Enable IAM Roles for Kubernetes Service Accounts¶
This guide will walk you through enabling IAM roles for service accounts. More specifically, you will create an OpenID Connect (OIDC) provider and associate it with the Kubernetes cluster.
Fast Forward
If you already have an OIDC provider for your cluster, expand this box to fast-forward.
Go to your GitOps repository, inside your
rok-tools
management environment:root@rok-tools:~# cd ~/ops/deploymentsRestore the required context from previous sections:
root@rok-tools:~/ops/deployments# source <(cat deploy/env.eks-cluster)root@rok-tools:~/ops/deployments# export EKS_CLUSTERSet the name of your OIDC provider for your cluster:
root@rok-tools:~/ops/deployments# export EKS_CLUSTER_OIDC=$(aws eks describe-cluster --name ${EKS_CLUSTER?} \ > --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")Save your state:
root@rok-tools:~/ops/deployments# j2 deploy/env.eks-identity.j2 \ > -o deploy/env.eks-identityCommit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Enable IAM Roles for Kubernetes Service Accounts"Proceed to the Verify section.
Choose one of the following options to enable IAM roles for Kubernetes service accounts:
- Option 1: Enable IAM Roles for Kubernetes Service Accounts Automatically (preferred).
- Option 2: Enable IAM Roles for Kubernetes Service Accounts Manually.
Overview
What You’ll Need¶
- A configured management environment.
- An existing EKS cluster.
Check Your Environment¶
In order to create an OIDC provider and associate it with your EKS cluster you need permissions for the following actions:
- Describe EKS clusters.
- Describe IAM resources.
- Create IAM resources.
Note
If you do not have the above permissions, contact your AWS administrator to grant sufficient permissions to your IAM user.
Option 1: Enable IAM Roles for Kubernetes Service Accounts Automatically (preferred)¶
Enable IAM roles for Kubernetes service accounts in your cluster by following
the on-screen instructions on the rok-deploy
user interface.
If rok-deploy
is not already running, start it with:
Proceed to the Summary section.
Option 2: Enable IAM Roles for Kubernetes Service Accounts Manually¶
If you want to enable IAM roles for Kubernetes service accounts in your cluster manually, follow the instructions below.
Procedure¶
Go to your GitOps repository, inside your
rok-tools
management environment:root@rok-tools:~# cd ~/ops/deploymentsRestore the required context from previous sections:
root@rok-tools:~/ops/deployments# source <(cat deploy/env.eks-cluster)root@rok-tools:~/ops/deployments# export EKS_CLUSTERCreate an OIDC provider and associate it with your Kubernetes cluster:
root@rok-tools:~/ops/deployments# eksctl utils associate-iam-oidc-provider --cluster ${EKS_CLUSTER?} --approve [i] eksctl version 0.16.0 [i] using region us-east-1 [i] will create IAM Open ID Connect provider for cluster "arrikto-cluster" in "us-east-1" [✔] created IAM Open ID Connect provider for cluster "arrikto-cluster" in "us-east-1"Troubleshooting
AccessDenied
If the above command fails with an error message similar to one of the following:
Error: creating OIDC provider: AccessDenied: User: arn:aws:iam::123456789012:user/user is not authorized to perform: iam:CreateOpenIDConnectProvider on resource: arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com status code: 403, request id: 553b94e8-1d29-4f4b-a787-90c0a98892ebError: fetching cluster status to determine operability: unable to describe cluster control plane: AccessDeniedException: User: arn:aws:iam:123456789012:user/user is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-east-1:123456789012:cluster/arrikto-cluster status code: 403, request id: 36878755-8980-42b9-b9f8-728499a64944it means your IAM user does not have sufficient permissions to perform an action necessary to create an OIDC provider or associate it with your EKS cluster.
To proceed, Check Your Environment and contact your AWS administrator to grant sufficient permissions to your IAM user.
RequestError
If the above command fails with an error message similar to the following:
[i] eksctl version 0.16.0 [i] using region us-east-1 [!] retryable error (RequestError: send request failed caused by: Put http://169.254.169.254/latest/api/token: net/http: request canceled (Client.Timeout exceeded while awaiting headers)ensure that your EC2 instance has PUT response hop limit more than 1.
Set the name of the OIDC provider:
root@rok-tools:~/ops/deployments# export EKS_CLUSTER_OIDC=$(aws eks describe-cluster --name ${EKS_CLUSTER?} \ > --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")Save your state:
root@rok-tools:~/ops/deployments# j2 deploy/env.eks-identity.j2 \ > -o deploy/env.eks-identityCommit your changes:
root@rok-tools:~/ops/deployments# git commit \ > -am "Enable IAM Roles for Kubernetes Service Accounts"Mark your progress:
root@rok-tools:~/ops/deployments# export DATE=$(date -u "+%Y-%m-%dT%H.%M.%SZ")root@rok-tools:~/ops/deployments# git tag -a deploy/${DATE?}/release-1.5/eks-identity \ > -m "Enable IAM roles for Kubernetes Service Accounts"
Verify¶
Go to your GitOps repository, inside your
rok-tools
management environment:root@rok-tools:~# cd ~/ops/deploymentsRestore the required context from previous sections:
root@rok-tools:~/ops/deployments# source <(cat deploy/env.{envvars-aws,eks-identity})root@rok-tools:~/ops/deployments# export AWS_ACCOUNT_ID EKS_CLUSTER_OIDCVerify that the OIDC provider exists:
root@rok-tools:~/ops/deployments# aws iam get-open-id-connect-provider \ > --open-id-connect-provider-arn arn:aws:iam::${AWS_ACCOUNT_ID?}:oidc-provider/${EKS_CLUSTER_OIDC?} { "Url": "oidc.eks.us-east-1.amazonaws.com/id/6E7720932E60AEA787E0E781931671F5", "ClientIDList": [ "sts.amazonaws.com" ], "ThumbprintList": [ "9e99a48a9960b14926bb7f3b02e22da2b0ab7280" ], "CreateDate": "2021-04-23T12:57:25.305000+00:00" }