0

I'm running a container on EKS in account A and need to write to a Kinesis stream (Firehose) in another account (account B).

I'm using boto3; when running locally I use the IAM user credentials set with aws configure.

But when deployed to EKS it's unable to write to that stream because it can't find it. I suspect that I need to somehow set up an IAM role on account A and use it in EKS on account B, but I just can't find a way.

Any help will be great...

import boto3

# kinesis_stream_name and records are set elsewhere in the class this was taken from
client = boto3.client('firehose')
client.put_record_batch(DeliveryStreamName=self.kinesis_stream_name, Records=records)
ElinN

1 Answer

0
  • You would need to enable cross-account permission between account A (Kinesis) and B (EKS) in AWS. Create an IAM role to access Kinesis.

  • Cross Account Permissions AWS

  • So when your container hosts (EC2 instances) get the instance profile from the above-created cross-account IAM role, your containers will be able to access account A (Kinesis). Look here

  • Go to IAM -> Roles -> ecsInstanceRole ---> now update this role with your newly created policies. ecsInstanceRole is a default role created for all EKS container instances (spot or on-demand); refer.

  • After adding the roles, add the assume-role API call too in your logic so that the containers will assume the role for Kinesis in the other account.

  • Boto example from the AWS docs:

import boto3

# Create an STS client using the default credential provider chain
# (on EC2/EKS this is the instance profile or pod identity)
sts_default_provider_chain = boto3.client('sts')

print('Default Provider Identity: : ' + sts_default_provider_chain.get_caller_identity()['Arn'])

# Role in the other account that trusts the caller's identity
role_to_assume_arn='arn:aws:iam::123456789012:role/roleName'
role_session_name='test_session'

# Exchange the caller's credentials for temporary credentials of the target role
response=sts_default_provider_chain.assume_role(
    RoleArn=role_to_assume_arn,
    RoleSessionName=role_session_name
)

creds=response['Credentials']

# Build a client that authenticates with the temporary credentials
sts_assumed_role = boto3.client('sts',
    aws_access_key_id=creds['AccessKeyId'],
    aws_secret_access_key=creds['SecretAccessKey'],
    aws_session_token=creds['SessionToken'],
)

print('AssumedRole Identity: ' + sts_assumed_role.get_caller_identity()['Arn'])

  • For an end-to-end example see , and just replace the roles accordingly (in your case ecsInstanceRole would be updated, instead of a new role)

PS: Also, just to test, you could use the actual programmatic-access Access + Secret Keys for AWS account A in your boto3 API calls. But this is not at all recommended.

sanster_23
  • Thanks, I've created cross-account permissions. But I don't understand how to assign the role to the EKS. My EKS is running on spot instances; do I need dedicated code to read the temporary password from the instance metadata? – ElinN Aug 04 '19 at 10:28
  • @ElinN Go to IAM -> Roles -> `ecsInstanceRole` ---> now update this role with your newly created policies. `ecsInstanceRole` is a default role created for all EKS container instances (spot or on-demand). [refer](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html) – sanster_23 Aug 04 '19 at 10:58
  • @sanster_23 still didn't work. Just for sanity I've set user role credentials as env variables in the pod configuration and it worked. Also the policy I've set in the EKS instance role is: { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam:::role/access-stream" } } – ElinN Aug 05 '19 at 08:30
  • @ElinN after you add the roles I think you will have to add the assume-role API call too in your logic before it works [boto example](https://docs.aws.amazon.com/code-samples/latest/catalog/python-sts-assume_role.py.html) and for an end-to-end example follow this [aws doc](https://aws.amazon.com/premiumsupport/knowledge-center/s3-instance-access-bucket/), just replace the roles accordingly (in your case `ecsInstanceRole` would be updated, instead of a new role) – sanster_23 Aug 05 '19 at 14:46
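The assume-role step the answer describes, carried through to the Firehose write, as an added example that is not code from the thread or from the AWS docs. It assumes the layout of the question: EKS in account A, the delivery stream in account B. The account numbers, role names, stream ARN, region and ExternalId are constructed placeholders. It goes beyond the answer's STS snippet in three ways: it shows both policy documents the setup needs (the trust policy on the account-B role naming the account-A role as principal, and the permission policies on each side, both with a full ARN including the account id), it re-assumes the role before the temporary credentials expire, and it checks `FailedPutCount`, because `PutRecordBatch` can return success while individual records fail.

```python
from datetime import datetime, timedelta, timezone

# Constructed identifiers for this example (not from the original thread).
NODE_ROLE_ARN = "arn:aws:iam::111111111111:role/eks-node-role"      # account A (EKS)
STREAM_ROLE_ARN = "arn:aws:iam::222222222222:role/access-stream"    # account B (Firehose)
STREAM_ARN = "arn:aws:firehose:us-east-1:222222222222:deliverystream/access-stream"
MAX_BATCH = 500  # PutRecordBatch accepts at most 500 records per call


def trust_policy(trusted_principal_arn, external_id=None):
    """Trust policy on the account-B role: only the named account-A role may
    assume it, optionally gated on an ExternalId condition."""
    statement = {"Effect": "Allow",
                 "Principal": {"AWS": trusted_principal_arn},
                 "Action": "sts:AssumeRole"}
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def stream_write_policy(stream_arn):
    """Permission policy on the account-B role: write calls only, this stream only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["firehose:PutRecord", "firehose:PutRecordBatch"],
        "Resource": stream_arn}]}


def assume_role_policy(target_role_arn):
    """Permission policy on the account-A node (or pod) role: may assume exactly one role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}]}


class CrossAccountFirehoseWriter:
    """Assumes the account-B role, builds a Firehose client from the temporary
    credentials, and re-assumes the role before they expire."""

    def __init__(self, role_arn, stream_name, region, sts_client, client_factory,
                 external_id=None, session_name="eks-firehose-writer",
                 refresh_margin=timedelta(minutes=5)):
        self._role_arn = role_arn
        self._stream = stream_name
        self._region = region
        self._sts = sts_client          # e.g. boto3.client("sts"): the node/pod identity
        self._factory = client_factory  # e.g. boto3.client
        self._external_id = external_id
        self._session_name = session_name
        self._margin = refresh_margin
        self._firehose = None
        self._expiry = None
        self.assume_calls = 0           # exposed so refresh behaviour can be checked

    def _credentials_valid(self):
        return (self._firehose is not None
                and datetime.now(timezone.utc) < self._expiry - self._margin)

    def _refresh(self):
        kwargs = {"RoleArn": self._role_arn, "RoleSessionName": self._session_name,
                  "DurationSeconds": 3600}
        if self._external_id:
            kwargs["ExternalId"] = self._external_id
        creds = self._sts.assume_role(**kwargs)["Credentials"]
        self._expiry = creds["Expiration"]  # boto3 returns a timezone-aware datetime
        self._firehose = self._factory(
            "firehose", region_name=self._region,
            aws_access_key_id=creds["AccessKeyId"],
            aws_secret_access_key=creds["SecretAccessKey"],
            aws_session_token=creds["SessionToken"])
        self.assume_calls += 1

    def put_records(self, payloads):
        """Send byte payloads in batches of MAX_BATCH and return the payloads
        Firehose rejected, so the caller can retry just those."""
        if not self._credentials_valid():
            self._refresh()
        rejected = []
        for start in range(0, len(payloads), MAX_BATCH):
            chunk = payloads[start:start + MAX_BATCH]
            resp = self._firehose.put_record_batch(
                DeliveryStreamName=self._stream, Records=[{"Data": p} for p in chunk])
            if resp.get("FailedPutCount", 0):
                for payload, result in zip(chunk, resp["RequestResponses"]):
                    if "ErrorCode" in result:
                        rejected.append(payload)
        return rejected


if __name__ == "__main__":
    import boto3  # only needed for a real run on the cluster
    writer = CrossAccountFirehoseWriter(STREAM_ROLE_ARN, "access-stream", "us-east-1",
                                        boto3.client("sts"), boto3.client)
    print("rejected:", writer.put_records([b'{"event":"hello"}\n']))
```

On EKS the `sts_client` carries whatever identity the pod presents: the node instance role, as in the thread, or an IAM role bound to the pod's service account (IAM roles for service accounts). The latter is the tighter choice, since only this workload, rather than every pod scheduled on the node, is then allowed to assume the stream role. Nothing in the pod needs the account-B keys; the only long-lived grant is the `sts:AssumeRole` permission on one role ARN.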