The latest articles on DEV Community by Paweł Swiridow (@pawe_swiridow_6f6c8bbf53). https://dev.to/pawe_swiridow_6f6c8bbf53 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3263513%2F3ff72825-3ee6-48a9-a37a-58dda35c3d22.png https://dev.to/pawe_swiridow_6f6c8bbf53 en Paweł Swiridow Wed, 28 Jan 2026 11:00:00 +0000 https://dev.to/u11d/decoupling-ingress-with-targetgroupbinding-in-eks-2409 https://dev.to/u11d/decoupling-ingress-with-targetgroupbinding-in-eks-2409 <p>As we scale our EKS clusters, relying solely on Kubernetes Ingress objects to provision AWS Application Load Balancers (ALBs) can become restrictive. Sometimes we need to attach an EKS Service to a pre-existing ALB managed by Terraform, or we need complex routing rules that are easier to manage in HCL (Terraform) than in K8s annotations.</p> <p>The <strong>AWS Load Balancer Controller</strong> supports a custom resource called <code>TargetGroupBinding</code> (TGB). This allows us to provision the Load Balancer and Target Group in Terraform (Infrastructure layer) and simply "bind" our Kubernetes Service to it at runtime (Application layer).</p> <p>This guide walks through how to set up an AWS Target Group in Terraform and register a <strong>Prometheus</strong> instance to it using Helm values.</p> <h3> Prerequisites </h3> <p>Before proceeding, ensure your environment meets the following requirements. This architecture relies on specific AWS components to route traffic directly to Pods:</p> <ul> <li> <strong>Amazon EKS Cluster:</strong> A running EKS cluster is required.</li> <li> <strong>AWS VPC CNI Plugin:</strong> We will be using <code>target_type = "ip"</code>. This mode requires the <strong>AWS VPC CNI</strong> (the default networking plugin for EKS), which assigns native AWS VPC IP addresses to Pods. This allows the ALB to route traffic directly to the Pod IP, bypassing the worker node's kube-proxy.</li> <li> <strong>AWS Load Balancer Controller:</strong> You must have the <strong>AWS Load Balancer Controller</strong> (v2.0+) installed and running in your cluster. This controller is responsible for installing the <code>TargetGroupBinding</code> CRD and actively managing the registration of targets. <ul> <li> <em>Note:</em> Ensure the controller has the necessary IAM permissions to <code>elasticloadbalancing:RegisterTargets</code> and <code>elasticloadbalancing:DeregisterTargets</code>.</li> </ul> </li> </ul> <h2> Part 1: Infrastructure (Terraform) </h2> <p>First, we need to create the Target Group. The critical setting here is <code>target_type = "ip"</code>.</p> <p>When using the AWS Load Balancer Controller with the AWS VPC CNI, we want the ALB to send traffic directly to the Pod IP addresses, bypassing NodePorts.</p> <h3> <code>main.tf</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_lb_target_group"</span> <span class="s2">"prometheus_tg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"eks-prometheus-tg"</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">9090</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="c1"># CRITICAL: Must be 'ip' for direct Pod routing via AWS LB Controller</span> <span class="nx">target_type</span> <span class="p">=</span> <span class="s2">"ip"</span> <span class="nx">health_check</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/-/healthy"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">matcher</span> <span class="p">=</span> <span class="s2">"200"</span> <span class="nx">interval</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">healthy_threshold</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">unhealthy_threshold</span> <span class="p">=</span> <span class="mi">3</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># We need to export this ARN to pass it to our Helm chart later</span> <span class="nx">output</span> <span class="s2">"prometheus_tg_arn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">prometheus_tg</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <p><strong>Note:</strong> Do not use <code>aws_lb_target_group_attachment</code> in Terraform. The AWS Load Balancer Controller running inside the cluster will manage the targets dynamically as Pods come and go.</p> <h2> Part 2: Security (IAM Least Privilege) </h2> <p>By default, the generic AWS Load Balancer Controller policy is permissive (often using <code>Resource: *</code>). In a production environment - especially one with multiple teams sharing an AWS account - we should adhere to <strong>Least Privilege</strong>.</p> <p>We must restrict the Controller's ability so it can <strong>only</strong> register/deregister targets for this specific Target Group, preventing it from accidentally modifying other Load Balancers.</p> <p>Add this policy to the IAM Role used by your Load Balancer Controller ServiceAccount:</p> <h3> <code>iam.tf</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">data "aws_iam_policy_document" "lb_controller_tgb_policy" {</span> <span class="s">statement {</span> <span class="s">sid = "AllowRegisterTargets"</span> <span class="s">effect = "Allow"</span> <span class="s">actions = [</span> <span class="s">"elasticloadbalancing:RegisterTargets",</span> <span class="s">"elasticloadbalancing:DeregisterTargets"</span> <span class="s">]</span> <span class="s"># Scope permissions strictly to the specific Target Group ARN created above</span> <span class="s">resources = [aws_lb_target_group.prometheus_tg.arn]</span> <span class="s">}</span> <span class="s">statement {</span> <span class="s">sid = "AllowDescribeHealth"</span> <span class="s">effect = "Allow"</span> <span class="s">actions = [</span> <span class="s">"elasticloadbalancing:DescribeTargetHealth"</span> <span class="s">]</span> <span class="s">resources = [aws_lb_target_group.prometheus_tg.arn]</span> <span class="s">}</span> <span class="err">}</span> <span class="s">resource "aws_iam_policy" "tgb_strict_policy" {</span> <span class="s">name = "eks-alb-controller-tgb-restricted"</span> <span class="s">description = "Restricted access for TargetGroupBinding to specific TGs only"</span> <span class="s">policy = data.aws_iam_policy_document.lb_controller_tgb_policy.json</span> <span class="err">}</span> </code></pre> </div> <h2> <strong>Part 3: The Glue (TargetGroupBinding CRD)</strong> </h2> <p>The <code>TargetGroupBinding</code> CRD tells the controller: <em>"Watch this Kubernetes Service, and whenever its endpoints change, update this specific AWS Target Group."</em></p> <p>A raw TGB manifest looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">elbv2.k8s.aws/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">TargetGroupBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">prometheus-tgb</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">monitoring</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">prometheus-k8s</span> <span class="c1"># The name of your K8s Service</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9090</span> <span class="c1"># The port defined in the Service</span> <span class="na">targetGroupARN</span><span class="pi">:</span> <span class="s">&lt;YOUR_TF_OUTPUT_ARN&gt;</span> </code></pre> </div> <h2> Part 4: Application Deployment (Prometheus Helm Values) </h2> <p>We don't want to apply that YAML manually. We want it version-controlled with our Prometheus deployment.</p> <p>Most Prometheus Helm charts (like <code>kube-prometheus-stack</code>) support an <code>extraManifests</code> or <code>additionalManifests</code> property in their <code>values.yaml</code>. This allows us to inject arbitrary K8s objects-like our TGB-directly during the Helm install.</p> <p>Here is how you configure your <code>values.yaml</code> to register Prometheus to the Terraform-managed Target Group.</p> <h3> <code>values.yaml</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Configuration for kube-prometheus-stack</span> <span class="na">prometheus</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9090</span> <span class="c1"># Ensure the service selector matches what the TGB expects</span> <span class="c1"># usually standard, but good to verify.