">,</span> <span class="s2">"s3:PutObject"</span><span class="p">,</span> <span class="s2">"s3:ListBucket"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">app_data</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="s2">"${aws_s3_bucket.app_data.arn}/*"</span> <span class="p">]</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"s3_access"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">s3_access</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">s3_access</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <h3> Step 3: Create Kubernetes ServiceAccount </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"kubernetes_service_account"</span> <span class="s2">"s3_access"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"s3-access-sa"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"app"</span> <span class="c1"># 🎯 This annotation links SA to IAM role</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"eks.amazonaws.com/role-arn"</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">s3_access</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Step 4: Deploy Pod Using ServiceAccount </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">s3-test-pod</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">s3-access-sa</span> <span class="c1"># 🎯 Use the ServiceAccount</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">amazon/aws-cli:latest</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">sleep"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">3600"</span><span class="pi">]</span> </code></pre> </div> <h3> Step 5: Test IRSA </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Deploy the pod</span> kubectl apply <span class="nt">-f</span> pod.yaml <span class="c"># Check environment variables (injected by EKS)</span> kubectl <span class="nb">exec</span> <span class="nt">-it</span> s3-test-pod <span class="nt">-n</span> app <span class="nt">--</span> <span class="nb">env</span> | <span class="nb">grep </span>AWS <span class="c"># Output:</span> <span class="c"># AWS_ROLE_ARN=arn:aws:iam::123456789012:role/demo-eks-s3-access-role</span> <span class="c"># AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token</span> <span class="c"># Test S3 access</span> kubectl <span class="nb">exec</span> <span class="nt">-it</span> s3-test-pod <span class="nt">-n</span> app <span class="nt">--</span> <span class="se">\</span> aws s3 <span class="nb">ls </span>s3://demo-eks-app-data/ <span class="c"># Upload a file</span> kubectl <span class="nb">exec</span> <span class="nt">-it</span> s3-test-pod <span class="nt">-n</span> app <span class="nt">--</span> <span class="se">\</span> aws s3 <span class="nb">cp</span> /etc/hostname s3://demo-eks-app-data/test.txt <span class="c"># ✅ It works!</span> <span class="c"># Try to access a different bucket (should fail)</span> kubectl <span class="nb">exec</span> <span class="nt">-it</span> s3-test-pod <span class="nt">-n</span> app <span class="nt">--</span> <span class="se">\</span> aws s3 <span class="nb">ls </span>s3://some-other-bucket/ <span class="c"># ❌ Error: Access Denied (as expected!)</span> </code></pre> </div> <h3> Real Application Example </h3> <p>Here's a Flask app that uses IRSA:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">jsonify</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="c1"># boto3 automatically uses IRSA credentials! </span><span class="n">s3_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">s3</span><span class="sh">'</span><span class="p">)</span> <span class="n">BUCKET</span> <span class="o">=</span> <span class="sh">'</span><span class="s">demo-eks-app-data</span><span class="sh">'</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/files</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">list_files</span><span class="p">():</span> <span class="sh">"""</span><span class="s">List files in S3 bucket</span><span class="sh">"""</span> <span class="n">response</span> <span class="o">=</span> <span class="n">s3_client</span><span class="p">.</span><span class="nf">list_objects_v2</span><span class="p">(</span><span class="n">Bucket</span><span class="o">=</span><span class="n">BUCKET</span><span class="p">)</span> <span class="n">files</span> <span class="o">=</span> <span class="p">[</span><span class="n">obj</span><span class="p">[</span><span class="sh">'</span><span class="s">Key</span><span class="sh">'</span><span class="p">]</span> <span class="k">for</span> <span class="n">obj</span> <span class="ow">in</span> <span class="n">response</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Contents</span><span class="sh">'</span><span class="p">,</span> <span class="p">[])]</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">files</span><span class="sh">'</span><span class="p">:</span> <span class="n">files</span><span class="p">})</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/upload/&lt;filename&gt;</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">upload_file</span><span class="p">(</span><span class="n">filename</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Upload a file to S3</span><span class="sh">"""</span> <span class="n">s3_client</span><span class="p">.</span><span class="nf">put_object</span><span class="p">(</span> <span class="n">Bucket</span><span class="o">=</span><span class="n">BUCKET</span><span class="p">,</span> <span class="n">Key</span><span class="o">=</span><span class="n">filename</span><span class="p">,</span> <span class="n">Body</span><span class="o">=</span><span class="sa">b</span><span class="sh">'</span><span class="s">Hello from IRSA!</span><span class="sh">'</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">'</span><span class="s">message</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">'</span><span class="s">Uploaded </span><span class="si">{</span><span class="n">filename</span><span class="si">}</span><span class="sh">'</span><span class="p">})</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">'</span><span class="s">__main__</span><span class="sh">'</span><span class="p">:</span> <span class="n">app</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="sh">'</span><span class="s">0.0.0.0</span><span class="sh">'</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">8080</span><span class="p">)</span> </code></pre> </div> <p><strong>Key points:</strong></p> <ul> <li>No AWS credentials in code!</li> <li> <code>boto3</code> automatically uses IRSA</li> <li>Each pod can have different permissions</li> </ul> <p><strong>Full code:</strong> <a href="https://github.com/mdnurahmed/aws-eks-iam-hands-on/tree/main/scenario-4-irsa" rel="noopener noreferrer">scenario-4-irsa/</a></p> <h2> Best Practices </h2> <h3> 1. Use the New Access Entry API </h3> <p>✅ <strong>Do:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_eks_access_entry"</span> <span class="s2">"developer"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">principal_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">developer</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <p>❌ <strong>Don't:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Manual aws-auth ConfigMap editing</span> </code></pre> </div> <h3> 2. Principle of Least Privilege </h3> <p>✅ <strong>Do:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Specific resources only</span> <span class="nx">Resource</span> <span class="err">=</span> <span class="p">[</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="s2">"${aws_s3_bucket.app.arn}/*"</span> <span class="p">]</span> </code></pre> </div> <p>❌ <strong>Don't:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Wildcard access</span> <span class="nx">Resource</span> <span class="err">=</span> <span class="s2">"*"</span> </code></pre> </div> <h3> 3. Use Namespace-Scoped Access </h3> <p>✅ <strong>Do:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">access_scope</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"namespace"</span> <span class="nx">namespaces</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"dev"</span><span class="p">,</span> <span class="s2">"staging"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>❌ <strong>Don't:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Give everyone cluster-wide access</span> <span class="nx">access_scope</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"cluster"</span> <span class="p">}</span> </code></pre> </div> <h3> 4. Enable CloudTrail Logging </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_cloudtrail"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"eks-audit-trail"</span> <span class="nx">s3_bucket_name</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">cloudtrail</span><span class="p">.</span><span class="nx">id</span> <span class="nx">event_selector</span> <span class="p">{</span> <span class="nx">read_write_type</span> <span class="p">=</span> <span class="s2">"All"</span> <span class="nx">include_management_events</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 5. Use OIDC for CI/CD </h3> <p>✅ <strong>Do:</strong> GitHub Actions/GitLab with OIDC<br> ❌ <strong>Don't:</strong> Store long-lived access keys</p> <h3> 6. Implement Session Limits </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"developer"</span> <span class="p">{</span> <span class="c1"># Limit session duration</span> <span class="nx">max_session_duration</span> <span class="p">=</span> <span class="mi">3600</span> <span class="c1"># 1 hour</span> <span class="p">}</span> </code></pre> </div> <h3> 7. Require MFA for Production </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">Condition</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">Bool</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"aws:MultiFactorAuthPresent"</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 8. Use External IDs </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">Condition</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"sts:ExternalId"</span> <span class="p">=</span> <span class="s2">"unique-external-id"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Common Pitfalls </h2> <h3> 1. Forgetting to Bootstrap Cluster Creator </h3> <p>❌ <strong>Problem:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Cluster creator has no access!</span> <span class="nx">access_config</span> <span class="p">{</span> <span class="nx">bootstrap_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> </code></pre> </div> <p>✅ <strong>Solution:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">access_config</span> <span class="p">{</span> <span class="nx">bootstrap_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <h3> 2. Wrong OIDC Provider Thumbprint </h3> <p>❌ <strong>Problem:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Error: InvalidIdentityToken </code></pre> </div> <p>✅ <strong>Solution:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Get correct thumbprint</span> openssl s_client <span class="nt">-servername</span> oidc.eks.us-east-1.amazonaws.com <span class="se">\</span> <span class="nt">-showcerts</span> <span class="nt">-connect</span> oidc.eks.us-east-1.amazonaws.com:443 2&gt;&amp;- <span class="se">\</span> | openssl x509 <span class="nt">-fingerprint</span> <span class="nt">-sha1</span> <span class="nt">-noout</span> <span class="nt">-in</span> /dev/stdin </code></pre> </div> <h3> 3. ServiceAccount Annotation Typo </h3> <p>❌ <strong>Problem:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">annotations</span><span class="pi">:</span> <span class="na">eks.amazonaws.com/role-arn</span><span class="pi">:</span> <span class="s">arn:aws:iam::123456789012:role/wrong-role</span> </code></pre> </div> <p>✅ <strong>Solution:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Verify with Terraform output</span> terraform output s3_role_arn </code></pre> </div> <h3> 4. Overly Permissive Policies </h3> <p>❌ <strong>Problem:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">Action</span> <span class="err">=</span> <span class="s2">"*"</span> <span class="nx">Resource</span> <span class="err">=</span> <span class="s2">"*"</span> </code></pre> </div> <p>✅ <strong>Solution:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">Action</span> <span class="err">=</span> <span class="p">[</span> <span class="s2">"s3:GetObject"</span><span class="p">,</span> <span class="s2">"s3:PutObject"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="err">=</span> <span class="s2">"${aws_s3_bucket.app.arn}/*"</span> </code></pre> </div> <h3> 5. Not Testing Denied Actions </h3> <p>✅ <strong>Always test that restricted actions fail:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Should succeed</span> kubectl get pods <span class="nt">-n</span> dev <span class="c"># Should fail</span> kubectl delete pod <span class="nb">test</span> <span class="nt">-n</span> dev </code></pre> </div> <h2> Troubleshooting Guide </h2> <h3> Issue: "You must be logged in to the server (Unauthorized)" </h3> <p><strong>Check:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Verify AWS credentials</span> aws sts get-caller-identity <span class="c"># Update kubeconfig</span> aws eks update-kubeconfig <span class="nt">--region</span> us-east-1 <span class="nt">--name</span> demo-eks-cluster <span class="c"># Check access entry exists</span> aws eks describe-access-entry <span class="se">\</span> <span class="nt">--cluster-name</span> demo-eks-cluster <span class="se">\</span> <span class="nt">--principal-arn</span> &lt;your-role-arn&gt; </code></pre> </div> <h3> Issue: IRSA Not Working </h3> <p><strong>Check:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Verify OIDC provider exists</span> aws iam list-open-id-connect-providers <span class="c"># Check ServiceAccount annotation</span> kubectl get sa s3-access-sa <span class="nt">-n</span> app <span class="nt">-o</span> yaml <span class="c"># Verify pod has environment variables</span> kubectl <span class="nb">exec</span> <span class="nt">-it</span> &lt;pod&gt; <span class="nt">-n</span> app <span class="nt">--</span> <span class="nb">env</span> | <span class="nb">grep </span>AWS <span class="c"># Check token file exists</span> kubectl <span class="nb">exec</span> <span class="nt">-it</span> &lt;pod&gt; <span class="nt">-n</span> app <span class="nt">--</span> <span class="nb">cat</span> /var/run/secrets/eks.amazonaws.com/serviceaccount/token </code></pre> </div> <h3> Issue: Access Denied </h3> <p><strong>Check:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Get caller identity from pod</span> kubectl <span class="nb">exec</span> <span class="nt">-it</span> &lt;pod&gt; <span class="nt">--</span> aws sts get-caller-identity <span class="c"># Check IAM role trust policy</span> aws iam get-role <span class="nt">--role-name</span> &lt;role-name&gt; <span class="c"># Check attached policies</span> aws iam list-attached-role-policies <span class="nt">--role-name</span> &lt;role-name&gt; </code></pre> </div> <h2> Conclusion </h2> <p>We've covered a lot! Here's what you learned:</p> <p>✅ <strong>Understanding</strong>: How IAM works with EKS (authentication vs authorization)<br> ✅ <strong>New API</strong>: EKS Access Entries vs aws-auth ConfigMap<br> ✅ <strong>Scenarios</strong>: 4 practical, production-ready examples<br> ✅ <strong>IRSA</strong>: The secure way for pods to access AWS services<br> ✅ <strong>CI/CD</strong>: OIDC-based authentication for GitHub, GitLab, Jenkins<br> ✅ <strong>Best Practices</strong>: Security, least privilege, and troubleshooting</p> <h3> Next Steps </h3> <ol> <li> <strong>Clone the repo</strong>: <a href="https://github.com/mdnurahmed/aws-eks-iam-hands-on" rel="noopener noreferrer">eks-iam-hands-on</a> </li> <li> <strong>Start with Scenario 1</strong>: Get a cluster running</li> <li> <strong>Experiment</strong>: Try different access policies</li> <li> <strong>Deploy the sample app</strong>: See IRSA in action</li> <li> <strong>Adapt for production</strong>: Use these patterns in real projects</li> </ol> <h3> Additional Resources </h3> <ul> <li><a href="https://aws.github.io/aws-eks-best-practices/" rel="noopener noreferrer">EKS Best Practices Guide</a></li> <li><a href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html" rel="noopener noreferrer">IAM Roles for Service Accounts</a></li> <li><a href="https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html" rel="noopener noreferrer">EKS Access Entries</a></li> </ul> <h3> What challenges have you faced with EKS IAM? </h3> <p>Share your experiences in the comments! If this guide helped you, give it a ❤️ and share with your team.</p> <p><strong>Happy Kuberneting!</strong> 🚀</p> <p><em>Found this helpful? Follow me for more AWS and Kubernetes content!</em></p> <p><strong>Connect:</strong></p> <ul> <li>GitHub: <a href="https://github.com/mdnurahmed" rel="noopener noreferrer">@mdnurahmed</a> </li> <li>LinkedIn: <a href="https://www.linkedin.com/in/nur-ahmed/" rel="noopener noreferrer">nur-ahmed</a> </li> </ul> aws kubernetes iam eks Mastering AWS IAM: A Complete Guide with Hands-On Scenarios MD Nur Ahmed Fri, 12 Dec 2025 10:56:57 +0000 https://dev.to/mdnurahmed/mastering-aws-iam-a-complete-guide-with-hands-on-scenarios-2c47 https://dev.to/mdnurahmed/mastering-aws-iam-a-complete-guide-with-hands-on-scenarios-2c47 <h1> Mastering AWS IAM: A Complete Guide with Hands-On Scenarios </h1> <p>AWS Identity and Access Management (IAM) is the backbone of security in AWS. Whether you're deploying your first Lambda function or architecting a multi-account enterprise solution, understanding IAM is crucial. In this comprehensive guide, I'll walk you through different types of IAM identities, policies, and real-world scenarios with practical Terraform examples.</p> <h2> What is AWS IAM? </h2> <p>AWS IAM is a web service that helps you securely control access to AWS resources. It enables you to manage authentication (who can sign in) and authorization (what actions they can perform) across your AWS infrastructure.</p> <p>Think of IAM as the security guard of your AWS account. It decides:</p> <ul> <li> <strong>Who</strong> can access your resources (authentication)</li> <li> <strong>What</strong> they can do with those resources (authorization)</li> <li> <strong>When</strong> and <strong>where</strong> they can access them (conditions)</li> </ul> <h2> Core IAM Components </h2> <h3> 1. <strong>IAM Users</strong> </h3> <p>Individual identities with long-term credentials. Best suited for:</p> <ul> <li>Human users who need console or CLI access</li> <li>Applications that require permanent credentials (though roles are preferred)</li> <li>Service accounts for third-party integrations</li> </ul> <h3> 2. <strong>IAM Groups</strong> </h3> <p>Collections of users with similar permissions. Groups help you:</p> <ul> <li>Manage permissions at scale</li> <li>Apply consistent policies across teams</li> <li>Simplify user onboarding and offboarding</li> </ul> <h3> 3. <strong>IAM Roles</strong> </h3> <p>Temporary identities that can be assumed by users, applications, or AWS services. Roles are perfect for:</p> <ul> <li>AWS services (Lambda, EC2, ECS)</li> <li>Cross-account access</li> <li>Federated users</li> <li>Applications running on AWS</li> </ul> <h3> 4. <strong>IAM Policies</strong> </h3> <p>JSON documents that define permissions. Types include:</p> <ul> <li> <strong>Identity-based policies</strong>: Attached to users, groups, or roles</li> <li> <strong>Resource-based policies</strong>: Attached to resources like S3 buckets</li> <li> <strong>Permission boundaries</strong>: Set maximum permissions</li> <li> <strong>Service Control Policies (SCPs)</strong>: Applied at the AWS Organizations