IRSA: IAM role to ServiceAccount

1 min read

For EKS cluster there was kube2iam for providing IAM credentials to containers running inside a kubernetes cluster that required a DaemonSet to be deployed. With IRSA (IAM Role to ServiceAccount) we can link IAM roles to ServiceAccounts

To associate an IAM role to a service account is an straightforward process, we just need to annotate our ServiceAccount with the IAM role we want to use, for example:

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>

If we already have the ServiceAccount we can also annotate it imperatively using kubectl annotate as follows:

kubectl annotate serviceaccount -n <NAMESPACE> <SERVICE_ACCOUNT_NAME> \
        eks.amazonaws.com/role-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>

Linking IAM roles to service accounts can also be used for assuming roles from another accounts but we will need to set up the appropriate policies for this.


Posted on 11/02/2021

Categories