</span> <span class="c1"># Injecting the Custom Resource Definition</span> <span class="na">extraManifests</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">elbv2.k8s.aws/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">TargetGroupBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">prometheus-binding</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">monitoring</span> <span class="c1"># Must match the release namespace</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">prometheus-kube-prometheus-prometheus</span> <span class="c1"># Default name in the stack</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9090</span> <span class="na">targetGroupARN</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:elasticloadbalancing:us-east-1:1234567890:targetgroup/eks-prometheus-tg/6d0ecf831eec9f09"</span> </code></pre> </div> <h2> <strong>Summary of Flow</strong> </h2> <ol> <li> <strong>Terraform</strong> creates the empty Target Group (Mode: IP).</li> <li> <strong>Helm</strong> deploys Prometheus + the <code>TargetGroupBinding</code> CR.</li> <li> <strong>AWS Load Balancer Controller</strong> sees the new Binding CR.</li> <li> <strong>Controller</strong> looks up the Pod IPs backing the Prometheus Service.</li> <li> <strong>Controller</strong> registers those Pod IPs into the AWS Target Group automatically.</li> </ol> <p>This approach gives us the stability of Terraform-managed Infrastructure (the ALB and Listeners) with the flexibility of Kubernetes-managed endpoints.</p> aws terraform kubernetes Paweł Swiridow Mon, 22 Sep 2025 09:07:05 +0000 https://dev.to/u11d/secure-aws-access-in-kubernetes-transitioning-from-secrets-to-irsa-or-pod-identity-4i68 https://dev.to/u11d/secure-aws-access-in-kubernetes-transitioning-from-secrets-to-irsa-or-pod-identity-4i68 <p>Traditional approaches to AWS authorization from Kubernetes involved creating IAM users with permanent access keys and storing these credentials within the cluster. Modern solutions eliminate stored credentials entirely, using temporary tokens that expire automatically and follow the principle of least privilege.<br> Think of it like upgrading from physical keys to smart cards for your Kubernetes workloads - instead of storing a master key in every pod, your containers get temporary access cards that only work for specific resources and expire automatically.</p> <h2> The old way: stored credentials (what to avoid) </h2> <p>Before diving into modern solutions, let's understand what we're moving away from. Traditional approaches to AWS access from Kubernetes typically involved:</p> <ol> <li> <strong>Create IAM users</strong> with access keys (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY)</li> <li> <strong>Store these credentials</strong> in Kubernetes secrets, environment variables, or config files</li> <li> <strong>Hardcode them</strong> in container images or application code</li> </ol> <p>Here's what this looked like in a typical Kubernetes deployment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-credentials</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">data</span><span class="pi">:</span> <span class="na">AWS_ACCESS_KEY_ID</span><span class="pi">:</span> <span class="s">ABCDEF</span> <span class="na">AWS_SECRET_ACCESS_KEY</span><span class="pi">:</span> <span class="s">GHIJKL</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">legacy-app</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">legacy-app</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">legacy-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">legacy-app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-app:latest</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_ACCESS_KEY_ID</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-credentials</span> <span class="na">key</span><span class="pi">:</span> <span class="s">AWS_ACCESS_KEY_ID</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_SECRET_ACCESS_KEY</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-credentials</span> <span class="na">key</span><span class="pi">:</span> <span class="s">AWS_SECRET_ACCESS_KEY</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_REGION</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">us-west-2"</span> </code></pre> </div> <p>This approach creates several security and operational challenges in Kubernetes environments:</p> <p><strong>Security risks:</strong></p> <ul> <li>Long-lived credentials don't expire automatically</li> <li>Keys can be extracted from running containers or Kubernetes secrets</li> <li>Credential leaks provide persistent access until manually revoked</li> <li>Difficult to audit credential usage across pods and namespaces</li> </ul> <p><strong>Operational challenges:</strong></p> <ul> <li>Manual key rotation across all pods and clusters</li> <li>Credential sprawl as keys get copied across namespaces and environments</li> <li>Complex secret management across multiple Kubernetes clusters</li> </ul> <h2> Modern authorization methods for Kubernetes </h2> <p>Modern AWS authorization from Kubernetes eliminates stored credentials by using temporary tokens that are automatically refreshed. Two primary solutions exist for Kubernetes-to-AWS authentication:</p> <h3> IRSA (IAM roles for service accounts) </h3> <p>IRSA uses OpenID Connect (OIDC) to bridge Kubernetes service accounts with AWS IAM roles. When a pod needs AWS access, it presents a JWT token that AWS validates through the cluster's OIDC provider, receiving temporary credentials in return.</p> <p><strong>How it works:</strong></p> <ol> <li>Pod receives a JWT token from the Kubernetes API server automatically</li> <li>AWS SDK includes this token in API requests</li> <li>AWS STS validates the token through the EKS cluster's OIDC provider</li> <li>STS returns temporary AWS credentials to the pod</li> <li>Pod uses these credentials to access AWS services</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbppog6xb7598gn0x5huj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbppog6xb7598gn0x5huj.png" alt="IRSA diagram" width="800" height="1467"></a></p> <h3> EKS pod identity </h3> <p>EKS Pod Identity is AWS's newer approach, using a cluster add-on that handles credential exchange automatically. A Pod Identity agent runs as a DaemonSet on each Kubernetes node, intercepting AWS API calls and fetching credentials from AWS's Pod Identity service.</p> <p><strong>How it works:</strong></p> <ol> <li>Pod makes AWS API calls through the AWS SDK</li> <li>Pod Identity agent (running as DaemonSet) intercepts these calls</li> <li>Agent requests credentials from the EKS Pod Identity service</li> <li>Service returns temporary credentials to the agent</li> <li>Original API call proceeds with valid credentials</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe7lvky0lo013tzxfasy2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe7lvky0lo013tzxfasy2.png" alt="EKS Pod Identity diagram" width="800" height="1782"></a></p> <h2> Implementation with Terraform </h2> <p>Let's implement both approaches using consistent IAM policies. We'll use a common S3 access policy for both examples that pods can use to access AWS services:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"s3_access"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"kubernetes-app-s3-access"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"S3 access policy for Kubernetes applications"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:GetObject"</span><span class="p">,</span> <span class="s2">"s3:PutObject"</span><span class="p">,</span> <span class="s2">"s3:DeleteObject"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:s3:::my-k8s-app-bucket/*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:ListBucket"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:s3:::my-k8s-app-bucket"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h3> Setting