level</li> </ul> <h2> IAM Best Practices </h2> <p>Before diving into scenarios, here are critical best practices:</p> <ol> <li> <strong>Follow the Principle of Least Privilege</strong>: Grant only the permissions required to perform a task</li> <li> <strong>Use Roles Instead of Users for Applications</strong>: Roles provide temporary credentials that rotate automatically</li> <li> <strong>Enable MFA for Privileged Users</strong>: Add an extra layer of security</li> <li> <strong>Regularly Rotate Credentials</strong>: Change passwords and access keys periodically</li> <li> <strong>Use Policy Conditions</strong>: Add constraints like IP address ranges or time windows</li> <li> <strong>Monitor with CloudTrail</strong>: Keep audit logs of all IAM actions</li> <li> <strong>Avoid Using Root Account</strong>: Create IAM users for daily operations</li> </ol> <h2> Real-World IAM Scenarios </h2> <p>Let me walk you through practical scenarios that you'll encounter in production environments. All the code examples are available in my <a href="https://github.com/mdnurahmed/aws-iam-hands-ons" rel="noopener noreferrer">AWS IAM Hands-On Repository</a>.</p> <h3> Scenario 1: Lambda Function with S3 Access </h3> <p><strong>Use Case</strong>: You have a Lambda function that needs to read from an S3 bucket and write logs to CloudWatch.</p> <p><strong>Solution</strong>: Create an IAM role with the necessary permissions and attach it to the Lambda function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># IAM Role for Lambda</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"lambda_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"lambda-s3-access-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"lambda.amazonaws.com"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Policy for S3 access</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"lambda_s3_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"lambda-s3-access-policy"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:GetObject"</span><span class="p">,</span> <span class="s2">"s3:PutObject"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:s3:::my-bucket/*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"s3:ListBucket"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:s3:::my-bucket"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Attach policy to role</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"lambda_s3_attach"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">lambda_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">lambda_s3_policy</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="c1"># Attach CloudWatch Logs policy</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"lambda_logs"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">lambda_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why This Works:</strong></p> <ul> <li>The Lambda service can assume this role</li> <li>The role has specific S3 permissions (read and write to a specific bucket)</li> <li>CloudWatch Logs permissions allow Lambda to write logs</li> <li>No hard-coded credentials needed</li> </ul> <h3> Scenario 2: Cross-Account Access </h3> <p><strong>Use Case</strong>: You have a CI/CD pipeline in Account A that needs to deploy resources to Account B.</p> <p><strong>Solution</strong>: Create a role in Account B that Account A can assume.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># In Account B - Create role that Account A can assume</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"cross_account_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"cross-account-deploy-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::ACCOUNT_A_ID:root"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"sts:ExternalId"</span> <span class="p">=</span> <span class="s2">"unique-external-id-123"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Deployment permissions</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"deploy_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"deployment-policy"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:*"</span><span class="p">,</span> <span class="s2">"s3:*"</span><span class="p">,</span> <span class="s2">"lambda:*"</span><span class="p">,</span> <span class="s2">"cloudformation:*"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"deploy_attach"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">cross_account_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">deploy_policy</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <p><strong>Security Highlights:</strong></p> <ul> <li>External ID prevents the "confused deputy" problem</li> <li>Account A must explicitly assume the role</li> <li>Permissions are isolated to Account B</li> <li>Can be easily audited via CloudTrail</li> </ul> <h3> Scenario 3: EC2 Instance Profile </h3> <p><strong>Use Case</strong>: Your EC2 instances need to access AWS services without storing credentials in the application.</p> <p><strong>Solution</strong>: Use an instance profile with an IAM role.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># IAM Role for EC2</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"ec2_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ec2-app-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"ec2.amazonaws.com"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Application permissions</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"app_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ec2-app-policy"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"dynamodb:GetItem"</span><span class="p">,</span> <span class="s2">"dynamodb:PutItem"</span><span class="p">,</span> <span class="s2">"dynamodb:Query"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:dynamodb:us-east-1:*:table/my-table"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"sqs:SendMessage"</span><span class="p">,</span> <span class="s2">"sqs:ReceiveMessage"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:sqs:us-east-1:*:my-queue"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"app_attach"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ec2_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">app_policy</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="c1"># Instance Profile</span> <span class="nx">resource</span> <span class="s2">"aws_iam_instance_profile"</span> <span class="s2">"ec2_profile"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ec2-app-profile"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ec2_role</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="c1"># Attach to EC2 instance</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"app_server"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="s2">"ami-0c55b159cbfafe1f0"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t2.micro"</span> <span class="nx">iam_instance_profile</span> <span class="p">=</span> <span class="nx">aws_iam_instance_profile</span><span class="p">.