A native-AWS way to attach an IAM role into the Kubernetes POD, without third-party software, reducing latency and improving your EKS security.

How It Works

It’s possible to attach an IAM role in a Kubernetes POD without using third-party software, such as kube2iam and kiam. This is thanks to the integration between AWS IAM and Kubernetes ServiceAccount, following the approach of IAM Roles for Service Accounts (IRSA).

---

Benefits

There are quite a few benefits of using IRSA with Kubernetes PODs.

• Granular restriction (per cluster, per namespace, etc.).
• It’s also possible to not use it.
• More flexible than the other tools.
• One less point of failure (maybe a few less).
• Lesser resource consumption.
• More pods per node.
• Latency may reduce by ~50ms.
• Especially for the first request.
• Prevent issues with caching the credentials.
• This software takes a few minutes to update its cache.
• Better auditing.
• Instead of checking the logs of kube2iam/kiam pods, you can check AWS CloudTrails.
• Easier to set up.
• AWS provides full support.

---

Pre-requirements

There are a few pre-requirements that you’ll need to attempt in order to use the IAM role in a POD.

• An IAM OpenID Connect provider pointing to the AWS EKS OpenID Connect provider URL.
• AWS EKS cluster 1.13 or above.
• A trust relationship between your IAM Role and the OpenID Provider.

#cloud #tutorial #aws #kubernetes #cloud security #k8s #eks #aws security #kubernetes security #aws iam