up IRSA for EKS </h3> <p>Configure your EKS cluster with OIDC enabled to support IRSA:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">module</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 19.0.0"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"my-k8s-cluster"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.28"</span> <span class="c1"># create an OpenID Connect Provider for EKS to enable IRSA (IAM Roles for Service Accounts)</span> <span class="nx">enable_irsa</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">eks_managed_node_groups</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">main</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.medium"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Create the IAM role that your Kubernetes service account will assume:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">module</span> <span class="s2">"irsa_role"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"</span> <span class="nx">role_name</span> <span class="p">=</span> <span class="s2">"k8s-app-irsa-role"</span> <span class="nx">role_policy_arns</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">s3_access</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">s3_access</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">oidc_providers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">main</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">provider_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="nx">namespace_service_accounts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"default:k8s-app-service-account"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Setting up EKS pod identity </h3> <p>Enable the Pod Identity add-on in your EKS cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">module</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 19.0.0"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"my-k8s-cluster"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.28"</span> <span class="nx">cluster_addons</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">eks-pod-identity-agent</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">addon_version</span> <span class="p">=</span> <span class="s2">"v1.3.4-eksbuild.1"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">eks_managed_node_groups</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">main</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.medium"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Create the Pod Identity association to link your Kubernetes service account with AWS permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">module</span> <span class="s2">"pod_identity"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks-pod-identity/aws"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"k8s-app-pod-identity"</span> <span class="nx">additional_policy_arns</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">S3Access</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">s3_access</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">associations</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">service_account</span> <span class="p">=</span> <span class="s2">"k8s-app-service-account"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Kubernetes manifests </h2> <h3> IRSA application deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8s-app-service-account</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">eks.amazonaws.com/role-arn</span><span class="pi">:</span> <span class="s">arn:aws:iam::123456789012:role/k8s-app-irsa-role</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8s-app-irsa</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">k8s-app-irsa</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">k8s-app-irsa</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">k8s-app-service-account</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-app:latest</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_REGION</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">us-west-2"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <h3> Pod identity application deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8s-app-service-account</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8s-app-pod-identity</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">k8s-app-pod-identity</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">k8s-app-pod-identity</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">k8s-app-service-account</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-app:latest</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_REGION</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">us-west-2"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <p>Notice how both modern approaches eliminate the need for stored credentials entirely in your Kubernetes cluster. The Pod Identity deployment is even simpler, requiring no special annotations on the service account.</p> <h2> Comparing modern approaches for Kubernetes </h2> <h3> IRSA strengths and limitations </h3> <p><strong>Strengths:</strong></p> <ul> <li>Works with any Kubernetes cluster, not just EKS</li> <li>Mature technology with extensive community support</li> <li>Fine-grained control over JWT token configuration</li> <li>Compatible with other OIDC-based systems and service meshes</li> </ul> <p><strong>Limitations:</strong></p> <ul> <li>More complex setup and troubleshooting in Kubernetes</li> <li>Requires OIDC provider configuration at the cluster level</li> <li>JWT tokens can become large and cause issues with some applications</li> <li>Manual annotation management required for each service account</li> </ul> <h3> Pod identity strengths and limitations </h3> <p><strong>Strengths:</strong></p> <ul> <li>Simplified setup and ongoing management in EKS</li> <li>Native AWS integration with better performance</li> <li>Automatic credential refresh and rotation handled by the agent</li> <li>Built-in audit logging capabilities through CloudTrail</li> <li>No JWT token size limitations or complexity</li> </ul> <p><strong>Limitations:</strong></p> <ul> <li>EKS-only solution, not portable to other Kubernetes distributions</li> <li>Newer technology with less community knowledge and troubleshooting guides</li> <li>Requires EKS cluster version 1.24 or higher</li> <li>Less customization flexibility compared to OIDC-based approaches</li> </ul> <h2> Security best practices for Kubernetes workloads </h2> <p>Regardless of which modern approach you choose for your Kubernetes cluster, follow these security principles:</p> <p><strong>Principle of least privilege:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="c1"># Good: Specific permissions for specific resources used by pods</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"restricted_s3"</span> <span class="p">{</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"s3:GetObject"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:s3:::k8s-specific-bucket/app-folder/*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Avoid: Overly broad permissions that pods don't need</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"too_broad"</span> <span class="p">{</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"s3:*"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p><strong>Additional security measures for Kubernetes:</strong></p> <ul> <li>Use Kubernetes namespace isolation to limit service account scope</li> <li>Implement regular auditing of role usage and permissions across clusters</li> <li>Monitor credential usage through AWS CloudTrail and Kubernetes audit logs</li> <li>Set up alerts for unusual access patterns from pods</li> <li>Use Kubernetes Network Policies to restrict pod-to-pod communication</li> <li>Regularly review and rotate any remaining long-lived credentials in your cluster</li> </ul> <h2> Choosing the right approach </h2> <p><strong>Choose IRSA when:</strong></p> <ul> <li>You need multi-cloud or hybrid Kubernetes support</li> <li>You have complex OIDC integration requirements</li> <li>Your team has existing IRSA expertise</li> <li>You need fine-grained token control</li> </ul> <p><strong>Choose Pod Identity when:</strong></p> <ul> <li>You're using EKS exclusively</li> <li>You want simplified management overhead</li> <li>You're starting new projects from scratch</li> <li>You prefer AWS-native solutions</li> </ul> <p><strong>Migrate from stored credentials when:</strong></p> <ul> <li>You're currently using long-lived access keys</li> <li>You want to improve security posture</li> <li>You need better credential rotation</li> <li>You want to reduce operational overhead</li> </ul> <h2> Conclusion </h2> <p>Modern AWS authorization methods eliminate the security risks and operational complexity of stored credentials in Kubernetes environments. Both IRSA and EKS Pod Identity provide secure, temporary credential access that follows cloud security best practices while integrating seamlessly with Kubernetes workflows.