</span><span class="nx">ec2_profile</span><span class="p">.</span><span class="nx">name</span> <span class="c1"># Your other configurations...</span> <span class="p">}</span> </code></pre> </div> <p><strong>Benefits:</strong></p> <ul> <li>No credential management in application code</li> <li>Automatic credential rotation by AWS</li> <li>Easy to audit and rotate permissions</li> <li>Credentials never leave the AWS environment</li> </ul> <h3> Scenario 4: Least Privilege with Condition Keys </h3> <p><strong>Use Case</strong>: Grant developers access to only their team's resources using tags.</p> <p><strong>Solution</strong>: Use condition keys in IAM policies.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"team_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"team-based-access-policy"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:StartInstances"</span><span class="p">,</span> <span class="s2">"ec2:StopInstances"</span><span class="p">,</span> <span class="s2">"ec2:TerminateInstances"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"ec2:ResourceTag/Team"</span> <span class="p">=</span> <span class="s2">"$${aws:username}"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:CreateTags"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"ec2:CreateAction"</span> <span class="p">=</span> <span class="s2">"RunInstances"</span> <span class="s2">"aws:RequestTag/Team"</span> <span class="p">=</span> <span class="s2">"$${aws:username}"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:Describe*"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_group"</span> <span class="s2">"developers"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"developers"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_group_policy_attachment"</span> <span class="s2">"dev_attach"</span> <span class="p">{</span> <span class="nx">group</span> <span class="p">=</span> <span class="nx">aws_iam_group</span><span class="p">.</span><span class="nx">developers</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">team_policy</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <p><strong>How It Works:</strong></p> <ul> <li>Developers can only manage instances tagged with their username</li> <li>Forces tagging at creation time</li> <li>Read-only access to all resources for visibility</li> <li>Prevents accidental modification of other teams' resources</li> </ul> <h2> Advanced IAM Patterns </h2> <h3> Permission Boundaries </h3> <p>Permission boundaries set the maximum permissions an entity can have, even if more permissive policies are attached.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"permission_boundary"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"developer-boundary"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:*"</span><span class="p">,</span> <span class="s2">"dynamodb:*"</span><span class="p">,</span> <span class="s2">"lambda:*"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Deny"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"iam:*"</span><span class="p">,</span> <span class="s2">"organizations:*"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_user"</span> <span class="s2">"developer"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"junior-developer"</span> <span class="nx">permissions_boundary</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">permission_boundary</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <h3> Session Policies </h3> <p>Provide additional restrictions when assuming a role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Assume role with session policy</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"assumed_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"limited-session-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::123456789012:user/admin"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Then when assuming with AWS CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sts assume-role <span class="se">\</span> <span class="nt">--role-arn</span> arn:aws:iam::123456789012:role/limited-session-role <span class="se">\</span> <span class="nt">--role-session-name</span> my-session <span class="se">\</span> <span class="nt">--policy</span> <span class="s1">'{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::specific-bucket/*" } ] }'</span> </code></pre> </div> <h2> IAM Policy Evaluation Logic </h2> <p>Understanding how AWS evaluates policies is crucial:</p> <ol> <li> <strong>By default, all requests are denied</strong> (implicit deny)</li> <li> <strong>Explicit allow</strong> in an identity-based or resource-based policy overrides the default</li> <li> <strong>Permission boundary</strong> restricts the maximum permissions</li> <li> <strong>Explicit deny</strong> overrides any allows </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Explicit Deny → Deny ↓ Permission Boundary → Deny if not allowed ↓ Identity-based Policy → Allow ↓ Resource-based Policy → Allow ↓ Default → Deny </code></pre> </div> <h2> Testing IAM Policies </h2> <p>Always test your policies before deploying to production:</p> <h3> IAM Policy Simulator </h3> <p>Use the AWS IAM Policy Simulator to test policies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws iam simulate-principal-policy <span class="se">\</span> <span class="nt">--policy-source-arn</span> arn:aws:iam::123456789012:role/my-role <span class="se">\</span> <span class="nt">--action-names</span> s3:GetObject <span class="se">\</span> <span class="nt">--resource-arns</span> arn:aws:s3:::my-bucket/file.txt </code></pre> </div> <h3> Access Analyzer </h3> <p>Enable IAM Access Analyzer to:</p> <ul> <li>Identify resources shared with external entities</li> <li>Validate policies against AWS best practices</li> <li>Get recommendations for unused access</li> </ul> <h2> Common IAM Pitfalls and Solutions </h2> <h3> 1. Overly Permissive Policies </h3> <p><strong>Problem</strong>: Using <code>"Resource": "*"</code> and <code>"Action": "*"</code></p> <p><strong>Solution</strong>: Be specific with resources and actions<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-specific-bucket/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 