Simplified Cross-Account Access for Amazon EKS

By /

Listen to this Post

Featured Image
Amazon EKS Pod Identity now offers a streamlined way to configure cross-account access for applications running on Amazon Elastic Kubernetes Service (EKS). This enhancement allows seamless permission management for accessing AWS resources (such as S3 buckets or DynamoDB tables) across different accounts.

Key Benefits:

✅ Simplified cross-account permission setup – Just provide the IAM details of the resource account during Pod Identity association.
✅ Automatic temporary credentials – EKS uses IAM role chaining to deliver secure, short-lived credentials to pods at runtime.

This feature is available in all AWS Regions where Amazon EKS is supported.

🔗 Reference: Amazon EKS Pod Identity – AWS

You Should Know:

  1. Setting Up EKS Pod Identity for Cross-Account Access

To configure cross-account access, follow these steps:

Step 1: Create an IAM Role in the Resource Account 

aws iam create-role \ 
--role-name EKSPodIdentityCrossAccountRole \ 
--assume-role-policy-document '{ 
"Version": "2012-10-17", 
"Statement": [{ 
"Effect": "Allow", 
"Principal": { "AWS": "arn:aws:iam::TARGET_ACCOUNT_ID:root" }, 
"Action": "sts:AssumeRole" 
}] 
}'

Step 2: Attach Required Policies to the Role 

aws iam attach-role-policy \ 
--role-name EKSPodIdentityCrossAccountRole \ 
--policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Step 3: Configure EKS Pod Identity Association

aws eks create-pod-identity-association \ 
--cluster-name my-cluster \ 
--namespace default \ 
--service-account my-service-account \ 
--role-arn arn:aws:iam::RESOURCE_ACCOUNT_ID:role/EKSPodIdentityCrossAccountRole

2. Verifying Pod Permissions

Check if the pod has the correct permissions:

kubectl run --rm -i --tty aws-cli-test \ 
--image=amazon/aws-cli \ 
--restart=Never \ 
--command -- aws sts get-caller-identity

3. Troubleshooting Common Issues

  • Error: “Unable to assume role” → Verify trust policy in the resource account.
  • Pod fails to fetch credentials → Check IAM role association and service account configuration.

What Undercode Say

Cross-account access in EKS simplifies multi-account AWS architectures, reducing manual IAM role management. By leveraging IAM role chaining, AWS ensures secure credential handling without exposing long-term keys.

Additional Linux & AWS Security Commands

  • Check AWS CLI Credentials: 
    aws sts get-caller-identity
  • List EKS Pod Identity Associations: 
    aws eks list-pod-identity-associations --cluster-name my-cluster
  • Audit Kubernetes Service Accounts: 
    kubectl get serviceaccounts --all-namespaces
  • