IRSA: IAM role to ServiceAccount

kubectl kubernetes EKS IRSA IAM ServiceAccount

1 min read | by Jordi Prats

For EKS cluster there was kube2iam for providing IAM credentials to containers running inside a kubernetes cluster that required a DaemonSet to be deployed. With IRSA (IAM Role to ServiceAccount) we can link IAM roles to ServiceAccounts

To associate an IAM role to a ServiceAccount is an straightforward process, we just need to annotate our ServiceAccount with the IAM role we want to use, for example:

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>

If we already have the ServiceAccount we can also annotate it imperatively using kubectl annotate as follows:

kubectl annotate serviceaccount -n <NAMESPACE> <SERVICE_ACCOUNT_NAME> \
        eks.amazonaws.com/role-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>

Linking IAM roles to service accounts can also be used for assuming roles from another accounts but we will need to set up the appropriate policies for this.

Posted on 11/02/2021

IRSA: IAM role to ServiceAccount

Categories