2. Not Using Roles for Applications </h3> <p><strong>Problem</strong>: Storing access keys in code</p> <p><strong>Solution</strong>: Always use IAM roles with instance profiles or task roles</p> <h3> 3. Forgetting to Test </h3> <p><strong>Problem</strong>: Deploying untested policies</p> <p><strong>Solution</strong>: Use IAM Policy Simulator and Access Analyzer</p> <h3> 4. Ignoring CloudTrail Logs </h3> <p><strong>Problem</strong>: No visibility into who did what</p> <p><strong>Solution</strong>: Enable CloudTrail and review logs regularly</p> <h2> Hands-On Practice </h2> <p>Want to try these scenarios yourself? Check out my <a href="https://github.com/mdnurahmed/aws-iam-hands-ons" rel="noopener noreferrer">AWS IAM Hands-On Repository</a> which contains:</p> <ul> <li> <strong>Scenario 1</strong>: Lambda with S3 and DynamoDB access</li> <li> <strong>Scenario 2</strong>: Cross-account role assumption</li> <li> <strong>Scenario 3</strong>: EC2 instance profiles with multiple service integrations</li> <li> <strong>Scenario 4</strong>: Tag-based access control with conditions</li> <li> <strong>Lambda Code</strong>: Sample functions demonstrating IAM in action</li> </ul> <p>Each scenario includes:</p> <ul> <li>Terraform infrastructure code</li> <li>Step-by-step deployment instructions</li> <li>Testing procedures</li> <li>Cleanup scripts </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Clone the repository</span> git clone https://github.com/mdnurahmed/aws-iam-hands-ons.git <span class="c"># Navigate to a scenario</span> <span class="nb">cd </span>aws-iam-hands-ons/scenario-1 <span class="c"># Initialize Terraform</span> terraform init <span class="c"># Plan the deployment</span> terraform plan <span class="c"># Apply the configuration</span> terraform apply </code></pre> </div> <h2> IAM Security Checklist </h2> <p>Use this checklist to ensure your IAM setup is secure:</p> <ul> <li>[ ] Root account MFA enabled</li> <li>[ ] No access keys for root account</li> <li>[ ] IAM users have MFA enabled</li> <li>[ ] Access keys rotated regularly (90 days max)</li> <li>[ ] Unused users and roles removed</li> <li>[ ] CloudTrail enabled and logs analyzed</li> <li>[ ] IAM Access Analyzer enabled</li> <li>[ ] Password policy enforced (complexity, rotation)</li> <li>[ ] Least privilege principle applied</li> <li>[ ] Service roles used instead of user credentials</li> <li>[ ] Cross-account access uses external IDs</li> <li>[ ] Permission boundaries set for delegated admin</li> <li>[ ] Regular IAM credential reports reviewed</li> </ul> <h2> Monitoring and Compliance </h2> <h3> CloudTrail Integration </h3> <p>Monitor IAM activities:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_cloudtrail"</span> <span class="s2">"iam_trail"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"iam-audit-trail"</span> <span class="nx">s3_bucket_name</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">trail_bucket</span><span class="p">.</span><span class="nx">id</span> <span class="nx">include_global_service_events</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">is_multi_region_trail</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">event_selector</span> <span class="p">{</span> <span class="nx">read_write_type</span> <span class="p">=</span> <span class="s2">"All"</span> <span class="nx">include_management_events</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> AWS Config Rules </h3> <p>Set up compliance checks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_config_config_rule"</span> <span class="s2">"iam_password_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"iam-password-policy-check"</span> <span class="nx">source</span> <span class="p">{</span> <span class="nx">owner</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="nx">source_identifier</span> <span class="p">=</span> <span class="s2">"IAM_PASSWORD_POLICY"</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_config_configuration_recorder</span><span class="p">.</span><span class="nx">main</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> Conclusion </h2> <p>IAM is fundamental to AWS security, and mastering it takes practice. The key principles to remember:</p> <ol> <li> <strong>Always use least privilege</strong> - grant only what's needed</li> <li> <strong>Prefer roles over users</strong> - for applications and services</li> <li> <strong>Test before deploying</strong> - use simulators and analyzers</li> <li> <strong>Monitor continuously</strong> - enable CloudTrail and Config</li> <li> <strong>Automate with IaC</strong> - use Terraform or CloudFormation</li> </ol> <p>By following these patterns and practicing with the scenarios in the <a href="https://github.com/mdnurahmed/aws-iam-hands-ons" rel="noopener noreferrer">AWS IAM Hands-On Repository</a>, you'll build a strong foundation in AWS security.</p> <p>What IAM challenges have you faced? Share your experiences in the comments below!</p> <h2> Additional Resources </h2> <ul> <li><a href="https://docs.aws.amazon.com/iam/" rel="noopener noreferrer">AWS IAM Documentation</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html" rel="noopener noreferrer">IAM Best Practices Guide</a></li> <li><a href="https://github.com/mdnurahmed/aws-iam-hands-ons" rel="noopener noreferrer">AWS IAM Hands-On Repository</a></li> <li><a href="https://aws.amazon.com/blogs/security/" rel="noopener noreferrer">AWS Security Blog</a></li> <li><a href="https://policysim.aws.amazon.com/" rel="noopener noreferrer">IAM Policy Simulator</a></li> </ul> <p><em>If you found this guide helpful, give it a ❤️ and follow me for more AWS and DevOps content!</em></p> aws iam cloud terraform Are you really treating redis as cache storage ? MD Nur Ahmed Sat, 08 Mar 2025 12:43:30 +0000 https://dev.to/mdnurahmed/are-you-really-treating-redis-as-cache-storage--43e3 https://dev.to/mdnurahmed/are-you-really-treating-redis-as-cache-storage--43e3 <h2> TL,DR: </h2> <p>If your application goes down because of Redis outages while using Redis as cache storage, you need to check your Redis client configurations in your code. You're not actually using Redis as a cache storage properly in this case.</p> <h1> Redis cache anti-pattern </h1> <p>Redis is mostly used as a cache storage to speed up server response time. However, I've often seen applications crash when Redis servers fail (due to Redis memory being full or connection limits being reached). This is an anti-pattern and shouldn't happen. Your application should still function during Redis outages (although with increased latency). This problem typically occurs because the Redis client library configuration treats Redis as a primary data source and keeps retrying with exponential backoff when Redis crashes, instead of gracefully falling back to the primary database.