Introduction
Amazon EKS Pod Identity is a service that simplifies AWS Identity and Access Management (IAM) permissions for applications running on Amazon Elastic Kubernetes Service (EKS) clusters. Amazon EKS is a fully managed Kubernetes service that makes it easy to deploy, manage, and scale containerized applications using Kubernetes on AWS.
In a typical Kubernetes environment, pod applications often must interact with other AWS services, such as Amazon S3, Amazon DynamoDB, or others. Managing AWS IAM permissions for these applications can be complex, as it involves creating and managing AWS IAM roles, policies, and credentials.
Amazon EKS Pod Identity addresses this challenge by providing a way to associate AWS IAM roles directly with Kubernetes service accounts. This association allows applications running in Amazon EKS pods to assume AWS IAM roles seamlessly without requiring developers to manage AWS credentials directly within the application code or configuration.
Specific ways that Amazon EKS Pod Identity simplifies AWS IAM permissions for applications:
- Automatic role assignment: Amazon EKS Pod Identity automatically assigns the appropriate AWS IAM role to each pod based on the service account it is running under.
- Short-lived credentials: Amazon EKS Pod Identity issues short-lived temporary credentials to pods, which expire automatically after a specified time.
- Limited access: Amazon EKS Pod Identity grants pods only the minimum permissions they need to access AWS resources.
Key benefits of using Amazon EKS Pod Identity
Simplified AWS IAM permissions management:
- Amazon EKS Pod Identity automatically maps Kubernetes service accounts to AWS IAM roles, eliminating the need to manually configure AWS IAM policies and credentials for each pod.
- You can reuse AWS IAM roles across multiple clusters, further simplifying policy management.
- You no longer need to store long-term credentials within your pods, reducing the attack surface and risk of credential compromise.
Improved security:
- Amazon EKS Pod Identity uses short-lived temporary credentials that expire automatically, reducing the risk of stolen credentials being used to access AWS resources.
- The Amazon EKS Pod Identity Agent is a Kubernetes DaemonSet that runs on your nodes with limited permissions, further enhancing security.
Increased scalability:
- Amazon EKS Pod Identity can easily scale to support thousands of pods, making it ideal for large-scale microservices architectures.
Integration with existing tools:
- Amazon EKS Pod Identity integrates with existing AWS IAM workflows and tools, making it easy to adopt and use.
Reduced operational overhead:
- Amazon EKS Pod Identity reduces the operational overhead of managing AWS IAM permissions for your applications, freeing up your time to focus on other tasks.
Add AWS IAM permissions for an application on an Amazon EKS cluster with Amazon EKS Pod Identity
In this demonstration, we will configure permissions for a basic API deployed on the Amazon EKS cluster. This API is designed to fetch and display the list of files in an Amazon Simple Storage Service (Amazon S3) bucket.
First, we need an AWS IAM role that grants the application the permissions it requires; in this case, permission to list the contents of the Amazon S3 bucket. The role's trust policy must name pods.eks.amazonaws.com as the principal so that the Amazon EKS Pod Identity service can assume the role on behalf of the pod.
Next, the Amazon EKS Pod Identity Agent is installed on an existing Amazon EKS cluster. In the Amazon EKS dashboard, select the cluster.
On the EKS cluster page, the Add-ons tab is accessed, and the option to acquire additional add-ons is chosen. The specific add-on added is the Amazon EKS Pod Identity Agent.
In the next step, additional configurations can be added if required. The default settings are retained for this scenario, and the process moves to the next stage.
The add-on configuration is reviewed, and the option to create is selected. After a brief duration, the Amazon EKS Pod Identity Agent add-on is activated for the cluster.
After deploying Amazon EKS Pod Identity in the cluster, the next step is to link the AWS IAM role to Kubernetes pods.
To accomplish this, navigate to the Access tab in the Amazon EKS cluster. In the Pod Identity associations section, opt for Create Pod Identity association to map the AWS IAM role to Kubernetes pods.
Use the AWS IAM role created earlier and specify the Kubernetes namespace and service account. If the namespace and service account don't exist yet, type their names; otherwise, select them from the dropdown. Then choose Create.
With these steps, AWS IAM permissions for applications on Amazon EKS are configured using Amazon EKS Pod Identity. Verify the association by checking that the AWS IAM role is listed in Pod Identity associations.
When testing the API on Amazon EKS, it functions as intended and successfully retrieves the list of files from my Amazon S3 bucket.
The same mapping of an AWS IAM role to Kubernetes pods can be created with the AWS CLI instead of the console, using the command below.
aws eks create-pod-identity-association \
  --cluster-name <CLUSTER_NAME> \
  --namespace <NAMESPACE> \
  --service-account <SERVICE_ACCOUNT_NAME> \
  --role-arn <IAM_ROLE_ARN>
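The role creation, trust policy, Pod Identity association and verification steps described above, carried through end to end as an added example. This is not code from the original post or from AWS; the cluster, bucket, namespace, service-account and role names are placeholders you would replace, and the in-pod check assumes the AWS CLI is present in the container image.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): create the IAM role with the
# Pod Identity trust policy, attach a least-privilege S3 list policy, map the
# role to a Kubernetes service account, and verify from inside a pod.
# All names below are placeholders (assumptions), not values from the post.
set -eu

CLUSTER_NAME="${CLUSTER_NAME:-my-eks-cluster}"
NAMESPACE="${NAMESPACE:-default}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-s3-lister}"
ROLE_NAME="${ROLE_NAME:-eks-pod-identity-s3-lister}"
BUCKET_NAME="${BUCKET_NAME:-example-bucket}"

# Trust policy: only the EKS Pod Identity service principal may assume the
# role. sts:TagSession is needed because Pod Identity tags the session with
# cluster, namespace and service-account attributes.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEksPodIdentity",
      "Effect": "Allow",
      "Principal": { "Service": "pods.eks.amazonaws.com" },
      "Action": [ "sts:AssumeRole", "sts:TagSession" ]
    }
  ]
}
EOF
}

# Permissions policy: listing one bucket is all the demo API needs, so the
# role gets exactly that and nothing else (least privilege).
s3_list_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:ListBucket" ],
      "Resource": "arn:aws:s3:::${1}"
    }
  ]
}
EOF
}

# Create the role, attach the inline policy, then map the role to the
# Kubernetes service account (the CLI equivalent of the console steps).
create_role_and_association() {
  ROLE_ARN=$(aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)" \
    --query 'Role.Arn' --output text)
  aws iam put-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-name "ListOneBucket" \
    --policy-document "$(s3_list_policy "$BUCKET_NAME")"
  aws eks create-pod-identity-association \
    --cluster-name "$CLUSTER_NAME" \
    --namespace "$NAMESPACE" \
    --service-account "$SERVICE_ACCOUNT" \
    --role-arn "$ROLE_ARN"
}

# Verification: the association is listed, the Pod Identity webhook injected
# the AWS_CONTAINER_* credential-endpoint variables into a pod running under
# the service account, and STS reports the assumed role (this last check
# assumes the AWS CLI is installed in the container image).
verify() {
  aws eks list-pod-identity-associations \
    --cluster-name "$CLUSTER_NAME" --namespace "$NAMESPACE" \
    --service-account "$SERVICE_ACCOUNT"
  POD=$(kubectl -n "$NAMESPACE" get pods \
    --field-selector "spec.serviceAccountName=$SERVICE_ACCOUNT" \
    -o jsonpath='{.items[0].metadata.name}')
  kubectl -n "$NAMESPACE" exec "$POD" -- sh -c 'env | grep AWS_CONTAINER_'
  kubectl -n "$NAMESPACE" exec "$POD" -- aws sts get-caller-identity
}

# Only talk to AWS when explicitly asked, so the policy-generating functions
# can be sourced and inspected without credentials.
if [ "${1:-}" = "apply" ] && command -v aws >/dev/null 2>&1; then
  create_role_and_association
  verify
fi
```

Run it as `./pod-identity.sh apply` with the AWS CLI and kubectl configured for the cluster; without the `apply` argument it only defines the functions, so `trust_policy` and `s3_list_policy <bucket>` can be printed and reviewed before anything is created. The `get-caller-identity` output should show an assumed-role ARN for the role named above rather than the node's instance role, which is the practical confirmation that the pod is using its own identity.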
Conclusion
Amazon EKS Pod Identity proves to be a valuable tool for simplifying AWS IAM permissions in Amazon EKS clusters. Seamlessly integrating AWS IAM roles with Kubernetes service accounts streamlines the process of managing application permissions. This enhances security by following the principle of least privilege and provides a more consistent and developer-friendly experience.
In summary, Amazon EKS Pod Identity is a robust solution that reduces the complexity of AWS IAM permission management and improves the overall security and operational aspects of running applications on Amazon EKS.
Drop a query if you have any questions regarding Amazon EKS Pod Identity and we will get back to you quickly.
About CloudThat
CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.
CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, Microsoft Gold Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, and many more.
To get started, go through our Consultancy page and Managed Services Package to learn about CloudThat's offerings.
FAQs
1. How does Amazon EKS Pod Identity enhance security for applications on Amazon EKS clusters?
ANS: – Amazon EKS Pod Identity improves security by allowing applications to assume AWS IAM roles seamlessly. This follows the principle of least privilege, ensuring that applications only have the permissions defined by their associated AWS IAM roles.
2. Can I dynamically resolve AWS IAM roles based on Kubernetes service accounts with Amazon EKS Pod Identity?
ANS: – Yes, Amazon EKS Pod Identity enables dynamic resolution of AWS IAM roles, providing flexibility and scalability. AWS IAM roles can be associated with Kubernetes service accounts, and the resolution occurs based on the service account associated with a pod.
WRITTEN BY Chandan B
Chandan B has worked as a Project Head - DevOps & Kubernetes at CloudThat for the past five years. He is a multi-cloud certified DevOps professional, helping our clients migrate, modernize and containerize their workloads on the cloud by implementing standard DevOps best practices.