AWS STS: IAM roles for ServiceAccounts on AWS ROSA

OpenShift IRSA STS ROSA

2 min read | by Jordi Prats

AWS ROSA is integrated with AWS STS, which lets us set up IRSA (IAM roles for ServiceAccounts) just as we would on an EKS cluster.

To create the policy we want to push to AWS we'll have to create a CredentialsRequest with the statements we want. For example, the following object allows read/write access to the test-pet2cattle-s3 bucket and listing the other buckets:

apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: demo-aws-s3
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
    - action:
      - s3:Get*
      - s3:List*
      - s3:PutObject*
      - s3:DeleteObject*
      effect: Allow
      resource: arn:aws:s3:::test-pet2cattle-s3/*
    - action:
      - s3:Get*
      - s3:List*
      - s3:PutObject*
      - s3:DeleteObject*
      effect: Allow
      resource: arn:aws:s3:::test-pet2cattle-s3
    - action:
      - s3:ListAllMyBuckets
      effect: Allow
      resource: 'arn:aws:s3:::*'
  secretRef:
    name: demo-s3-cloud-credentials
    namespace: test
  serviceAccountNames:
  - demo

To create the IAM role we'll have to use the ccoctl tool. Assuming we have the previous definition under credreq/req.yaml, the following command creates the demo-sts-test-demo-s3-cloud-credentials IAM role associated with the demo ServiceAccount:

ccoctl aws create-iam-roles \
  --name=demo-sts \
  --region=eu-central-1 \
  --credentials-requests-dir=credreq  \
  --identity-provider-arn=arn:aws:iam::123456789876:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/cdefb6lj4p4k1a01i561h9rb221cv53

We can guess the IAM role name from the CredentialsRequest data, but we'll get its ARN from ccoctl's output:

$ ccoctl aws create-iam-roles --name=demo-sts --region=eu-central-1 --credentials-requests-dir=credreq --identity-provider-arn=arn:aws:iam::123456789876:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/cdefb6lj4p4k1a01i561h9rb221cv53
2022/10/15 09:33:21 Role arn:aws:iam::123456789876:role/demo-sts-test-demo-s3-cloud-credentials created
2022/10/15 09:33:21 Updated Role policy for Role demo-sts-test-demo-s3-cloud-credentials
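The role ccoctl creates is only as safe as its trust policy: the OIDC provider must be the cluster's, and the `:sub` condition must name exactly the namespace/ServiceAccount pairs from the CredentialsRequest, otherwise any pod in the cluster (or in another namespace) can assume the role. The following script is an added example, not part of the original post or of ccoctl; it assumes the standard IRSA trust-policy shape (Federated principal, sts:AssumeRoleWithWebIdentity, StringEquals on `<provider-host>:sub`) and uses constructed sample policies built from the ARNs on this page.

```python
"""Check that an IRSA role's trust policy is scoped to the ServiceAccounts
from the CredentialsRequest (added example; sample policies are constructed)."""
import json
import sys

# Identity provider ARN from the ccoctl command on this page.
OIDC_PROVIDER_ARN = ("arn:aws:iam::123456789876:oidc-provider/"
                     "rh-oidc.s3.us-east-1.amazonaws.com/cdefb6lj4p4k1a01i561h9rb221cv53")
# The condition key is the provider ARN without the 'arn:...:oidc-provider/' prefix.
OIDC_HOST = OIDC_PROVIDER_ARN.split(":oidc-provider/", 1)[1]


def expected_subjects(namespace, service_accounts):
    """Subjects the role should trust: one per serviceAccountNames entry."""
    return {f"system:serviceaccount:{namespace}:{sa}" for sa in service_accounts}


def check_trust_policy(policy, provider_arn, namespace, service_accounts):
    """Return a list of findings; an empty list means the trust policy is correctly scoped."""
    findings = []
    host = provider_arn.split(":oidc-provider/", 1)[1]
    want = expected_subjects(namespace, service_accounts)
    statements = policy.get("Statement", [])
    if not statements:
        findings.append("empty trust policy")
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal.get("Federated") != provider_arn:
            findings.append(f"principal is not the cluster OIDC provider: {principal}")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if actions != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"unexpected actions: {actions}")
        cond = stmt.get("Condition", {})
        like = cond.get("StringLike", {}).get(f"{host}:sub")
        if like is not None:
            findings.append(f"wildcard subject match via StringLike: {like}")
        subs = cond.get("StringEquals", {}).get(f"{host}:sub")
        if subs is None:
            if like is None:
                findings.append("no :sub condition (any pod in the cluster could assume the role)")
            continue
        subs = {subs} if isinstance(subs, str) else set(subs)
        extra = subs - want
        missing = want - subs
        if extra:
            findings.append(f"trusts subjects beyond the CredentialsRequest: {sorted(extra)}")
        if missing:
            findings.append(f"missing expected subjects: {sorted(missing)}")
    return findings


def trust_policy(condition):
    """Build a constructed sample trust policy with the given Condition block."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": OIDC_PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# What ccoctl is expected to produce for the CredentialsRequest above (constructed).
GOOD_TRUST_POLICY = trust_policy(
    {"StringEquals": {f"{OIDC_HOST}:sub": ["system:serviceaccount:test:demo"]}})
# Hand-edited, overly broad variant: every ServiceAccount in the cluster may assume the role.
OVERLY_BROAD_POLICY = trust_policy(
    {"StringLike": {f"{OIDC_HOST}:sub": "system:serviceaccount:*:*"}})
# Wrong namespace: binds the role to a ServiceAccount the CredentialsRequest never named.
WRONG_NAMESPACE_POLICY = trust_policy(
    {"StringEquals": {f"{OIDC_HOST}:sub": ["system:serviceaccount:default:demo"]}})


if __name__ == "__main__":
    # Pass a file holding the live document, e.g. the output of
    # aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument --output json
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else GOOD_TRUST_POLICY
    problems = check_trust_policy(policy, OIDC_PROVIDER_ARN, "test", ["demo"])
    print("OK: trust policy scoped to test/demo" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run it against the role from this post with `aws iam get-role --role-name demo-sts-test-demo-s3-cloud-credentials --query Role.AssumeRolePolicyDocument --output json > trust.json` followed by `python3 check_trust.py trust.json`; a non-zero exit means the role trusts more (or less) than the ServiceAccount the CredentialsRequest named.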

At this point we just need to annotate the ServiceAccount with the eks.amazonaws.com/role-arn annotation, as we would do with any other IRSA-enabled ServiceAccount:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo
  namespace: test   # must match secretRef.namespace and serviceAccountNames in the CredentialsRequest
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789876:role/demo-sts-test-demo-s3-cloud-credentials

We can finally test it using a pod with awscli:

apiVersion: v1
kind: Pod
metadata:
  name: demo-sts
  namespace: test   # same namespace as the annotated ServiceAccount
spec:
  serviceAccountName: demo
  containers:
  - image: amazon/aws-cli
    command: ["/bin/sleep"]
    args: ["infinity"]
    name: demo-sts

From inside the pod we can then list the S3 buckets:

$ kubectl exec -it demo-sts -- sh
sh-4.2# aws s3 ls
2022-10-15 06:54:28 test-pet2cattle-s3

Posted on 25/10/2022