</p> <h1> Demo </h1> <p>I created a simple demo for this using nodejs and ioredis library <a href="https://gitlab.com/nurahmedsabbir/redis-cache-mistake-demo" rel="noopener noreferrer">here</a>. </p> <p>In the <a href="https://gitlab.com/nurahmedsabbir/redis-cache-mistake-demo" rel="noopener noreferrer">main branch</a> , we have a simple redis configuration like this :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>const redis = new Redis({ host: process.env.REDIS_HOST || "redis", port: process.env.REDIS_PORT || 6379, password: process.env.REDIS_PASSWORD || "", }); </code></pre> </div> <p>Let's run it using docker:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker compose up //Create a new item curl -X POST http://localhost:8080/items \ -H "Content-Type: application/json" \ -d '{"name":"test item","value":"test value"}' // Get the item curl http://localhost:8080/items/1 </code></pre> </div> <p>Now , lets bring down redis using "docker stop ". And we see application crashes because ioredis connection error is unhandled. </p> <p>Now let's checkout <a href="https://gitlab.com/nurahmedsabbir/redis-cache-mistake-demo/-/blob/fix-A/app.js?ref_type=heads#L52" rel="noopener noreferrer">another branch</a> where we handled redis connection errors :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// Handle errors without crashing redis.on("error", (err) =&gt; { console.error("[ioredis] Connection error:", err.message); // Don't crash the app, just log the error }); </code></pre> </div> <p>Now, if we stop the Redis Docker container, the app doesn't crash anymore. We've made some progress. However, our requests are taking forever to get a response.</p> <p>Why is that? Because our configuration still isn't resilient to Redis outages. It keeps trying to connect to Redis indefinitely (ioredis default max retry attempt is 20, which is still too many—we don't want to retry so many times).</p> <p>Let's make it even <a href="https://gitlab.com/nurahmedsabbir/redis-cache-mistake-demo/-/tree/fix-final?ref_type=heads" rel="noopener noreferrer">better</a> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// Redis connection const redis = new Redis({ host: process.env.REDIS_HOST || "redis", port: process.env.REDIS_PORT || 6379, password: process.env.REDIS_PASSWORD || "", connectTimeout: 100, // 100 millisecond timeout maxRetriesPerRequest: 1, // Try once and then move on }); </code></pre> </div> <p>Now, our application is resilient to Redis outages. It remains responsive even when Redis goes down.</p> <h2> Conclusion </h2> <p>Of course, you should implement high availability setups and use max-memory policies so that Redis doesn't go down in the first place. And if it does go down, there should be alerts in place. But a Redis cache outage shouldn't turn into a P0 incident for your application.</p> Simple Scalable Search Autocomplete Systems MD Nur Ahmed Fri, 10 Sep 2021 05:51:06 +0000 https://dev.to/mdnurahmed/simple-scalable-search-autocomplete-systems-1j18 https://dev.to/mdnurahmed/simple-scalable-search-autocomplete-systems-1j18 <p>Here I'll discuss 4 ways to build a simple scalable search autocomplete service that I know of and some pros and cons of each of them. </p> <h2> Requirements </h2> <ul> <li>One API for inserting texts/words that were searched by users. For example : </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>POST /insert { "search string" : "Harry Potter and the Prisoner of Azkaban" } </code></pre> </div> <ul> <li>One API for getting autocomplete suggestions as the user keeps typing. For example : </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET /search?SearchString=potter </code></pre> </div> <ul> <li>One API to clear all searches made by the user. For Example - </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>DELETE /delete </code></pre> </div> <ul> <li>The system should be able to return top N frequent relevant queries/searches.</li> <li>The system should be horizontally scalable using shards and read replicas. </li> <li>The calculations should be In-memory to make the system fast and real-time. </li> </ul> <h2> Way 1: Using SQL </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>SELECT * FROM autocomplete WHERE search_items LIKE '%{SEARCH_STRING}% ORDER BY frequency DESC LIMIT 5'; </code></pre> </div> <p>PostgreSQL (and some other SQL databases) have LIKE operator which can be used to search patterns in text data. Percent sign (%) matches any sequence of zero or more characters. So %{SEARCH_STRING}% will return all rows in autocomplete table where {SEARCH_STRING} exists in any position of the search-items field. We would also want to get rid of less frequent search items before they pile up. There is no direct way to do this. We could have an "expire" field which we would update every time insert API is called, that is when a user searches something. Another process could periodically delete the expired items. This can do infix matching (i.e. matching terms at any position within the input). This is the simplest way to do this but this actually doesn't happen in memory. </p> <h2> Using Redis Sorted Set </h2> <p>Redis is an in-memory database. So we could try to exploit Redis's data structures to make a search autocomplete system. Salvatore Sanfilippo Antirez, the creator of Redis, wrote about 2 ways about how it could be done in his old blog post from 2010. You can read the <a href="http://oldblog.antirez.com/post/autocomplete-with-redis.html" rel="noopener noreferrer">original blog post</a> but here I'm gonna explain both of the ways. Both of the ways use sorted set data structure of Redis which is implemented using the skip list data structure under the hood.