</p> <p>For new EKS projects, Pod Identity offers the simplest path forward with native AWS integration and reduced management overhead. For existing Kubernetes environments or multi-platform requirements, IRSA provides proven reliability and flexibility across different cluster types.</p> <p>The most important step is moving away from stored credentials entirely in your Kubernetes clusters. Choose the modern approach that best fits your team's expertise and infrastructure requirements - both represent significant improvements over traditional credential management and will enhance your cluster's security posture while simplifying operations.</p> kubernetes aws terraform security Paweł Swiridow Mon, 22 Sep 2025 07:00:00 +0000 https://dev.to/u11d/secure-aws-access-in-kubernetes-transitioning-from-secrets-to-irsa-or-pod-identity-1im7 https://dev.to/u11d/secure-aws-access-in-kubernetes-transitioning-from-secrets-to-irsa-or-pod-identity-1im7 <p>Traditional approaches to AWS authorization from Kubernetes involved creating IAM users with permanent access keys and storing these credentials within the cluster. Modern solutions eliminate stored credentials entirely, using temporary tokens that expire automatically and follow the principle of least privilege.<br> Think of it like upgrading from physical keys to smart cards for your Kubernetes workloads - instead of storing a master key in every pod, your containers get temporary access cards that only work for specific resources and expire automatically.</p> <h2> The old way: stored credentials (what to avoid) </h2> <p>Before diving into modern solutions, let's understand what we're moving away from. Traditional approaches to AWS access from Kubernetes typically involved:</p> <ol> <li> <strong>Create IAM users</strong> with access keys (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY)</li> <li> <strong>Store these credentials</strong> in Kubernetes secrets, environment variables, or config files</li> <li> <strong>Hardcode them</strong> in container images or application code</li> </ol> <p>Here's what this looked like in a typical Kubernetes deployment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-credentials</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">data</span><span class="pi">:</span> <span class="na">AWS_ACCESS_KEY_ID</span><span class="pi">:</span> <span class="s">ABCDEF</span> <span class="na">AWS_SECRET_ACCESS_KEY</span><span class="pi">:</span> <span class="s">GHIJKL</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">legacy-app</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">legacy-app</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">legacy-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">legacy-app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-app:latest</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_ACCESS_KEY_ID</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-credentials</span> <span class="na">key</span><span class="pi">:</span> <span class="s">AWS_ACCESS_KEY_ID</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_SECRET_ACCESS_KEY</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-credentials</span> <span class="na">key</span><span class="pi">:</span> <span class="s">AWS_SECRET_ACCESS_KEY</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_REGION</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">us-west-2"</span> </code></pre> </div> <p>This approach creates several security and operational challenges in Kubernetes environments:</p> <p><strong>Security risks:</strong></p> <ul> <li>Long-lived credentials don't expire automatically</li> <li>Keys can be extracted from running containers or Kubernetes secrets</li> <li>Credential leaks provide persistent access until manually revoked</li> <li>Difficult to audit credential usage across pods and namespaces</li> </ul> <p><strong>Operational challenges:</strong></p> <ul> <li>Manual key rotation across all pods and clusters</li> <li>Credential sprawl as keys get copied across namespaces and environments</li> <li>Complex secret management across multiple Kubernetes clusters</li> </ul> <h2> Modern authorization methods for Kubernetes </h2> <p>Modern AWS authorization from Kubernetes eliminates stored credentials by using temporary tokens that are automatically refreshed. Two primary solutions exist for Kubernetes-to-AWS authentication:</p> <h3> IRSA (IAM roles for service accounts) </h3> <p>IRSA uses OpenID Connect (OIDC) to bridge Kubernetes service accounts with AWS IAM roles. When a pod needs AWS access, it presents a JWT token that AWS validates through the cluster's OIDC provider, receiving temporary credentials in return.</p> <p><strong>How it works:</strong></p> <ol> <li>Pod receives a JWT token from the Kubernetes API server automatically</li> <li>AWS SDK includes this token in API requests</li> <li>AWS STS validates the token through the EKS cluster's OIDC provider</li> <li>STS returns temporary AWS credentials to the pod</li> <li>Pod uses these credentials to access AWS services</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh1nxbz0miwm5kq49qp7t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh1nxbz0miwm5kq49qp7t.png" alt="pod-identity-vs-irsa-image-1.png" width="800" height="508"></a></p> <h3> EKS pod identity </h3> <p>EKS Pod Identity is AWS's newer approach, using a cluster add-on that handles credential exchange automatically. A Pod Identity agent runs as a DaemonSet on each Kubernetes node, intercepting AWS API calls and fetching credentials from AWS's Pod Identity service.</p> <p><strong>How it works:</strong></p> <ol> <li>Pod makes AWS API calls through the AWS SDK</li> <li>Pod Identity agent (running as DaemonSet) intercepts these calls</li> <li>Agent requests credentials from the EKS Pod Identity service</li> <li>Service returns temporary credentials to the agent</li> <li>Original API call proceeds with valid credentials</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2trda2ie9fccc7z0b0ha.