Introduction
Amazon Web Services (AWS) IAM Roles for Service Accounts (IRSA) provides a robust mechanism for securely managing AWS resource access within Kubernetes clusters. Implementing AWS IRSA in self-hosted Kubernetes clusters enhances security by granting precise AWS permissions to workloads running within Kubernetes. This guide explores best practices for setting up and optimizing AWS IRSA in a self-hosted Kubernetes environment.
Understanding AWS IRSA
AWS IRSA enables Kubernetes pods to assume IAM roles securely without requiring static AWS credentials. Instead, it utilizes OpenID Connect (OIDC) federation between the Kubernetes cluster and AWS IAM, ensuring secure authentication and access management.
Benefits of AWS IRSA
- Enhanced Security: Eliminates the need for long-lived AWS access keys within Kubernetes workloads.
- Least Privilege Access: Ensures workloads only receive permissions necessary for their operations.
- Scalability: Easily manages IAM permissions across multiple pods and services.
- Better Compliance: Aligns with security best practices by using temporary credentials.
Prerequisites
Before setting up AWS IRSA in a self-hosted Kubernetes cluster, ensure the following:
- A Kubernetes cluster running on AWS with OIDC provider support.
- AWS CLI and IAM permissions to create roles and policies.
- Helm and Kubernetes tools such as kubectl installed.
Step-by-Step Guide to Configuring AWS IRSA
Step 1: Verify OIDC Provider Configuration
Ensure that an OpenID Connect (OIDC) provider is available for the Kubernetes cluster. On a self-hosted cluster the issuer is whatever kube-apiserver was started with as --service-account-issuer; read it from the API server's discovery document (the issuer field):
kubectl get --raw /.well-known/openid-configuration
AWS STS validates pod tokens by fetching that issuer's discovery document and JWKS over HTTPS, so the issuer URL must be reachable from the public internet; self-hosted clusters typically publish those two documents to a public location such as an S3 bucket.
If no IAM OIDC provider exists for that issuer, register one. Pass the issuer URL from the previous step as --url (the EKS-style URL below is a placeholder) and the SHA-1 thumbprint of the issuer's certificate authority:
aws iam create-open-id-connect-provider --url "https://oidc.eks.amazonaws.com/id/CLUSTER_ID" --client-id-list sts.amazonaws.com --thumbprint-list THUMBPRINT
Step 2: Create an IAM Policy
Define an IAM policy specifying the necessary permissions for Kubernetes workloads. Note that s3:ListBucket is evaluated against the bucket ARN itself, while s3:GetObject is evaluated against object ARNs, so both resource forms are needed for the listing in Step 6 to succeed:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}
Apply the policy in AWS:
aws iam create-policy --policy-name S3ReadOnlyPolicy --policy-document file://policy.json
Step 3: Create an IAM Role for Kubernetes Service Account
Create an IAM role that can be assumed by Kubernetes pods. Its trust policy (trust-policy.json) names the cluster's IAM OIDC provider as a federated principal for sts:AssumeRoleWithWebIdentity and restricts which service account may assume the role:
aws iam create-role --role-name IRSA-S3-Role --assume-role-policy-document file://trust-policy.json
Attach the previously created policy:
aws iam attach-role-policy --role-name IRSA-S3-Role --policy-arn arn:aws:iam::ACCOUNT_ID:policy/S3ReadOnlyPolicy
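Step 3 consumes trust-policy.json without showing it. The script below is an added example, not part of the original guide, that generates that document and checks an existing one. It assumes placeholder inputs: a 12-digit account ID and the OIDC provider host, which is the issuer URL from Step 1 with its https:// prefix removed. The sub condition is what binds the role to exactly one namespace and service account; a trust policy without it, or with a wildcard in it, can be assumed by any pod in the cluster that can obtain a projected token, so the check function treats both as failures.

```shell
#!/bin/sh
# Added example (not the guide's own code): emit the IRSA trust policy that
# "aws iam create-role --assume-role-policy-document file://trust-policy.json"
# expects, and check an existing document for the conditions that scope it.

# Arguments: ACCOUNT_ID OIDC_HOST NAMESPACE SERVICE_ACCOUNT
#   OIDC_HOST is the issuer URL without "https://", e.g.
#   oidc.eks.amazonaws.com/id/CLUSTER_ID (placeholder) or your own issuer host.
irsa_trust_policy() {
  account_id="$1"
  oidc_host="$2"
  namespace="$3"
  sa_name="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_host}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${oidc_host}:aud": "sts.amazonaws.com",
          "${oidc_host}:sub": "system:serviceaccount:${namespace}:${sa_name}"
        }
      }
    }
  ]
}
EOF
}

# Return 0 only if the trust policy file in $1 pins both the audience and a
# concrete (non-wildcard) service account subject. Anything else means the
# role is assumable more broadly than a single workload.
irsa_trust_policy_check() {
  grep -q '"[^"]*:sub": "system:serviceaccount:[^*"]*"' "$1" || {
    echo "$1: sub condition missing or wildcarded" >&2; return 1; }
  grep -q '"[^"]*:aud": "sts.amazonaws.com"' "$1" || {
    echo "$1: aud condition missing" >&2; return 1; }
}

# Usage (placeholder account ID and issuer host):
#   irsa_trust_policy 123456789012 oidc.eks.amazonaws.com/id/CLUSTER_ID default s3-reader > trust-policy.json
#   irsa_trust_policy_check trust-policy.json
```

Run the generator once per role, then keep the check in CI so that a later hand edit that loosens the sub condition is caught before the role is updated.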
Step 4: Create a Kubernetes Service Account with IRSA
Associate the IAM role with a Kubernetes service account:
kubectl create sa s3-reader -n default
kubectl annotate sa s3-reader -n default eks.amazonaws.com/role-arn=arn:aws:iam::ACCOUNT_ID:role/IRSA-S3-Role
Step 5: Deploy Workloads Using AWS IRSA
Deploy a sample pod that uses the service account:
apiVersion: v1
kind: Pod
metadata:
  name: s3-reader-pod
  namespace: default
spec:
  serviceAccountName: s3-reader
  containers:
  - name: aws-cli
    image: amazon/aws-cli
    command: ["sleep", "3600"]
Apply the configuration:
kubectl apply -f s3-reader-pod.yaml
Step 6: Verify AWS Access in Kubernetes Pods
Exec into the running pod and test AWS access (this requires the s3:ListBucket permission granted in Step 2):
kubectl exec -it s3-reader-pod -- aws s3 ls s3://example-bucket
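Before (or instead of) relying on the s3 ls succeeding, it is worth confirming inside the pod that the projected token carries the claims the trust policy from Step 3 checks, and that STS actually returns the intended role. The script below is an added example, not code from the original guide. It assumes the standard AWS SDK variables AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE have been injected into the pod (on a self-hosted cluster this is done by the amazon-eks-pod-identity-webhook or an equivalent mutating webhook); the sample token built in the block is constructed for illustration, is unsigned, and is not a credential.

```shell
#!/bin/sh
# Added example (not the guide's own code): decode the web-identity token IRSA
# projects into the pod, verify its sub/aud claims, then confirm STS returns
# the IRSA role rather than the node's instance profile.

# Decode the payload (second dot-separated segment) of a JWT. JWTs use
# unpadded base64url, so restore the standard alphabet and '=' padding first.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Pull the string value of the "sub" claim out of a decoded payload.
# (Flat claim lookup is enough here; reach for jq for anything nested.)
jwt_sub() {
  printf '%s' "$1" | sed -n 's/.*"sub" *: *"\([^"]*\)".*/\1/p'
}

# True if the "aud" claim (string or array) contains audience $2.
jwt_has_aud() {
  printf '%s' "$1" | grep -Eq "\"aud\" *: *\[?[^]]*\"$2\""
}

# Return 0 only if token $1 has sub equal to $2 and an aud containing $3.
# A mismatch here is the usual cause of STS rejecting AssumeRoleWithWebIdentity
# with "Not authorized to perform sts:AssumeRoleWithWebIdentity".
check_token_claims() {
  payload=$(jwt_payload "$1") || return 1
  [ "$(jwt_sub "$payload")" = "$2" ] || {
    echo "sub mismatch: got '$(jwt_sub "$payload")', want '$2'" >&2; return 1; }
  jwt_has_aud "$payload" "$3" || { echo "aud '$3' not present" >&2; return 1; }
}

# Run inside the pod: verify_irsa_identity NAMESPACE SERVICE_ACCOUNT
# Assumes the webhook injected AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE.
verify_irsa_identity() {
  tok=$(cat "${AWS_WEB_IDENTITY_TOKEN_FILE:?AWS_WEB_IDENTITY_TOKEN_FILE not set}")
  check_token_claims "$tok" "system:serviceaccount:$1:$2" sts.amazonaws.com || return 1
  echo "token claims OK for ${AWS_ROLE_ARN:?AWS_ROLE_ARN not set}"
  # The Arn in this output should contain assumed-role/<role name>/; if it
  # shows the node's instance-profile role instead, the SDK fell back to
  # instance metadata and the pod has broader access than intended.
  aws sts get-caller-identity
}

# Encode stdin as unpadded base64url (used only to build the sample below).
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Constructed sample token (unsigned, illustration only, not a credential)
# shaped like the one the projected volume holds for the s3-reader account.
sample_token() {
  hdr=$(printf '%s' '{"alg":"RS256","kid":"example"}' | b64url)
  body=$(printf '%s' '{"iss":"https://oidc.example.internal","sub":"system:serviceaccount:default:s3-reader","aud":["sts.amazonaws.com"]}' | b64url)
  printf '%s.%s.%s' "$hdr" "$body" "signature-placeholder"
}
```

Typical use is kubectl exec into s3-reader-pod, source this file, and run verify_irsa_identity default s3-reader; the functions only need sh, coreutils, sed and grep, which the amazon/aws-cli image provides.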
Best Practices for AWS IRSA in Kubernetes
- Use Granular IAM Policies: Assign the least privilege necessary to Kubernetes workloads.
- Monitor IAM Role Usage: Use AWS CloudTrail and IAM Access Analyzer to audit role usage.
- Enable Logging and Auditing: Implement AWS CloudWatch and AWS GuardDuty for security monitoring.
- Automate Role Assignments: Use Infrastructure as Code (IaC) tools like Terraform to manage IRSA configurations.
Conclusion
Implementing AWS IRSA in self-hosted Kubernetes clusters enhances security, scalability, and compliance. By following best practices and leveraging IAM roles efficiently, Kubernetes workloads can securely access AWS resources without using static credentials.