Enable IAM Roles for Kubernetes Service Accounts

This guide will walk you through enabling IAM roles for service accounts. More specifically, you will create an OpenID Connect (OIDC) provider and associate it with the Kubernetes cluster.

Choose one of the following options to enable IAM roles for Kubernetes service accounts:

Check Your Environment

In order to create an OIDC provider and associate it with your EKS cluster you need permissions for the following actions:

  • Describe EKS clusters.
  • Describe IAM resources.
  • Create IAM resources.

Note

If you do not have the above permissions, contact your AWS administrator to grant sufficient permissions to your IAM user.

Option 1: Enable IAM Roles for Kubernetes Service Accounts Automatically (preferred)

Enable IAM roles for Kubernetes service accounts in your cluster by following the on-screen instructions on the rok-deploy user interface.

If rok-deploy is not already running, start it with:

root@rok-tools:~# rok-deploy --run-from eks-identity
../../../_images/eks-identity.png

Proceed to the Summary section.

Option 2: Enable IAM Roles for Kubernetes Service Accounts Manually

If you want to enable IAM roles for Kubernetes service accounts in your cluster manually, follow the instructions below.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.eks-cluster)
    root@rok-tools:~/ops/deployments# export EKS_CLUSTER
  3. Create an OIDC provider and associate it with your Kubernetes cluster:

    root@rok-tools:~/ops/deployments# eksctl utils associate-iam-oidc-provider --cluster ${EKS_CLUSTER?} --approve [i] eksctl version 0.16.0 [i] using region us-east-1 [i] will create IAM Open ID Connect provider for cluster "arrikto-cluster" in "us-east-1" [✔] created IAM Open ID Connect provider for cluster "arrikto-cluster" in "us-east-1"

    Troubleshooting

    AccessDenied

    If the above command fails with an error message similar to one of the following:

    Error: creating OIDC provider: AccessDenied: User: arn:aws:iam::123456789012:user/user is not authorized to perform: iam:CreateOpenIDConnectProvider on resource: arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com status code: 403, request id: 553b94e8-1d29-4f4b-a787-90c0a98892eb
    Error: fetching cluster status to determine operability: unable to describe cluster control plane: AccessDeniedException: User: arn:aws:iam:123456789012:user/user is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-east-1:123456789012:cluster/arrikto-cluster status code: 403, request id: 36878755-8980-42b9-b9f8-728499a64944

    it means your IAM user does not have sufficient permissions to perform an action necessary to create an OIDC provider or associate it with your EKS cluster.

    To proceed, Check Your Environment and contact your AWS administrator to grant sufficient permissions to your IAM user.

    RequestError

    If the above command fails with an error message similar to the following:

    [i] eksctl version 0.16.0 [i] using region us-east-1 [!] retryable error (RequestError: send request failed caused by: Put http://169.254.169.254/latest/api/token: net/http: request canceled (Client.Timeout exceeded while awaiting headers)

    ensure that your EC2 instance has PUT response hop limit more than 1.

  4. Set the name of the OIDC provider:

    root@rok-tools:~/ops/deployments# export EKS_CLUSTER_OIDC=$(aws eks describe-cluster \ > --name ${EKS_CLUSTER?} \ > --query "cluster.identity.oidc.issuer" \ > --output text \ > | sed -e "s/^https:\/\///")
  5. Save your state:

    root@rok-tools:~/ops/deployments# rok-j2 deploy/env.eks-identity.j2 \ > -o deploy/env.eks-identity
  6. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit \ > -am "Enable IAM Roles for Kubernetes Service Accounts - context"
  7. Mark your progress:

    root@rok-tools:~/ops/deployments# export DATE=$(date -u "+%Y-%m-%dT%H.%M.%SZ")
    root@rok-tools:~/ops/deployments# git tag \ > -a deploy/${DATE?}/release-2.0/eks-identity \ > -m "Enable IAM roles for Kubernetes Service Accounts"

Verify

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.{envvars-aws,eks-identity})
    root@rok-tools:~/ops/deployments# export AWS_ACCOUNT_ID EKS_CLUSTER_OIDC
  3. Verify that the OIDC provider exists:

    root@rok-tools:~/ops/deployments# aws iam get-open-id-connect-provider \ > --open-id-connect-provider-arn arn:aws:iam::${AWS_ACCOUNT_ID?}:oidc-provider/${EKS_CLUSTER_OIDC?} { "Url": "oidc.eks.us-east-1.amazonaws.com/id/6E7720932E60AEA787E0E781931671F5", "ClientIDList": [ "sts.amazonaws.com" ], "ThumbprintList": [ "9e99a48a9960b14926bb7f3b02e22da2b0ab7280" ], "CreateDate": "2021-04-23T12:57:25.305000+00:00" }

Summary

You have successfully enabled IAM roles for service accounts.

What’s Next

The next step is to get access to your EKS cluster.