DEV Community

Sampath Karan

EKS Pod Identity AddOns

EKS recently introduced a new addon, EKS Pod Identity. Until now, a pod that needed to call other AWS services used IAM Roles for Service Accounts (IRSA): the IAM role ARN is annotated on the Kubernetes service account, the pod receives a projected service account token, and the AWS SDK exchanges that token for role credentials with sts:AssumeRoleWithWebIdentity. This requires the cluster's OIDC provider to be registered in IAM and referenced in every role's trust policy. With the Pod Identity addon the mapping of namespace plus service account to IAM role is stored as an association in EKS itself, the role only needs to trust the pods.eks.amazonaws.com service principal, and the eks-pod-identity-agent running on every node serves the temporary credentials to the pod over a link-local endpoint. The permissions stay as granular as before (one role per service account), but the role is reusable across clusters and no per-cluster OIDC provider is needed.

You can install the addon and verify that it has been added to the cluster:

```
aws eks --region ap-south-1 list-addons --cluster-name demo

{
    "addons": [
        "coredns",
        "eks-pod-identity-agent",
        "kube-proxy",
        "vpc-cni"
    ]
}
```

You can verify that the addon is running as a DaemonSet in the cluster (one agent pod per node):

```
kubectl get daemonset -A

NAMESPACE     NAME                     DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
kube-system   aws-node                 2         2         2       2            2           <none>          51m
kube-system   eks-pod-identity-agent   2         2         2       2            2           <none>          48m
kube-system   kube-proxy               2         2         2       2            2           <none>          51m
```

Let us break this down and see exactly how it works: we will access an S3 bucket from a pod using Pod Identity.

Step 1. Create a test S3 bucket named test-884.
Step 2. Create an IAM role named pod-identity-s3-demo; for the trusted entity choose the EKS service and the EKS - Pod Identity use case.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8fwfyfwcs6tn5hqdnzqc.png)
Step 3. Click Next and you will see the trust policy that was added to the role: it allows the pods.eks.amazonaws.com service principal to call sts:AssumeRole and sts:TagSession (the agent tags each session with the cluster, namespace and service account it was issued for).
Step 4. Click Next and create the role.
Step 5. After creating the role, add an inline policy scoped to the bucket, as below. Note that it grants only s3:GetObject on objects under test-884; it does not grant s3:ListBucket, so listing the bucket from the pod will be denied even though reading individual objects works.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:GetObject",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::test-884/*",
      "Sid": "PodIdentity"
    }
  ]
}
```

Step 6. Now associate the IAM role with the pod's service account by creating a Pod Identity association: navigate to the EKS cluster, open the Access tab, and create the association there.

Step 7. Specify the existing namespace and service account that the role should be bound to, and select the IAM role created above.

Step 8. Finally, create a pod that uses that service account. EKS injects the agent's credential endpoint into the pod at creation time (existing pods must be recreated after the association is made), and the pod receives temporary credentials for the role, giving it read access to the S3 bucket.
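The same procedure driven from the AWS CLI and kubectl instead of the console, as an added example that is not part of the original post. The role name, bucket, region and cluster match the post; the namespace, service account name, pod name and container image are assumptions chosen for this example. The real AWS and kubectl calls run only when the script is invoked with `apply`, so the policy and manifest generators can be inspected without touching an account.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumed values: NAMESPACE,
# SERVICE_ACCOUNT, POD_NAME and the AWS CLI container image.
set -euo pipefail

REGION="${REGION:-ap-south-1}"
CLUSTER="${CLUSTER:-demo}"
ROLE_NAME="${ROLE_NAME:-pod-identity-s3-demo}"
BUCKET="${BUCKET:-test-884}"
NAMESPACE="${NAMESPACE:-default}"                 # assumed
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-s3-reader}"   # assumed
POD_NAME="${POD_NAME:-s3-reader-test}"            # assumed

# Trust policy for a Pod Identity role (Steps 2-3): only the EKS Pod Identity
# service principal may assume it. sts:TagSession is required because the agent
# tags each session with the cluster, namespace and service account.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEksPodIdentity",
      "Effect": "Allow",
      "Principal": { "Service": "pods.eks.amazonaws.com" },
      "Action": ["sts:AssumeRole", "sts:TagSession"]
    }
  ]
}
EOF
}

# Permissions policy (Step 5): read objects from one bucket only.
# s3:GetObject alone does not allow listing, so "aws s3 ls" is denied by design.
permissions_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PodIdentity",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${BUCKET}/*"
    }
  ]
}
EOF
}

# Test pod (Step 8) running the official AWS CLI image under the service account.
pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${POD_NAME}
  namespace: ${NAMESPACE}
spec:
  serviceAccountName: ${SERVICE_ACCOUNT}
  containers:
    - name: awscli
      image: public.ecr.aws/aws-cli/aws-cli:latest
      command: ["sleep", "infinity"]
EOF
}

# Only invoke AWS and kubectl when explicitly asked: ./pod-identity.sh apply
if [ "${1:-}" = "apply" ]; then
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name PodIdentityS3Read --policy-document "$(permissions_policy)"
  ROLE_ARN=$(aws iam get-role --role-name "$ROLE_NAME" --query Role.Arn --output text)

  # Steps 6-7: bind the role to namespace + service account; no OIDC provider needed.
  aws eks create-pod-identity-association --region "$REGION" --cluster-name "$CLUSTER" \
    --namespace "$NAMESPACE" --service-account "$SERVICE_ACCOUNT" --role-arn "$ROLE_ARN"

  # Step 8: the pod must be created after the association exists, because the
  # credential endpoint is injected only at pod creation.
  kubectl create serviceaccount "$SERVICE_ACCOUNT" -n "$NAMESPACE"
  pod_manifest | kubectl apply -f -
  kubectl wait --for=condition=Ready "pod/${POD_NAME}" -n "$NAMESPACE" --timeout=120s

  # Verify: the agent endpoint is wired in via AWS_CONTAINER_* env vars and STS
  # reports the assumed role. The listing call is expected to fail with AccessDenied.
  kubectl exec -n "$NAMESPACE" "$POD_NAME" -- env | grep '^AWS_CONTAINER_'
  kubectl exec -n "$NAMESPACE" "$POD_NAME" -- aws sts get-caller-identity
  kubectl exec -n "$NAMESPACE" "$POD_NAME" -- aws s3 ls "s3://${BUCKET}" || true
fi
```

Two things worth checking when this does not work: the pod must have been created after the association (look for `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` in the pod's environment), and the application's AWS SDK must be recent enough to support the container credential provider with a token file, otherwise it will fall back to the node's instance profile or fail to find credentials.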

Top comments (1)

Secure Spend

wowww