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2trda2ie9fccc7z0b0ha.png" alt="Pod identity block diagram" width="800" height="508"></a></p> <h2> Implementation with Terraform </h2> <p>Let's implement both approaches using consistent IAM policies. We'll use a common S3 access policy for both examples that pods can use to access AWS services:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"s3_access"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"kubernetes-app-s3-access"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"S3 access policy for Kubernetes applications"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:GetObject"</span><span class="p">,</span> <span class="s2">"s3:PutObject"</span><span class="p">,</span> <span class="s2">"s3:DeleteObject"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:s3:::my-k8s-app-bucket/*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:ListBucket"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:s3:::my-k8s-app-bucket"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h3> Setting up IRSA for EKS </h3> <p>Configure your EKS cluster with OIDC enabled to support IRSA:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">module</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 19.0.0"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"my-k8s-cluster"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.28"</span> <span class="c1"># create an OpenID Connect Provider for EKS to enable IRSA (IAM Roles for Service Accounts)</span> <span class="nx">enable_irsa</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">eks_managed_node_groups</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">main</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.medium"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Create the IAM role that your Kubernetes service account will assume:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">module</span> <span class="s2">"irsa_role"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"</span> <span class="nx">role_name</span> <span class="p">=</span> <span class="s2">"k8s-app-irsa-role"</span> <span class="nx">role_policy_arns</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">s3_access</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">s3_access</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">oidc_providers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">main</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">provider_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="nx">namespace_service_accounts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"default:k8s-app-service-account"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Setting up EKS pod identity </h3> <p>Enable the Pod Identity add-on in your EKS cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">module</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 19.0.0"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"my-k8s-cluster"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.28"</span> <span class="nx">cluster_addons</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">eks-pod-identity-agent</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">addon_version</span> <span class="p">=</span> <span class="s2">"v1.3.4-eksbuild.1"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">eks_managed_node_groups</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">main</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.medium"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Kubernetes manifests </h2> <h3> IRSA application deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8s-app-service-account</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">eks.amazonaws.com/role-arn</span><span class="pi">:</span> <span class="s">arn:aws:iam::123456789012:role/k8s-app-irsa-role</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8s-app-irsa</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">k8s-app-irsa</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">k8s-app-irsa</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">k8s-app-service-account</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-app:latest</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_REGION</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">us-west-2"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <p>Pod identity application deployment<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8s-app-service-account</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8s-app-pod-identity</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">k8s-app-pod-identity</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">k8s-app-pod-identity</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">k8s-app-service-account</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-app:latest</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_REGION</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">us-west-2"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <p>Notice how both modern approaches eliminate the need for stored credentials entirely in your Kubernetes cluster. The Pod Identity deployment is even simpler, requiring no special annotations on the service account.</p> <h2> Comparing modern approaches for Kubernetes </h2> <h3> IRSA strengths and limitations </h3> <p><strong>Strengths:</strong></p> <ul> <li>Works with any Kubernetes cluster, not just EKS</li> <li>Mature technology with extensive community support</li> <li>Fine-grained control over JWT token configuration</li> <li>Compatible with other OIDC-based systems and service meshes</li> </ul> <p><strong>Limitations:</strong></p> <ul> <li>More complex setup and troubleshooting in Kubernetes</li> <li>Requires OIDC provider configuration at the cluster level</li> <li>JWT tokens can become large and cause issues with some applications</li> <li>Manual annotation management required for each service account</li> </ul> <h3> Pod identity strengths and limitations </h3> <p><strong>Strengths:</strong></p> <ul> <li>Simplified setup and ongoing management in EKS</li> <li>Native AWS integration with better performance</li> <li>Automatic credential refresh and rotation handled by the agent</li> <li>Built-in audit logging capabilities through CloudTrail</li> <li>No JWT token size limitations or complexity</li> </ul> <p><strong>Limitations:</strong></p> <ul> <li>EKS-only solution, not portable to other Kubernetes distributions</li> <li>Newer technology with less community knowledge and troubleshooting guides</li> <li>Requires EKS cluster version 1.24 or higher</li> <li>Less customization flexibility compared to OIDC-based approaches</li> </ul> <h2> Security best practices for Kubernetes workloads </h2> <p>Regardless of which modern approach you choose for your Kubernetes cluster, follow these security principles:</p> <p><strong>Principle of least privilege:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="c1"># Good: Specific permissions for specific resources used by pods</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"restricted_s3"</span> <span class="p">{</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"s3:GetObject"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:s3:::k8s-specific-bucket/app-folder/*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Avoid: Overly broad permissions that pods don't need</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"too_broad"</span> <span class="p">{</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"s3:*"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p><strong>Additional security measures for Kubernetes:</strong></p> <ul> <li>Use Kubernetes namespace isolation to limit service account scope</li> <li>Implement regular auditing of role usage and permissions across clusters</li> <li>Monitor credential usage through AWS CloudTrail and Kubernetes audit logs</li> <li>Set up alerts for unusual access patterns from pods</li> <li>Use Kubernetes Network Policies to restrict pod-to-pod communication</li> <li>Regularly review and rotate any remaining long-lived credentials in your cluster</li> </ul> <h2> Choosing the right approach </h2> <p><strong>Choose IRSA when:</strong></p> <ul> <li>You need multi-cloud or hybrid Kubernetes support</li> <li>You have complex OIDC integration requirements</li> <li>Your team has existing IRSA expertise</li> <li>You need fine-grained token control</li> </ul> <p><strong>Choose Pod Identity when:</strong></p> <ul> <li>You're using EKS exclusively</li> <li>You want simplified management overhead</li> <li>You're starting new projects from scratch</li> <li>You prefer AWS-native solutions</li> </ul> <p><strong>Migrate from stored credentials when:</strong></p> <ul> <li>You're currently using long-lived access keys</li> <li>You want to improve security posture</li> <li>You need better credential rotation</li> <li>You want to reduce operational overhead</li> </ul> <h2> Conclusion </h2> <p>Modern AWS authorization methods eliminate the security risks and operational complexity of stored credentials in Kubernetes environments. Both IRSA and EKS Pod Identity provide secure, temporary credential access that follows cloud security best practices while integrating seamlessly with Kubernetes workflows.</p> <p>For new EKS projects, Pod Identity offers the simplest path forward with native AWS integration and reduced management overhead. For existing Kubernetes environments or multi-platform requirements, IRSA provides proven reliability and flexibility across different cluster types.</p> <p>The most important step is moving away from stored credentials entirely in your Kubernetes clusters. Choose the modern approach that best fits your team's expertise and infrastructure requirements - both represent significant improvements over traditional credential management and will enhance your cluster's security posture while simplifying operations.</p> aws kubernetes devops infrastructureascode Paweł Swiridow Thu, 18 Sep 2025 08:33:05 +0000 https://dev.to/u11d/configuring-eks-managed-node-groups-to-use-a-proxy-with-terraform-4n8j https://dev.to/u11d/configuring-eks-managed-node-groups-to-use-a-proxy-with-terraform-4n8j <p>In enterprise environments, security and network policies are paramount. It's common practice for servers, including Kubernetes worker nodes, to reside in private subnets with no direct outbound internet access. Instead, all egress traffic must be routed through a centrally managed and monitored HTTP/HTTPS proxy. While this enhances security, it introduces a configuration challenge for services like Amazon EKS, which need to pull container images, communicate with AWS APIs, and perform other bootstrap tasks.</p> <p>When using the popular <a href="https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/" rel="noopener noreferrer"><code>terraform-aws-modules/eks/aws</code></a> module to provision your cluster, you need a reliable, automated way to inject this proxy configuration into your managed node groups. The goal is to ensure that the operating system, the container runtime (<code>containerd</code>), and the Kubernetes components themselves are all proxy-aware from the moment they boot.</p> <p>This article details a robust solution using the <code>cloudinit_pre_nodeadm</code> hook provided by the module to configure your EKS nodes for a proxy environment.</p> <h3> The core challenge: comprehensive proxy awareness </h3> <p>Simply setting <code>HTTP_PROXY</code> and <code>HTTPS_PROXY</code> environment variables is not enough. A modern EKS node, built on the Amazon Linux 2 EKS Optimized AMI, has several key components that must be configured independently:</p> <ol> <li> <strong>The Base Operating System:</strong> For shell sessions and general system utilities.</li> <li> <strong>The Container Runtime (<code>containerd</code>):</strong> This is critical. Without proxy settings, <code>containerd</code> will fail to pull any images from public registries like Docker Hub or even private registries outside the VPC, such as Amazon ECR.</li> <li> <strong>The EKS Bootstrap Process (<code>nodeadm</code>):</strong> The new bootstrapping agent for EKS AMIs needs to communicate with the EKS control plane. This communication should bypass the proxy.</li> <li> <strong>Package Managers (<code>yum</code>):</strong> If you need to install any additional packages as part of your user data, <code>yum</code> must also be configured to use the proxy.</li> </ol> <p>The solution is to use a <code>cloud-init</code> script that runs before the main EKS bootstrapping logic, ensuring the entire environment is correctly configured before any Kubernetes processes are started.</p> <h3> Understanding the bootstrap hook: <code>cloudinit_pre_nodeadm</code> </h3> <p>Before diving into the code, it's essential to understand the mechanism we're using. The name <code>cloudinit_pre_nodeadm</code> breaks down into two key concepts:</p> <ul> <li> <strong><code>cloud-init</code></strong>: This is the de facto industry standard for early-stage initialization of cloud instances. When a new EC2 instance boots for the first time, it runs <code>cloud-init</code>, which executes a series of user-provided instructions (user data) to configure the operating system, install packages, create files, and set up users before the machine is considered fully "ready".</li> <li> <strong><code>nodeadm</code></strong>: Starting with the EKS Optimized Amazon Linux 2023 AMI, <code>nodeadm</code> is the official bootstrap agent responsible for configuring a node and joining it to an EKS cluster. It handles tasks like retrieving cluster certificates, configuring the <code>kubelet</code>, and applying node labels and taints. It has replaced the legacy <code>bootstrap.sh</code> script.</li> </ul> <p>The <code>cloudinit_pre_nodeadm</code> parameter, provided by the <a href="https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/" rel="noopener noreferrer"><code>terraform-aws-modules/eks/aws</code></a> module, is a powerful hook that lets you run a custom <code>cloud-init</code> script at a precise moment: <strong>after basic OS initialization but <em>before</em> the <code>nodeadm</code> service is started.</strong></p> <p>This timing is critical. By executing our script <em>before</em> <code>nodeadm</code>, we ensure that the foundational network environment—including our proxy settings—is already in place. When <code>nodeadm</code>, <code>containerd</code>, and the <code>kubelet</code> eventually start, they inherit the correct configuration from the environment, allowing them to function properly within the restricted network.</p> <h3> The solution: using <code>cloudinit_pre_nodeadm</code> in Terraform </h3> <p>Our solution will pass the Kubernetes service CIDR from our Terraform configuration directly into the user data script. This removes hardcoded values and makes the solution reusable across different clusters.</p> <p>Here is the Terraform code block that implements the complete proxy configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>module <span class="s2">"eks"</span> <span class="o">{</span> <span class="nb">source</span> <span class="o">=</span> <span class="s2">"terraform-aws-modules/eks/aws"</span> version <span class="o">=</span> <span class="s2">"~&gt; 21.0"</span> <span class="c"># Define the service CIDR for the cluster</span> cluster_service_ipv4_cidr <span class="o">=</span> <span class="s2">"10.100.0.0/16"</span> <span class="c"># ... other EKS cluster configuration ...</span> eks_managed_node_groups <span class="o">=</span> <span class="o">{</span> main_nodes <span class="o">=</span> <span class="o">{</span> <span class="c"># ... other node group configuration like instance_types, min_size, etc. ...</span> cloudinit_pre_nodeadm <span class="o">=</span> <span class="o">[</span> <span class="o">{</span> content_type <span class="o">=</span> <span class="s2">"text/x-shellscript"</span> content <span class="o">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> #!