</p> <h3> Way 2: Using 1 Sorted Set </h3> <p>If any 2 members in a Redis's sorted set have an equal score they are sorted lexicographically. For each prefix in the search string, we'll store them in a sorted set with the same score. So, they will be lexicographically sorted in the set. To mark an end word we'll add '*' to it in the end. For example, if we searched "bangladesh" and "bangkok", our sorted set will look like this -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> 0 b 1 ba 2 ban 3 bang 4 bangk 5 bangko 6 bangkok 7 bangkok* 8 bangl 9 bangla 10 banglad 11 banglade 12 banglades 13 bangladesh 14 bangladesh* </code></pre> </div> <p>Each insertion in the sorted set happens at O(logN) complexity where N is the size of the sorted set. So total complexity of insert each time the insert API is called is O(L*logN) where L is the average length of a search string. We can use the <a href="https://redis.io/commands/zrank" rel="noopener noreferrer">ZRANK</a> command to find any member's index/position in the sorted set. We then can use <a href="https://redis.io/commands/zrange" rel="noopener noreferrer">ZRANGE</a> command to fetch M members from that position in O(M) complexity. If any fetched member has '*' in the end and it contains the search string as a prefix, then we can return it as a suggestion. <br> For example, if the user types 'bang' we can find the index of 'bang' in a sorted set, it's 3. Now if we fetch 12 items from position 3 we would fetch -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[ bang,bangk,bangko,bangkok,bangkok*, bangl,bangla,banglad,banglade, banglades,bangladesh,bangladesh* ] </code></pre> </div> <p>Among these members bangkok* and bangladesh* has "bang" in the prefix and "*" in the end. So they can go into the suggestion. Our API would return [bangkok,bangladesh].<br> But this method cannot return top N frequent relevant searches. Also, there is no way to get rid of less frequent searched items. On top of that, this cannot do infix matching (i.e. matching terms at any position within the input). </p> <p><a href="https://github.com/mdnurahmed/autocomplete-with-redis-1" rel="noopener noreferrer">Here is my full code implementing this method</a></p> <h3> Way 3: Using Multiple Sorted Sets </h3> <p>For each prefix of the searched string, we'll have 1 sorted set. The searched string will be a member of each of those sorted sets. The score of each member will be the frequency. The complexity of insert here is L*log(N) where L average length of a search string, N is the size of the sorted set. For example, if we searched "bangladesh" 2 times and "bangkok" 3 times, our Redis would look like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> |Sorted Set| Members | | ---------|---------------------------| |b | bangladesh:2 , bangkok:3 | |ba | bangladesh:2 , bangkok:3 | |ban | bangladesh:2 , bangkok:3 | |bang | bangladesh:2 , bangkok:3 | |bangk | bangladesh:2 , bangkok:3 | |bangko | bangladesh:2 , bangkok:3 | |bangkok | bangladesh:2 , bangkok:3 | |bangl | bangladesh:2 , bangkok:3 | |bangla | bangladesh:2 , bangkok:3 | |banglad | bangladesh:2 , bangkok:3 | |banglade | bangladesh:2 , bangkok:3 | |banglades | bangladesh:2 , bangkok:3 | |bangladesh| bangladesh:2 , bangkok:3 | </code></pre> </div> <p>So if the user types 'bang' we can fetch top N frequent items easily from the sorted set 'bang' using the <a href="https://redis.io/commands/zrevrange" rel="noopener noreferrer">ZREVRANGE</a> command as our suggestions are sorted according to frequency. We can also use <a href="https://redis.io/commands/expire" rel="noopener noreferrer">EXPIRE</a> command to delete sorted sets containing less frequent search items. <br> Now we need to cap the length of the sorted set. We cannot let it reach infinite length. For the top 5 suggestions, keeping 300 elements is quite enough. Whenever a new member would come in the sorted set we'll pop the element with the lowest score and insert the new element with a score equal to the popped element's score plus 1. So this new element would have a chance to rise to the top. Now, this is a stream-based algorithm. So the accuracy of this algorithm depends on the distribution of input. If all the strings have very close frequency this might not be very accurate. But in the case of searching problems, usually, a small subset occupies a big percentage of all the searches. So in a real-life scenario, this will be very feasible. But this also can not do infix matching.</p> <p><a href="https://github.com/mdnurahmed/autocomplete-with-redis-2" rel="noopener noreferrer">Here is my full code implementing this method</a></p> <h2> Way 4: Using Elasticsearch </h2> <p>There are multiple ways to do it using Elasticsearch. But almost all of them does most of the work at query time and are not guaranteed to be in memory. Except if we map our field as <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.x/search-as-you-type.html" rel="noopener noreferrer">search_as_you_type</a> data type. Then this does most of the work at index time by updating in-memory Finite State Transducers which are a variant of the trie data structure. Also, this can do infix matching. This is the most efficient way to solve this problem.<br> our mapping would look like this -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "mappings":{ "properties":{ "search-text":{ "type":"search_as_you_type" }, "frequency":{ "type":"long" }, "expire":{ "type":"long" } } } } </code></pre> </div> <p>"frequency" is the frequency of the search-text, so we can fetch top N relevant searches. "expire" field can be used to delete expired less frequent items by another process. </p> <p>We don't want one search to appear multiple times in the database. One way to solve this is to use the hash of the search string as the document ID. </p> <p>Our insert operation will be an upsert operation where we would increase the "frequency" of the document and update the "expire" field if it already exists or insert the document if it doesn't exist. We can take help of the "script" field for this -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>POST autocomplete/_update/{DOCUMENT_ID} { "script":{ "source":"ctx._source.frequency++;ctx._source.expire={EXPIRE_TIME}", "lang":"painless" }, "upsert":{ "search-text":"{SEARCH_STRING}", "frequency":1, "expire":"{EXPIRE_TIME}" } } </code></pre> </div> <p>In search API we want to fetch the top N relevant element sorted by frequency -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET /autocomplete/_search { "size":5, "sort":[ { "frequency":"desc" } ], "query":{ "multi_match":{ "query":{SEARCH_STRING}, "type":"bool_prefix", "fields":[ "search-text", "search-text._2gram", "search-text._3gram" ] } } } </code></pre> </div> <p><a href="https://github.com/mdnurahmed/autocomplete-with-elasticsearch" rel="noopener noreferrer">Here is my full code implementing this method.</a></p> <h2> Conclusion : </h2> <p>Thanks a lot for taking your time to read it. Let me know what you think of it in the comment. Let me know if there are any other solutions you know of or how I could improve my solutions. Any feedback is welcome. </p> go redis elasticsearch sql