Create IAM Role for Service Account (IRSA) in AWS EKS Cluster

1. Create EKS Cluster

2. Create IAM OIDC Provider

1. Open the Amazon EKS console
2. In the left pane, select Clusters, and then select the name of your cluster on the Clusters page.
3. In the Details section on the Overview tab, note the value of the OpenID Connect provider URL.
4. Open the IAM console
5. In the left navigation pane, choose Identity Providers under Access management. If a Provider is listed that matches the URL for your cluster, then you already have a provider for your cluster. If a provider isn’t listed that matches the URL for your cluster, then you must create one.
6. To create a provider, choose Add provider
7. For Provider type, select OpenID Connect.
8. For Provider URL, enter the OIDC provider URL for your cluster, and then choose Get thumbprint.
9. For Audience, enter sts.amazonaws.com and choose Add provider.

3. Create S3 Bucket

If you dont have s3 bucket then create the s3 bucket.

1. Create S3 Bucket

3. Configure kubernetes service account to assume an IAM Role

1. Create IAM policy for S3 Bucket

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement",
            "Effect": "Allow",
            "Action": [
            	"s3:ListBucket",
            	"s3:GetObject",
            	"s3:GetObjectVersion"
            ],
            "Resource": [
            	"arn:aws:s3:::my-s3-bucket"
        }
    ]
}

4. Create IAM role and Service account:

1. Create service account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default

kubectl apply -f irsa-sa.yaml

2. Create role and attach IAM policy that you have created in the step 3:

1. create the trust-relationship.json file

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::$account_id:oidc-provider/$oidc_provider"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "$oidc_provider:aud": "sts.amazonaws.com",
          "$oidc_provider:sub": "system:serviceaccount:$namespace:$service_account"
        }
      }
    }
  ]
}

2. Create IAM Role

aws iam create-role --role-name my-role --assume-role-policy-document file://trust-relationship.json --description "my-role-description"

3. Attach IAM policy to the Role

aws iam attach-role-policy --role-name my-role --policy-arn=arn:aws:iam::$account_id:policy/my-policy

5. Annotate your service account with the Amazon Resource Name (ARN) of the IAM role that you want the service account to assume. 

kubectl annotate serviceaccount -n $namespace $service_account eks.amazonaws.com/role-arn=arn:aws:iam::$account_id:role/my-role

6. Assign Service Account to pod:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: my-service-account
      containers:
      - name: my-app
        image: public.ecr.aws/nginx/nginx:X.XX