/bin/bash set -ex # Define your proxy endpoint PROXY="http://your-proxy-url:3128" # standard proxy port # Use IMDSv2 to securely fetch instance metadata TOKEN=`curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` MAC=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-H</span> <span class="s2">"X-aws-ec2-metadata-token: </span><span class="nv">$TOKEN</span><span class="s2">"</span> http://169.254.169.254/latest/meta-data/mac<span class="si">)</span><span class="sh"> VPC_CIDR=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-H</span> <span class="s2">"X-aws-ec2-metadata-token: </span><span class="nv">$TOKEN</span><span class="s2">"</span> http://169.254.169.254/latest/meta-data/network/interfaces/macs/<span class="nv">$MAC</span>/vpc-ipv4-cidr-blocks | xargs | <span class="nb">tr</span> <span class="s1">' '</span> <span class="s1">','</span><span class="si">)</span><span class="sh"> K8S_SERVICE_CIDR="</span><span class="k">${</span><span class="nv">module</span><span class="p">.eks.cluster_service_ipv4_cidr</span><span class="k">}</span><span class="sh">" # Define your NO_PROXY list. This is critical for internal and AWS service communication. # You might need to add your Pod CIDR as well. NO_PROXY="</span><span class="nv">$VPC_CIDR</span><span class="sh">,</span><span class="nv">$K8S_SERVICE_CIDR</span><span class="sh">,localhost,127.0.0.1,169.254.169.254,.amazonaws.com,.svc.cluster.local,.svc,.cluster.local" # 1. Configure system-wide proxy settings echo "Setting up /etc/environment" cat &lt;&lt; EOF &gt; /etc/environment HTTP_PROXY=</span><span class="nv">$PROXY</span><span class="sh"> HTTPS_PROXY=</span><span class="nv">$PROXY</span><span class="sh"> NO_PROXY=</span><span class="nv">$NO_PROXY</span><span class="sh"> http_proxy=</span><span class="nv">$PROXY</span><span class="sh"> https_proxy=</span><span class="nv">$PROXY</span><span class="sh"> no_proxy=</span><span class="nv">$NO_PROXY</span><span class="sh"> EOF # 2. Configure containerd proxy via systemd override echo "Configuring containerd service" mkdir -p /etc/systemd/system/containerd.service.d cat &lt;&lt; EOF &gt; /etc/systemd/system/containerd.service.d/http-proxy.conf [Service] EnvironmentFile=/etc/environment EOF # 3. Configure nodeadm proxy via systemd override echo "Configuring nodeadm service" mkdir -p /etc/systemd/system/nodeadm.service.d cat &lt;&lt; EOF &gt; /etc/systemd/system/nodeadm.service.d/http-proxy.conf [Service] EnvironmentFile=/etc/environment EOF # 4. Configure yum proxy echo "Configuring yum" echo "proxy=</span><span class="nv">$PROXY</span><span class="sh">" &gt;&gt; /etc/yum.conf # 5. Reload systemd daemon and restart containerd to apply changes echo "Reloading systemd and restarting containerd" systemctl daemon-reload systemctl restart containerd </span><span class="no"> EOT </span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> <span class="o">}</span> <span class="c"># ... other module configuration ...</span> <span class="o">}</span> </code></pre> </div> <h3> Dissecting the script </h3> <p>Let's break down the <code>content</code> of the <code>cloud-init</code> script to understand each step.</p> <ul> <li> <strong><code>set -ex</code></strong>: This is a standard best practice for shell scripting. <code>set -e</code> ensures the script will exit immediately if a command fails, and <code>set -x</code> prints each command before it is executed, providing clear debug output in the system logs.</li> <li> <strong>Fetching metadata with IMDSv2</strong>: The script dynamically fetches the VPC CIDR block directly from the EC2 metadata service. This is crucial for the <code>NO_PROXY</code> variable, ensuring that any traffic destined for other resources within the VPC bypasses the proxy. It uses the more secure IMDSv2 method, which requires a session token.</li> <li> <strong>Defining <code>NO_PROXY</code></strong>: The <code>NO_PROXY</code> variable is just as important as <code>HTTP_PROXY</code>. It specifies a comma-separated list of domains and IP ranges that should <em>not</em> use the proxy. Our list includes: <ul> <li>The dynamically fetched <code>$VPC_CIDR</code> for all internal VPC traffic.</li> <li>The Kubernetes service CIDR passed from module via <code>$K8S_SERVICE_CIDR</code> (e.g., <code>10.100.0.0/16</code>).</li> <li> <code>localhost</code> and the metadata service address (<code>169.254.169.254</code>).</li> <li>Key AWS and Kubernetes service endpoints to ensure direct communication with the control plane and other AWS APIs. Note the addition of <code>.amazonaws.com</code> to ensure services like ECR, S3, and EC2 are accessed directly via VPC Endpoints if they exist.</li> </ul> </li> <li> <strong><code>/etc/environment</code></strong>: This file provides the system-wide environment variables for all users and processes. It's the foundation of our configuration.</li> <li> <strong>Systemd overrides</strong>: The modern, correct way to modify a <code>systemd</code> service like <code>containerd</code> or <code>nodeadm</code> is to create an override file. We create <code>http-proxy.conf</code> for both services. The <code>EnvironmentFile=/etc/environment</code> directive instructs <code>systemd</code> to load all variables from our global configuration file before starting the service. This is cleaner and more maintainable than modifying the main service files directly.</li> <li> <strong><code>yum.conf</code></strong>: A simple line added to <code>/etc/yum.conf</code> makes the package manager proxy-aware.</li> <li> <strong>Reload and restart</strong>: Finally, <code>systemctl daemon-reload</code> forces <code>systemd</code> to re-read its configuration files, and <code>systemctl restart containerd</code> applies the new environment variables to the container runtime immediately. <code>nodeadm</code> will pick up its configuration when it runs shortly after this script completes.</li> </ul> <p>Successfully deploying EKS worker nodes in a network firewalled behind an HTTP proxy is a common enterprise challenge, but it doesn't have to be a complex one. By leveraging the <code>cloudinit_pre_nodeadm</code> hook within the <a href="https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/" rel="noopener noreferrer"><code>terraform-aws-modules/eks/aws</code></a> module, you gain precise control over the node's bootstrap sequence.</p> <p>This method provides a declarative, automated, and robust solution. By injecting a dynamic script that configures the operating system, <code>containerd</code>, and <code>nodeadm</code> <em>before</em> these critical services start, you ensure nodes join the cluster and pull images reliably. This Infrastructure as Code approach not only solves the immediate technical problem but also creates a repeatable, version-controlled pattern for building secure and compliant Kubernetes platforms on AWS.</p> eks terraform devops Paweł Swiridow Wed, 13 Aug 2025 08:47:52 +0000 https://dev.to/u11d/centralized-eks-logging-across-aws-accounts-using-fluent-bit-pod-identity-and-opensearch-2go https://dev.to/u11d/centralized-eks-logging-across-aws-accounts-using-fluent-bit-pod-identity-and-opensearch-2go <p>Centralized log collection is essential in distributed Kubernetes environments. Amazon EKS combined with Fluent Bit offers a lightweight and flexible log forwarding solution. In this guide, we configure Fluent Bit to run on an EKS cluster in one AWS account (Account A) and forward logs to an OpenSearch domain hosted in another account (Account B).</p> <p>We’ll secure the communication using EKS Pod Identity and a cross-account IAM role protected with an <code>external_id</code>. This ensures that no long-lived credentials are exposed and the trust relationship cannot be abused.</p> <h3> <strong>What is Fluent Bit?</strong> </h3> <p><strong>Fluent Bit</strong> is a lightweight, high-performance log processor and forwarder. Designed with efficiency in mind, it’s ideal for environments like Kubernetes, where resource constraints matter. It collects logs from various sources (e.g., files, containers, syslog), applies filtering and transformation, and then routes them to different destinations such as OpenSearch, Elasticsearch, or cloud services.</p> <h3> <strong>What is OpenSearch?</strong> </h3> <p><strong>OpenSearch</strong> is an open-source search and analytics engine derived from Elasticsearch 7.10. It’s developed and maintained by AWS and the community. OpenSearch supports full-text search, distributed indexing, and real-time analytics — making it an excellent backend for log aggregation, monitoring, and observability platforms.