Difference between revisions of "Configuring a Kubernetes service account to assume an IAM role"
(7 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
* https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html | * https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html | ||
+ | |||
+ | Poliy -> SA-OIDC -> Role | ||
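Review bot: "Poliy" on the added line is a typo for "Policy", and the arrow chain does not say what the three pieces are or which one binds to which; suggest spelling it out on the same line, e.g. "Policy -> SA-OIDC -> Role: a permissions policy is attached to the role, the role's trust policy names the cluster's IAM OIDC provider and one service account as subject, and that service account is annotated with the role ARN".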
Line 16: | Line 18: | ||
"StringEquals": { | "StringEquals": { | ||
"$oidc_provider:aud": "[[sts.amazonaws.com]]", | "$oidc_provider:aud": "[[sts.amazonaws.com]]", | ||
− | "$oidc_provider:sub": "system:serviceaccount:$namespace:$service_account" | + | "$oidc_provider:sub": "[[system:serviceaccount]]:$namespace:$service_account" |
} | } | ||
} | } | ||
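Review bot: the wikilink brackets added around `system:serviceaccount` sit inside a JSON string value, so unless the block is in `<pre>` or `<syntaxhighlight>` the rendered trust policy reads `"[[system:serviceaccount]]:$namespace:$service_account"` and anyone copying it gets a `sub` condition that never matches; keep the value literal and link the term from the prose instead. The `StringEquals` on both `$oidc_provider:aud` and `$oidc_provider:sub` is correct as written and is what scopes the role to exactly one service account in one namespace, so it should not be relaxed to `StringLike` with a wildcard subject.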
Line 24: | Line 26: | ||
EOF | EOF | ||
− | [[aws iam create-role --role-name]] | + | [[aws iam create-role --role-name]] [[yourIAMRoleName]] [[--assume-role-policy-document]] file://[[trust-relationship.json]] --description "my-trust-relationship-role-description" |
[[kubectl describe serviceaccount]] | [[kubectl describe serviceaccount]] | ||
[[Creating an IAM OIDC provider for your EKS cluster]] | [[Creating an IAM OIDC provider for your EKS cluster]] | ||
+ | [[Terraform Kubernetes resource: kubernetes service account]] | ||
+ | * [[TOI: EKS cluster discovery using STS AssumeRoles (Without AWS CLI)]] | ||
== See also == | == See also == |
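Review bot: the completed `aws iam create-role ... --assume-role-policy-document file://trust-relationship.json` line is the right shape, but `$account_id`, `$oidc_provider`, `$namespace` and `$service_account` have to be set before the heredoc that ends at `EOF`, since an unquoted `<<EOF` expands them and otherwise writes empty strings into `trust-relationship.json`; a one-line reminder above the `cat` would save readers a confusing `AccessDenied`. The hunk also jumps from creating the role straight to `kubectl describe serviceaccount` without the two steps in between: attaching a permissions policy to the role (`aws iam attach-role-policy`) and annotating the service account with `eks.amazonaws.com/role-arn`; without the annotation no projected token is injected into the pod and the `describe` output has nothing to show.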
Latest revision as of 14:51, 31 October 2023
Policy -> SA-OIDC -> Role: a permissions policy is attached to the IAM role, the role's trust policy accepts web-identity tokens from the cluster's IAM OIDC provider for exactly one service account subject, and that service account is annotated with the role ARN so its pods receive a projected token they can exchange with STS.
cat >trust-relationship.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::$account_id:oidc-provider/$oidc_provider"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "$oidc_provider:aud": "sts.amazonaws.com",
          "$oidc_provider:sub": "system:serviceaccount:$namespace:$service_account"
        }
      }
    }
  ]
}
EOF
aws iam create-role --role-name yourIAMRoleName --assume-role-policy-document file://trust-relationship.json --description "my-trust-relationship-role-description"
kubectl describe serviceaccount

Creating an IAM OIDC provider for your EKS cluster

Terraform Kubernetes resource: kubernetes service account
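The procedure above (build the trust policy, create the role, bind the service account) as one script. This is an added example, not code from this wiki page or from the AWS documentation it links: the function names `make_trust_policy`, `oidc_provider_from_issuer`, `trust_policy_is_scoped` and `irsa_setup` are chosen here, the account id `111122223333`, provider path, namespace `prod`, service account `app` and role name `app-reader` are placeholders, and `trust_policy_is_scoped` is a local text check on the generated document, not an AWS API. The AWS CLI and kubectl commands are the documented ones; only `irsa_setup` needs cluster access, and it runs only when the script is invoked with `setup`.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki page): IRSA wiring for one service account.
# Placeholders (assumed, not from the page): account 111122223333, namespace prod,
# service account app, role app-reader.
set -eu

# Emit the trust policy that lets exactly one service account assume the role.
# $1 account id, $2 OIDC provider path without https://, $3 namespace, $4 service account.
# The unquoted heredoc expands the variables, so they must be set before the cat.
make_trust_policy() {
  local account_id=$1 oidc_provider=$2 namespace=$3 service_account=$4
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${oidc_provider}:aud": "sts.amazonaws.com",
          "${oidc_provider}:sub": "system:serviceaccount:${namespace}:${service_account}"
        }
      }
    }
  ]
}
EOF
}

# The cluster reports its issuer as https://oidc.eks.<region>.amazonaws.com/id/<ID>;
# the IAM provider ARN and the condition keys use that URL without the scheme.
oidc_provider_from_issuer() {
  local issuer=$1
  printf '%s\n' "${issuer#https://}"
}

# Local sanity check (not an AWS API): the policy must use StringEquals and pin
# one concrete namespace:serviceaccount subject. A missing sub condition or a
# wildcard subject would let every service account in the cluster assume the role.
trust_policy_is_scoped() {
  local policy=$1
  printf '%s' "$policy" | grep -q '"StringEquals"' || return 1
  printf '%s' "$policy" | grep -q ':sub": "system:serviceaccount:[^:*"]*:[^:*"]*"' || return 1
  return 0
}

# End to end: needs aws, kubectl and cluster access. Not run unless invoked with "setup".
# $1 cluster name, $2 namespace, $3 service account, $4 role name, $5 permissions policy ARN.
irsa_setup() {
  local cluster=$1 namespace=$2 service_account=$3 role_name=$4 policy_arn=$5
  local account_id issuer oidc_provider policy
  account_id=$(aws sts get-caller-identity --query Account --output text)
  issuer=$(aws eks describe-cluster --name "$cluster" \
             --query "cluster.identity.oidc.issuer" --output text)
  oidc_provider=$(oidc_provider_from_issuer "$issuer")
  policy=$(make_trust_policy "$account_id" "$oidc_provider" "$namespace" "$service_account")
  trust_policy_is_scoped "$policy" || { echo "refusing to create an unscoped trust policy" >&2; return 1; }
  printf '%s\n' "$policy" > trust-relationship.json
  # 1. Role that trusts the cluster OIDC provider for this one subject.
  aws iam create-role --role-name "$role_name" \
    --assume-role-policy-document file://trust-relationship.json
  # 2. Permissions the pods will actually get.
  aws iam attach-role-policy --role-name "$role_name" --policy-arn "$policy_arn"
  # 3. Service account annotated with the role ARN; the EKS pod identity webhook
  #    injects the projected token and AWS_ROLE_ARN into pods using it.
  kubectl create serviceaccount "$service_account" -n "$namespace" \
    --dry-run=client -o yaml | kubectl apply -f -
  kubectl annotate serviceaccount "$service_account" -n "$namespace" --overwrite \
    "eks.amazonaws.com/role-arn=arn:aws:iam::${account_id}:role/${role_name}"
  kubectl describe serviceaccount "$service_account" -n "$namespace"
}

if [ "${1:-}" = "setup" ]; then
  shift
  irsa_setup "$@"
fi
```

Usage, with placeholder values: `bash irsa.sh setup my-cluster prod app app-reader arn:aws:iam::111122223333:policy/app-reader`. The scoping check runs before anything is created, so a policy that lost its `sub` condition (or picked up a `StringLike` wildcard) never reaches `create-role`; after the annotation step, a pod using the service account should show `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` in its environment.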
See also

- EKS: IRSA, Module: ebs_csi_irsa_role, enable_irsa
- OIDC, kubectl oidc-login, AWS IAM OIDC, EKS OIDC, EKS module, aws iam list-open-id-connect-providers | aws iam create-open-id-connect-provider | aws iam get-open-id-connect-provider, OIDC tokens, aws_lb_listener_rule
- AWS EKS: AWS::EKS, aws eks [ create-cluster | list-clusters | describe-cluster | update-kubeconfig | list-updates | list-addons | update-cluster-version | update-nodegroup-version | get-token | create-addon ]