Containers running in your Elastic Kubernetes Service (EKS) often need to interact with AWS resources, requiring IAM permissions. The latest approach to managing these permissions is EKS Pod Identities, which simplifies the process compared to the older IAM Roles for Service Accounts (IRSA) method.
With EKS Pod Identities, a credential provider agent runs in your cluster, handling temporary access credentials for pods. Unlike IRSA, this method doesn’t require OIDC configuration, and roles can be reused across multiple clusters.
Anvesh Muppeda provides practical examples for setting this up using EKSCTL and CloudFormation:
🔗 A Hands-On Guide to AWS EKS Pod Identity
You Should Know:
1. Setting Up EKS Pod Identity with EKSCTL
To configure EKS Pod Identity using eksctl, follow these steps:
# Install eksctl (if not already installed)
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
sudo mv /tmp/eksctl /usr/local/bin

# Create an EKS cluster with pod identity enabled
eksctl create cluster --name=pod-identity-demo --region=us-west-2 --with-oidc --enable-pod-identity

# Associate an IAM role with a Kubernetes service account
eksctl create podidentityassociation \
  --cluster pod-identity-demo \
  --namespace default \
  --service-account-name my-service-account \
  --role-arn arn:aws:iam::123456789012:role/my-pod-role \
  --permission-policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
2. Deploying the Pod Identity Agent
AWS provides a Pod Identity Agent that must be installed in your cluster:
# Add the EKS Pod Identity Helm repo
helm repo add eks https://aws.github.io/eks-charts

# Install the agent
helm install pod-identity-agent eks/pod-identity-agent \
  --namespace kube-system \
  --set clusterName=pod-identity-demo
3. Assigning IAM Permissions via CloudFormation
Here’s a CloudFormation template snippet to create an IAM role for pod identity. The trust policy must allow the pods.eks.amazonaws.com service principal both sts:AssumeRole and sts:TagSession; the agent tags the session with cluster, namespace and service-account information, so a role that allows only sts:AssumeRole cannot be assumed by pods:

Resources:
  PodIdentityRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: pods.eks.amazonaws.com
            # Both actions are required for EKS Pod Identity
            Action:
              - sts:AssumeRole
              - sts:TagSession
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
4. Verifying Pod Identity in Kubernetes
Check that the pod has assumed the correct IAM role. The pod must run under the service account named in the pod identity association, otherwise it falls back to whatever credentials the node provides:

# Start a test pod under the associated service account
kubectl run test-pod --image=amazon/aws-cli \
  --overrides='{"spec":{"serviceAccountName":"my-service-account"}}' \
  --command -- sleep infinity

# The returned Arn should be an assumed-role ARN for my-pod-role
kubectl exec -it test-pod -- aws sts get-caller-identity
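Two offline checks that a defender would want alongside steps 3 and 4, written as an added example (not code from the original post or from the guide it links): one audits a role trust policy document, as returned by `aws iam get-role`, for the Pod Identity requirements (service principal pods.eks.amazonaws.com, both sts:AssumeRole and sts:TagSession, no wildcard principal or sts:*), and one parses the `aws sts get-caller-identity` output from the test pod to confirm the workload really runs as the expected role in the expected account rather than as the node's instance role. The sample trust policy and the sample caller-identity JSON are constructed here to match the snippets above; the function names are this example's own.

```python
import json
import re

# Constructed sample: the trust policy from the CloudFormation snippet above,
# in the JSON form that `aws iam get-role` returns under AssumeRolePolicyDocument.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "pods.eks.amazonaws.com"},
            "Action": ["sts:AssumeRole", "sts:TagSession"],
        }
    ],
}

# Constructed sample: `aws sts get-caller-identity` output captured inside the test pod.
SAMPLE_CALLER_IDENTITY = json.dumps({
    "UserId": "AROAEXAMPLE123:test-pod",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/my-pod-role/test-pod",
})

POD_IDENTITY_PRINCIPAL = "pods.eks.amazonaws.com"
REQUIRED_ACTIONS = {"sts:AssumeRole", "sts:TagSession"}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc):
    """Return a list of findings for a role trust policy meant for EKS Pod Identity.
    An empty list means the Pod Identity agent can assume the role and the
    policy is not wider than it needs to be."""
    findings = []
    allow_stmts = [s for s in doc.get("Statement", []) if s.get("Effect") == "Allow"]
    pod_stmts = []
    for stmt in allow_stmts:
        principal = stmt.get("Principal")
        wildcard_aws = isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        if principal == "*" or wildcard_aws:
            findings.append("statement allows any principal (Principal: *) to assume the role")
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if POD_IDENTITY_PRINCIPAL in services:
            pod_stmts.append(stmt)
    if not pod_stmts:
        findings.append(f"no Allow statement for service principal {POD_IDENTITY_PRINCIPAL}")
        return findings
    for stmt in pod_stmts:
        actions = set(_as_list(stmt.get("Action")))
        missing = REQUIRED_ACTIONS - actions
        if "sts:*" in actions:
            findings.append("statement grants sts:* to the Pod Identity principal; "
                            "list the two required actions instead")
        elif missing:
            findings.append("Pod Identity statement is missing required action(s): "
                            + ", ".join(sorted(missing)))
    return findings


# Matches assumed-role ARNs such as arn:aws:sts::123456789012:assumed-role/<role>/<session>
_ASSUMED_ROLE_RE = re.compile(r"^arn:aws[a-z-]*:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")


def caller_identity_matches(raw_json, expected_account, expected_role):
    """Parse `aws sts get-caller-identity` output and confirm the pod runs as the
    expected role in the expected account. Returns (ok, detail). A pod that was
    not matched by an association typically shows the node's instance role here,
    which the role comparison catches."""
    try:
        identity = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return False, f"not valid JSON: {exc}"
    m = _ASSUMED_ROLE_RE.match(identity.get("Arn", ""))
    if not m:
        return False, "Arn is not an assumed-role ARN; credentials do not come from a role"
    account, role, session = m.groups()
    if account != expected_account:
        return False, f"unexpected account {account}"
    if role != expected_role:
        return False, f"unexpected role {role}"
    return True, f"running as {role} (session {session})"


if __name__ == "__main__":
    print("trust policy findings:", audit_trust_policy(SAMPLE_TRUST_POLICY))
    print(caller_identity_matches(SAMPLE_CALLER_IDENTITY, "123456789012", "my-pod-role"))
```

In practice you would feed `audit_trust_policy` the document from `aws iam get-role --role-name my-pod-role --query Role.AssumeRolePolicyDocument` and `caller_identity_matches` the JSON captured by the kubectl exec above; both run as part of a cluster onboarding check so that a role missing sts:TagSession or a pod silently using the node role is caught before workloads depend on it.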
What Undercode Say:
EKS Pod Identities streamline AWS IAM permissions for Kubernetes workloads, eliminating OIDC complexities. Key takeaways:
– Simplified Role Management – Reuse IAM roles across clusters.
– No OIDC Hassle – Avoid IRSA’s dependency on OpenID Connect.
– Temporary Credentials – Enhanced security with short-lived tokens.
To inspect the setup further, these AWS CLI and kubectl commands are useful:

# List all IAM roles in the account
aws iam list-roles

# Check whether an OIDC issuer is configured for the cluster (used by IRSA, not needed for Pod Identity)
aws eks describe-cluster --name pod-identity-demo --query "cluster.identity.oidc.issuer"

# Inspect the Kubernetes service account named in the association
kubectl describe sa my-service-account -n default
Expected output of aws sts get-caller-identity from the test pod (step 4):
{
"UserId": "AROAEXAMPLE123:test-pod",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/my-pod-role/test-pod"
}
References:
Reported By: Darryl Ruggles – Hackers Feeds