</p> <h2> <strong>Architecture overview</strong> </h2> <ul> <li>account A: hosts the EKS cluster and Fluent Bit</li> <li>account B: hosts the OpenSearch domain</li> <li>Fluent Bit pods use a pod identity to assume a cross-account role that grants access to write logs into OpenSearch</li> </ul> <p>To prevent the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html" rel="noopener noreferrer">confused deputy problem</a>, the trust policy in account B includes an <code>external_id</code> that must be known and passed by the caller (Fluent Bit).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fntfyz1v4bkl66i31wc22.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fntfyz1v4bkl66i31wc22.png" alt=" " width="800" height="1426"></a></p> <h2> <strong>Prerequisites</strong> </h2> <ul> <li>EKS cluster deployed in account A with <a href="https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html" rel="noopener noreferrer">Pod Identity Agent</a> installed</li> <li>OpenSearch domain deployed in account B</li> <li>Terraform v1.6+</li> <li>kubectl access to the cluster</li> <li>helm</li> </ul> <h2> <strong>Creating the pod identity role (account A)</strong> </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"log_writer_assuming_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"LogWriterAssumingPolicy"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"sts:AssumeRole"</span><span class="p">,</span> <span class="s2">"sts:TagSession"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::ACCOUNT_B_ID:role/fluentbit-opensearch-writer"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"fluentbit_pod_identity"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks-pod-identity/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.11.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"fluentbit-pod-identity"</span> <span class="nx">additional_policy_arns</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">LogWriterAssumingPolicy</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">log_writer_assuming_policy</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">associations</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">main</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"middlewares"</span> <span class="nx">service_account</span> <span class="p">=</span> <span class="s2">"fluentbit"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The log_writer_assuming_policy is a policy that allows <code>sts:AssumeRole</code> on the cross-account writer role in account B.</p> <p>EKS Pod Identity uses <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html" rel="noopener noreferrer">s</a>ession tags (therefore <code>sts:TagSession</code> action) to pass metadata during the AssumeRole operation — specifically:</p> <ul> <li>Kubernetes namespace</li> <li>Service account name</li> <li>Cluster name</li> </ul> <p>These are passed as session tags when the EKS control plane assumes the IAM role on behalf of the pod. AWS uses those tags internally to enforce the correct <strong>role-to-service-account association</strong>, ensuring that only the intended pods can assume that role.</p> <h2> <strong>Creating the OpenSearch writer role (account B)</strong> </h2> <p>This role trusts only account A to assume it and requires an external ID for additional protection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"trust_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"arn:aws:iam::ACCOUNT_A_ID:role/fluentbit-pod-identity"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringEquals"</span> <span class="nx">variable</span> <span class="p">=</span> <span class="s2">"sts:ExternalId"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"shared-external-id-between-a-and-b-accounts"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"fluentbit_writer"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"fluentbit-opensearch-writer"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">trust_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> </code></pre> </div> <h3> <strong>Attaching OpenSearch permissions</strong> </h3> <p>This policy grants Fluent Bit permission to write to the OpenSearch domain (cluster):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"write_to_opensearch"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"opensearch-write-access"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"es:ESHttpPost"</span><span class="p">,</span> <span class="s2">"es:ESHttpPut"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:es:AWS_REGION:ACCOUNT_B_ID:domain/OPENSEARCH_DOMAIN_NAME/*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"attach_writer_policy"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">fluentbit_writer</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">write_to_opensearch</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <h2> <strong>Deploying Fluent Bit on EKS with helm</strong> </h2> <p>We use the official Helm chart from the <a href="https://github.com/aws/eks-charts" rel="noopener noreferrer"><code>eks-charts</code></a> repo. It supports pod identity and AWS-signed requests to OpenSearch.</p> <p>Make sure the IAM role from account B is correctly assumed by Fluent Bit using the pod identity role from account A. Also, pass the external ID as a Helm value. Remember that AWS_Role_ARN has to be an ARN of role in account B. Service account name should be the same as we set up in <code>fluentbit_pod_identity</code> module.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add eks-charts https://aws.github.io/eks-charts helm repo update helm upgrade <span class="nt">--install</span> fluentbit eks-charts/aws-for-fluent-bit <span class="se">\</span> <span class="nt">--namespace</span> middlewares <span class="se">\</span> <span class="nt">--create-namespace</span> <span class="se">\</span> <span class="nt">--set</span> serviceAccount.name<span class="o">=</span><span class="s2">"fluentbit-service-account-name"</span> <span class="se">\</span> <span class="nt">--set</span> output.opensearch.enabled<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> output.opensearch.host<span class="o">=</span><span class="s2">"vpc-my-domain.region.es.amazonaws.com"</span> <span class="se">\</span> <span class="nt">--set</span> output.opensearch.port<span class="o">=</span>443 <span class="se">\</span> <span class="nt">--set</span> output.opensearch.awsAuth<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> output.opensearch.awsExternalId<span class="o">=</span><span class="s2">"shared-external-id-between-a-and-b-accounts"</span> <span class="se">\</span> <span class="nt">--set</span> output.opensearch.AWS_Role_ARN<span class="o">=</span><span class="s2">"arn:aws:iam::ACCOUNT_B_ID:role/fluentbit-opensearch-writer"</span> <span class="se">\</span> <span class="nt">--set</span> output.opensearch.index<span class="o">=</span><span class="s2">"index-name"</span> <span class="se">\</span> <span class="nt">--set</span> output.opensearch.type<span class="o">=</span><span class="s2">"_doc"</span> </code></pre> </div> <h2> <strong>Verifying the setup</strong> </h2> <p>Check the logs of the Fluent Bit pods:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs <span class="nt">-n</span> middlewares <span class="nt">-l</span> app.kubernetes.io/name<span class="o">=</span>fluentbit </code></pre> </div> <p>You should see lines indicating successful writes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span> info] <span class="o">[</span>output:es:es.0] HTTP <span class="nv">status</span><span class="o">=</span>200 </code></pre> </div> <p>You can also search in the OpenSearch dashboard to confirm logs are being indexed in eks-logs.</p> <h2> <strong>Conclusion</strong> </h2> <p>This setup allows Fluent Bit to securely ship logs from EKS in account A to OpenSearch in account B. By using EKS Pod Identity and a cross-account IAM role with an external ID, we avoid exposing secrets while still maintaining a strong trust boundary.</p> <p>This architecture is well-suited for multi-account environments and aligns with AWS best practices for identity and access control.</p>