
I have a cluster in one of my aws accounts (account id 11111) and a kubernetes service account called "my-sa" in this cluster. In another aws account (account id 22222), I have an IAM policy to read a dynamodb table and this policy is attached to an IAM role called "ReadDynamoDBRole". I have given this IAM role a trust policy that allows the service account "my-sa" from account id 11111, using the oidc issuer id. (Ref)

IAM Policy "ReadDynamoDB" in account 22222:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:Query"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:22222:table/my-dynamodb-table"
            ]
        }
    ]
}

IAM Role "ReadDynamoDBRole" in account 22222:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::11111:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/1234567789008765544342"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.us-east-1.amazonaws.com/id/1234567789008765544342:aud": "sts.amazonaws.com",
                    "oidc.eks.us-east-1.amazonaws.com/id/1234567789008765544342:sub": "system:serviceaccount:us-east-1:my-sa"
                }
            }
        }
    ]
}

This IAM Role "ReadDynamoDBRole" is associated with the policy "ReadDynamoDB".

Now, in my account 11111, I have added an annotation to "my-sa" to use the role from account 22222.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::22222:role/ReadDynamoDBRole

Now that I have this setup, I am trying to test that this works from a pod in the cluster in account 11111. This pod is attached to the service account "my-sa", so I assume all services running in this pod will be running as the service account "my-sa".

I tried to spin up a busybox pod inside the cluster and tried to use the aws-cli to query the dynamodb table. But unfortunately I have some networking restrictions that prevent installing aws-cli inside the cluster.

Is there any other way to test whether this setup will work? Is there a way to log in to the aws-cli using the service account (maybe by generating a service account token) and try the query?

davidbilla

0 Answers
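Added example (not part of the question or any answer): IRSA works by having the EKS pod-identity webhook mount a projected OIDC token into the pod and set the `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` environment variables; the `AssumeRoleWithWebIdentity` call itself is an unsigned HTTPS POST, so no aws-cli or credentials are needed to exercise it. The script below uses only the Python standard library, so it assumes the test pod runs an image that ships python3 (busybox does not). It decodes the projected token's claims, compares the `iss`, `aud` and `sub` claims against the trust policy from the question (embedded as `TRUST_POLICY`), reports any mismatch before touching the network, and then calls STS directly. `make_unsigned_test_token` is a hypothetical helper that only builds constructed test data; a real projected token is signed by the cluster's OIDC issuer and verified by STS.

```python
"""Inspect an IRSA-projected token and call STS without the aws-cli.

Added example, not code from the question. Assumes the pod runs an image
with python3 and that the EKS pod-identity webhook has injected
AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE. Standard library only.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Trust policy of ReadDynamoDBRole exactly as given in the question (account 22222).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::11111:oidc-provider/"
                      "oidc.eks.us-east-1.amazonaws.com/id/1234567789008765544342"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            "oidc.eks.us-east-1.amazonaws.com/id/1234567789008765544342:aud": "sts.amazonaws.com",
            "oidc.eks.us-east-1.amazonaws.com/id/1234567789008765544342:sub": "system:serviceaccount:us-east-1:my-sa",
        }},
    }],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_test_token(claims: dict) -> str:
    """Hypothetical helper: JWT-shaped string with a dummy signature (constructed test data only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying it; STS does the verification."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def trust_policy_mismatches(policy: dict, claims: dict) -> list:
    """List every way the token fails the policy's Federated principal and
    StringEquals conditions; an empty list means STS should accept the token."""
    problems = []
    iss = str(claims.get("iss", "")).replace("https://", "")
    for stmt in policy["Statement"]:
        # The Federated principal ARN ends with the OIDC issuer the role trusts.
        issuer = stmt["Principal"]["Federated"].split("oidc-provider/", 1)[-1]
        if issuer != iss:
            problems.append(f"iss: policy trusts {issuer!r}, token issued by {iss!r}")
        for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
            claim = key.rsplit(":", 1)[-1]  # "<issuer>:sub" -> "sub"
            actual = claims.get(claim)
            # Kubernetes emits aud as a list; single-valued claims such as sub are strings.
            values = actual if isinstance(actual, list) else [actual]
            if expected not in values:
                problems.append(f"{claim}: policy expects {expected!r}, token has {actual!r}")
    return problems


def assume_role_with_web_identity(role_arn: str, token: str, session_name: str = "irsa-test") -> str:
    """POST AssumeRoleWithWebIdentity to STS; the call is unsigned, so no credentials are needed.
    Returns the raw XML response: temporary credentials on success, an Error element otherwise."""
    body = urllib.parse.urlencode({
        "Action": "AssumeRoleWithWebIdentity", "Version": "2011-06-15",
        "RoleArn": role_arn, "RoleSessionName": session_name,
        "WebIdentityToken": token,
    }).encode()
    req = urllib.request.Request("https://sts.amazonaws.com/", data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Inside the pod: check the projected token against the trust policy, then call STS.
    role_arn = os.environ["AWS_ROLE_ARN"]
    with open(os.environ["AWS_WEB_IDENTITY_TOKEN_FILE"]) as f:
        token = f.read()
    for problem in trust_policy_mismatches(TRUST_POLICY, decode_jwt_claims(token)):
        print("trust policy mismatch:", problem)
    print(assume_role_with_web_identity(role_arn, token))
```

Run it as `python3 irsa_check.py` from a pod that uses the `my-sa` service account. If the environment variables are missing, the webhook did not inject the role (check the annotation on the service account and that the pod was created after it); if the claim comparison reports a `sub` mismatch, the namespace in the trust policy's `sub` condition does not match the namespace the pod actually runs in; if the claims match but STS returns an `AccessDenied` error, the OIDC provider in account 22222 or the role's trust relationship is the next thing to check.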