Configuring a Kubernetes service account to assume an IAM role
Jump to navigation
Jump to search
cat >trust-relationship.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::$account_id:oidc-provider/$oidc_provider"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"$oidc_provider:aud": "sts.amazonaws.com",
"$oidc_provider:sub": "system:serviceaccount:$namespace:$service_account"
}
}
}
]
}
EOF
aws iam create-role --role-name my-role --assume-role-policy-document file://trust-relationship.json --description "my-role-description"
kubectl describe serviceaccount Creating an IAM OIDC provider for your EKS cluster
See also
- EKS: IRSA, Module:
ebs_csi_irsa_role,enable_irsa - OIDC,
kubectl oidc-login, AWS IAM OIDC, EKS OIDC, EKS module,aws iam list-open-id-connect-providers | aws iam create-open-id-connect-provider | aws iam get-open-id-connect-provider, OIDC tokens,aws_lb_listener_rule - AWS EKS:
AWS::EKS,aws eks [ create-cluster | list-clusters|describe-cluster|update-kubeconfig | list-updates | list-addons | update-cluster-version | update-nodegroup-version | get-token | create-addon ]
Advertising:
