0

I am trying out the capability where 2 pods deployed to the same worker node in EKS are associated to different service accounts. Below are the steps

  • Each service account is associated to a different role one with access to SQS and other without access.
  • Used eksutil to associate OIDC provider with cluster and also created iamserviceaccount with service account in kubernetes and role with policy for accessing SQS attached (implicit annotation of service account with IAM role provided by eksctl create iamserviceaccount).

But when I try to start the pod which has service account tied to role with SQS access, I am getting access denied for SQS, however if I add SQS permissions to worker node instance role, its working fine.

Am I missing any steps and is my understanding correct?

Jonas
  • 121,568
  • 97
  • 310
  • 388
rajesh kumar
  • 121
  • 1
  • 13

1 Answers1

3

So, there are a few things required to get IRSA to work:

  1. There has to be an OIDC provider associated with the cluster, following the directions here.
  2. The IAM role has to have a trust relationship with the OIDC provider, as defined in the AWS CLI example here.
  3. The service account must be annotated with a matching eks.amazonaws.com/role-arn.
  4. The pod must have the appropriate service account specified with a serviceAccountName in its spec, as per the API docs.
  5. The SDK for the app needs to support the AssumeRoleWithWebIdentity API call. Weirdly, the aws-sdk-go-v2 SDK doesn't currently support it at all (the "old" aws-sdk-go does).

It's working with the node role because one of the requirements above isn't met, meaning the credential chain "falls through" to the underlying node role.

asthasr
  • 9,125
  • 1
  • 29
  • 43
  • @asthsr I believe point 1 is taken care by ekstcl utils associate oidc api call ,2 and 3 are taken care by eksctl create iamserviceaccount. As with point 4, I use java sdk – rajesh kumar Dec 02 '19 at 09:28
  • Manually verify all of the steps you are using `eksctl` for. Make sure your pod has a `serviceAccountName` specified. Make sure your Java SDK [meets the minimum version requirement](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html). – asthasr Dec 02 '19 at 09:58
  • you are right. It was indeed the java sdk issue. I was using 1.11.573.It worked once i upgraded the version. – rajesh kumar Dec 04 '19 at 06:28
  • 1
    @asthasr THANKS. I couldn't create iamserviceaccount with eksctl because eks cluster was not created with eksctl. only your post and specifically point 3 did the trick. I wasn't able to found that information anywhere – RuBiCK Jan 08 '21 at 19:13