We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.
If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”
Customize cookie preferences
We use cookies and similar tools (collectively, "cookies") for the following purposes.
Essential
Essential cookies are necessary to provide our site and services and cannot be deactivated. They are usually set in response to your actions on the site, such as setting your privacy preferences, signing in, or filling in forms.
Performance
Performance cookies provide anonymous statistics about how customers navigate our site so we can improve site experience and performance. Approved third parties may perform analytics on our behalf, but they cannot use the data for their own purposes.
Allowed
Functional
Functional cookies help us provide useful site features, remember your preferences, and display relevant content. Approved third parties may set these cookies to provide certain site features. If you do not allow these cookies, then some or all of these services may not function properly.
Allowed
Advertising
Advertising cookies may be set through our site by us or our advertising partners and help us deliver relevant marketing content. If you do not allow these cookies, you will experience less relevant advertising.
Allowed
Blocking some types of cookies may impact your experience of our sites. You may review and change your choices at any time by selecting Cookie preferences in the footer of this site. We and selected third-parties use cookies or similar technologies as specified in the AWS Cookie Notice.
Your privacy choices
We display ads relevant to your interests on AWS sites and on other properties, including cross-context behavioral advertising. Cross-context behavioral advertising uses data from one site or app to advertise to you on a different company’s site or app.
To not allow AWS cross-context behavioral advertising based on cookies or similar technologies, select “Don't allow” and “Save privacy choices” below, or visit an AWS site with a legally-recognized decline signal enabled, such as the Global Privacy Control. If you delete your cookies or visit this site from a different browser or device, you will need to make your selection again. For more information about cookies and how we use them, please read our AWS Cookie Notice.
How to optimize AWS services -Applications connectivity with EKS Pod Identity
Every AWS Re-Invent new releases are awaited with high expectation. One of my highlights of the reinvent 2023 was the simplified application access to AWS service with EKS pod Identity.
My Kubernetes journey started sometime in 2021 and I have grown to love it, not only because it is greatly leveraged at my job, but also because of its extremely improving power as a micro-service. If all of this is new to you, check-out the link below on getting starting with Kubernetes on AWS.1
What is Amazon EKS Pod Identity?
Amazon EKS Pod Identity is a feature within Amazon Elastic Kubernetes Service (EKS) that simplifies the process of managing AWS Identity and Access Management (IAM) permissions for Kubernetes applications running on Amazon EKS clusters. It allows you to assign specific IAM roles to individual Kubernetes pods, ensuring granular and secure access to AWS resources and APIs.
How was this managed prior to EKS Pod Identity?
Before the introduction of EKS Pod Identity, the primary way to manage IAM permissions for Kubernetes pods was through solutions such as:
Kube2iam
An open-source solution that assigns IAM roles to Kubernetes pods running in an Amazon EKS cluster. It creates a secure and controlled way of managing pod-level IAM access. The mechanism behind kube2iam is to intercept AWS metadata API requests from pods, check their attributes, and provide the appropriate IAM credentials based on a pod's annotation or Kubernetes namespace. While kube2iam has been helpful in securing pod-level access to AWS resources, it has certain challenges:
Additional component to manage: As kube2iam operates as a separate component, it increases overall management overhead.
Complex configuration: Setting up and configuring kube2iam can be complex, requiring multiple steps and in-depth knowledge about AWS networking and IAM.
Limited support for new features and improvements: kube2iam is a community-supported project, potentially making it slower to introduce new features or bug fixes compared to AWS managed services.
kiam
Another open-source solution that provides a secure way to manage pod-level AWS IAM roles in Kubernetes clusters. It intercepts AWS metadata API calls from the pods and responds with the appropriate IAM credentials based on annotations. Kiam has a more robust security model than kube2iam, achieved by separating the roles of a metadata agent and a server, with strict communication policies enforced using TLS and gRPC.
AWS Security Token Service (STS)
Using the AWS STS, you can create short-lived credentials to manage access to AWS resources from within Kubernetes. This method works by assuming an IAM role in a pod and using the aws sts assume-role command to obtain temporary credentials. While STS is a useful mechanism for providing temporary access to AWS resources, it can be cumbersome to maintain and less flexible when compared to kube2iam or kiam.
AWS IAM Roles for Service Accounts (IRSA)
Amazon introduced AWS IAM Roles for Service Accounts (IRSA) as an official AWS solution that streamlines pod-level IAM access within EKS clusters. IRSA allows you to associate an IAM role directly with a Kubernetes service account, so that applications running within a pod can use the role without sharing any credentials in the process. This automation simplifies and enhances security in managing pod-level AWS access. While there are several alternatives available for managing IAM permissions in Kubernetes, EKS Pod Identity seeks to provide a robust and easy-to-use native solution for Amazon EKS users.
What makes Amazon EKS Pod Identity a more powerful tool?
Amazon EKS Pod Identity offers several advantages for managing IAM permissions in EKS clusters:
Simplified permissions: With EKS Pod Identity, you can assign specific IAM roles at the pod level. This granular control allows each pod to have the required permissions to access only the necessary AWS resources, simplifying the permissions management process and ensuring a more organized cluster.
Enhanced security: By following the principle of least privilege, EKS Pod Identity enables enhanced security measures for the applications running in the EKS cluster. It limits each pod's access to only the permitted resources, reducing the potential surface area for exploitation.
Native integration: EKS Pod Identity is designed to work natively with Amazon EKS and AWS SDKs. This seamless integration ensures a more efficient developer experience while managing IAM access for their applications in the cluster.
Ease of management: Compared to third-party solutions like kube2iam or kiam, EKS Pod Identity provides a more streamlined, native approach to IAM management. It eliminates the need for additional components and simplifies the overall management process, making it easier for administrators to maintain a secure and organized EKS environment.
Automatic credential provisioning: EKS Pod Identity automates the process of providing temporary security credentials to pods when they make AWS API requests. This automation not only keeps the environment secure but also minimizes the complexity involved in credential management and IAM role assumption.
Hands-On Demo
Let's experience the power of EKS Pod Identity.
Requirements: An AWS Service (s3 bucket): We shall create an s3 bucket, upload an image and later on access it. An Application: As we know applications are housed in Containers and containers resides in pods. These pods are managed by Kubernetes, so we need an EKS Cluster. IAM Permission: For Identity and Access management.
Image not found
myeksbucket-01
An S3 bucket named myeksbucket-01 was created and an image uploaded into it.
I created an IAM Role called eksClusterRole and attached a permission policy so as to get access to the created s3 bucket.
Image not found
IAM
Next to the permission, we need a Trust Relationship with a principal labelled pod.eks.amazonaws.com.
Image not found
EKS-Cluster-Role Next we need the pod identity agent, which will reside in the EKS Cluster. We need to create a cluster. The default setting will suffice. For the add-ons stage, It is important to chose amazon EKS Pod Identity agent as an extra add-on
Image not found
Selecting eks-pod-identity-agent Addon
We need create a pod identity association. The Kubernetes namespace and service account can be created on the fly, if you don't already have in your cluster. Just enter the desired names in the field.
Image not found
The Cluster creating process might take up to 15 minutes.
After the successful creation the cluster, we need to access it through the AWS-CLI on the same browser with the following command:
Image not found
Next we access the service as shown below:
Image not found
The following commands can be used to map the IAM role to the Kubernetes pod:
