How to optimize AWS services -Applications connectivity with EKS Pod Identity
Every AWS Re-Invent new releases are awaited with high expectation. One of my highlights of the reinvent 2023 was the simplified application access to AWS service with EKS pod Identity.
Published Jan 31, 2024
My Kubernetes journey started sometime in 2021 and I have grown to love it, not only because it is greatly leveraged at my job, but also because of its extremely improving power as a micro-service. If all of this is new to you, check-out the link below on getting starting with Kubernetes on AWS.1
What is Amazon EKS Pod Identity?
Amazon EKS Pod Identity is a feature within Amazon Elastic Kubernetes Service (EKS) that simplifies the process of managing AWS Identity and Access Management (IAM) permissions for Kubernetes applications running on Amazon EKS clusters. It allows you to assign specific IAM roles to individual Kubernetes pods, ensuring granular and secure access to AWS resources and APIs.
How was this managed prior to EKS Pod Identity?
Before the introduction of EKS Pod Identity, the primary way to manage IAM permissions for Kubernetes pods was through solutions such as:
Kube2iam
An open-source solution that assigns IAM roles to Kubernetes pods running in an Amazon EKS cluster. It creates a secure and controlled way of managing pod-level IAM access. The mechanism behind kube2iam is to intercept AWS metadata API requests from pods, check their attributes, and provide the appropriate IAM credentials based on a pod's annotation or Kubernetes namespace.
While kube2iam has been helpful in securing pod-level access to AWS resources, it has certain challenges:
While kube2iam has been helpful in securing pod-level access to AWS resources, it has certain challenges:
Additional component to manage: As kube2iam operates as a separate component, it increases overall management overhead.
Complex configuration: Setting up and configuring kube2iam can be complex, requiring multiple steps and in-depth knowledge about AWS networking and IAM.
Limited support for new features and improvements: kube2iam is a community-supported project, potentially making it slower to introduce new features or bug fixes compared to AWS managed services.
kiam
Another open-source solution that provides a secure way to manage pod-level AWS IAM roles in Kubernetes clusters. It intercepts AWS metadata API calls from the pods and responds with the appropriate IAM credentials based on annotations. Kiam has a more robust security model than kube2iam, achieved by separating the roles of a metadata agent and a server, with strict communication policies enforced using TLS and gRPC.
AWS Security Token Service (STS)
Using the AWS STS, you can create short-lived credentials to manage access to AWS resources from within Kubernetes. This method works by assuming an IAM role in a pod and using the aws sts assume-role command to obtain temporary credentials. While STS is a useful mechanism for providing temporary access to AWS resources, it can be cumbersome to maintain and less flexible when compared to kube2iam or kiam.
AWS IAM Roles for Service Accounts (IRSA)
Amazon introduced AWS IAM Roles for Service Accounts (IRSA) as an official AWS solution that streamlines pod-level IAM access within EKS clusters. IRSA allows you to associate an IAM role directly with a Kubernetes service account, so that applications running within a pod can use the role without sharing any credentials in the process. This automation simplifies and enhances security in managing pod-level AWS access.
While there are several alternatives available for managing IAM permissions in Kubernetes, EKS Pod Identity seeks to provide a robust and easy-to-use native solution for Amazon EKS users.
While there are several alternatives available for managing IAM permissions in Kubernetes, EKS Pod Identity seeks to provide a robust and easy-to-use native solution for Amazon EKS users.
What makes Amazon EKS Pod Identity a more powerful tool?
Amazon EKS Pod Identity offers several advantages for managing IAM permissions in EKS clusters:
Simplified permissions: With EKS Pod Identity, you can assign specific IAM roles at the pod level. This granular control allows each pod to have the required permissions to access only the necessary AWS resources, simplifying the permissions management process and ensuring a more organized cluster.
Enhanced security: By following the principle of least privilege, EKS Pod Identity enables enhanced security measures for the applications running in the EKS cluster. It limits each pod's access to only the permitted resources, reducing the potential surface area for exploitation.
Native integration: EKS Pod Identity is designed to work natively with Amazon EKS and AWS SDKs. This seamless integration ensures a more efficient developer experience while managing IAM access for their applications in the cluster.
Ease of management: Compared to third-party solutions like kube2iam or kiam, EKS Pod Identity provides a more streamlined, native approach to IAM management. It eliminates the need for additional components and simplifies the overall management process, making it easier for administrators to maintain a secure and organized EKS environment.
Automatic credential provisioning: EKS Pod Identity automates the process of providing temporary security credentials to pods when they make AWS API requests. This automation not only keeps the environment secure but also minimizes the complexity involved in credential management and IAM role assumption.
Hands-On Demo
Let's experience the power of EKS Pod Identity.
Requirements:
An AWS Service (s3 bucket): We shall create an s3 bucket, upload an image and later on access it.
An Application: As we know applications are housed in Containers and containers resides in pods. These pods are managed by Kubernetes, so we need an EKS Cluster.
IAM Permission: For Identity and Access management.
An AWS Service (s3 bucket): We shall create an s3 bucket, upload an image and later on access it.
An Application: As we know applications are housed in Containers and containers resides in pods. These pods are managed by Kubernetes, so we need an EKS Cluster.
IAM Permission: For Identity and Access management.
An S3 bucket named myeksbucket-01 was created and an image uploaded into it.
I created an IAM Role called eksClusterRole and attached a permission policy so as to get access to the created s3 bucket.
Next to the permission, we need a Trust Relationship with a principal labelled pod.eks.amazonaws.com.
Next we need the pod identity agent, which will reside in the EKS Cluster. We need to create a cluster. The default setting will suffice. For the add-ons stage, It is important to chose amazon EKS Pod Identity agent as an extra add-on
We need create a pod identity association. The Kubernetes namespace and service account can be created on the fly, if you don't already have in your cluster. Just enter the desired names in the field.
The Cluster creating process might take up to 15 minutes.
After the successful creation the cluster, we need to access it through the AWS-CLI on the same browser with the following command:
Next we access the service as shown below:
The following commands can be used to map the IAM role to the Kubernetes pod:
$ aws eks create-pod-identity-association \
--cluster-name \
--namespace \
--service-account \
--role-arn
--cluster-name \
--namespace \
--service-account \
--role-arn
The following command can be used to install the EKS Pod Identity Agent into the cluster:
aws eks create-addon \
--cluster-name \
--addon-name eks-pod-identity-agent \
--addon-version
--cluster-name \
--addon-name eks-pod-identity-agent \
--addon-version
These are further steps on achieving the required results. 2