AWS STS: IAM roles for ServiceAccounts on AWS ROSA

2 min read

AWS ROSA it is integrated with the AWS STS that will allow us to setup IRSA just as we would do on an EKS cluster.

25/10/2022

Install Crossplane on AWS with the Jet provider

3 min read

To start creating resources on AWS we can choose the AWS native provider or go with the Jet provider that uses terraform's AWS provider under the hood to generate a Crossplane provider

02/03/2022

Install Crossplane on AWS with the native provider

4 min read

Crossplane is an open source Kubernetes add-on that lets you create cloud resources using Kubernetes objects (CRDs). It's installation it's straightforward, but once we have it installed the key it to properly configure it's providers. Here we are going to use the crossplane's native AWS provider

28/02/2022

IRSA: How to create an IAM role for a specific ServiceAccount

2 min read

On AWS EKS you can associate an IAM role with a Kubernetes service account. The assume role policy is going to look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789123:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20:sub": "system:serviceaccount:demons:demosa"
        }
      }
    }
  ]
}

Let's take a look on how to create this role using Terraform

24/11/2021

IRSA: IAM role to ServiceAccount

1 min read

For EKS cluster there was kube2iam for providing IAM credentials to containers running inside a kubernetes cluster that required a DaemonSet to be deployed. With IRSA (IAM Role to ServiceAccount) we can link IAM roles to ServiceAccounts

11/02/2021