1. Create EKS Cluster
2. Create IAM OIDC Provider
- Open the Amazon EKS console
- In the left pane, select Clusters, and then select the name of your cluster on the Clusters page.
- In the Details section on the Overview tab, note the value of the OpenID Connect provider URL.
- Open the IAM console
- In the left navigation pane, choose Identity Providers under Access management. If a Provider is listed that matches the URL for your cluster, then you already have a provider for your cluster. If a provider isn’t listed that matches the URL for your cluster, then you must create one.
- To create a provider, choose Add provider
- For Provider type, select OpenID Connect.
- For Provider URL, enter the OIDC provider URL for your cluster, and then choose Get thumbprint.
- For Audience, enter sts.amazonaws.com and choose Add provider.
3. Create S3 Bucket
If you don't already have an S3 bucket, create one.
3. Configure kubernetes service account to assume an IAM Role
1. Create IAM policy for S3 Bucket. The bucket ARN covers s3:ListBucket; the object ARN (bucket/*) is required for s3:GetObject and s3:GetObjectVersion, which act on objects rather than on the bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket",
        "arn:aws:s3:::my-s3-bucket/*"
      ]
    }
  ]
}
4. Create IAM role and Service account:
1. Create service account (save the manifest as irsa-sa.yaml):
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default
kubectl apply -f irsa-sa.yaml
2. Create the role and attach the IAM policy that you created in step 3:
1. Create the trust-relationship.json file. The sub condition limits the role to one service account in one namespace; keep it exact rather than widening it to a wildcard, otherwise any pod in the cluster could assume the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::$account_id:oidc-provider/$oidc_provider"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "$oidc_provider:aud": "sts.amazonaws.com",
          "$oidc_provider:sub": "system:serviceaccount:$namespace:$service_account"
        }
      }
    }
  ]
}
2. Create IAM Role
aws iam create-role --role-name my-role --assume-role-policy-document file://trust-relationship.json --description "my-role-description"
3. Attach IAM policy to the Role
aws iam attach-role-policy --role-name my-role --policy-arn=arn:aws:iam::$account_id:policy/my-policy
5. Annotate your service account with the Amazon Resource Name (ARN) of the IAM role that you want the service account to assume.
kubectl annotate serviceaccount -n $namespace $service_account eks.amazonaws.com/role-arn=arn:aws:iam::$account_id:role/my-role
6. Assign Service Account to pod:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: my-service-account
      containers:
        - name: my-app
          image: public.ecr.aws/nginx/nginx:X.XX
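Steps 4 and 5 above as one script, added here as an example rather than code from the original page. It renders the trust-relationship.json template with real values (the page's $account_id, $oidc_provider, $namespace and $service_account), checks that the sub condition is pinned to exactly one service account before the role is created, and only runs the aws and kubectl commands when IRSA_APPLY=1. The issuer URL and account ID 123456789012 are constructed placeholders; it assumes the aws CLI and kubectl are configured for the cluster and that the policy my-policy from step 3 already exists.

```shell
#!/bin/sh
# Added example (not from the original page): IRSA role setup with a scope check.
set -eu

# The cluster's issuer URL from the EKS console starts with https://; the IAM
# provider ARN and the condition keys use the bare host/path form.
oidc_provider_from_issuer() {
    printf '%s\n' "$1" | sed -e 's#^https://##'
}

# Emit the page's trust relationship document with the placeholders filled in.
# Arguments: account_id oidc_provider namespace service_account
render_trust_policy() {
    account_id=$1; oidc_provider=$2; namespace=$3; service_account=$4
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${oidc_provider}:aud": "sts.amazonaws.com",
          "${oidc_provider}:sub": "system:serviceaccount:${namespace}:${service_account}"
        }
      }
    }
  ]
}
EOF
}

# Return 0 only if the document pins the role to one namespace and one service
# account with StringEquals and the expected audience; a wildcard in sub or a
# StringLike match would let any pod in the cluster assume the role.
trust_policy_is_scoped() {
    doc=$1
    printf '%s' "$doc" | grep -q '"StringEquals"' || return 1
    printf '%s' "$doc" | grep -q '"StringLike"' && return 1
    printf '%s' "$doc" | grep -q ':sub": "system:serviceaccount:[^*"]*:[^*"]*"' || return 1
    printf '%s' "$doc" | grep -q ':aud": "sts.amazonaws.com"' || return 1
    return 0
}

# Steps 4.2 and 5 of the page: write the trust file, create and attach, annotate.
# Arguments: account_id issuer_url namespace service_account role_name policy_name
apply_irsa() {
    account_id=$1; issuer_url=$2; namespace=$3; service_account=$4
    role_name=$5; policy_name=$6
    oidc_provider=$(oidc_provider_from_issuer "$issuer_url")
    doc=$(render_trust_policy "$account_id" "$oidc_provider" "$namespace" "$service_account")
    trust_policy_is_scoped "$doc" || { echo "refusing unscoped trust policy" >&2; return 1; }
    printf '%s\n' "$doc" > trust-relationship.json
    aws iam create-role --role-name "$role_name" \
        --assume-role-policy-document file://trust-relationship.json
    aws iam attach-role-policy --role-name "$role_name" \
        --policy-arn "arn:aws:iam::${account_id}:policy/${policy_name}"
    kubectl annotate serviceaccount -n "$namespace" "$service_account" \
        "eks.amazonaws.com/role-arn=arn:aws:iam::${account_id}:role/${role_name}"
}

# Constructed sample values: the issuer ID and account ID are placeholders.
SAMPLE_ISSUER="https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
if [ "${IRSA_APPLY:-0}" = "1" ]; then
    apply_irsa 123456789012 "$SAMPLE_ISSUER" default my-service-account my-role my-policy
fi
```

Once a pod from step 6 is running, the EKS pod identity webhook injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into the container environment; if `kubectl exec` into the pod shows neither variable, the service account annotation was not in place when the pod was created and the pod has to be recreated.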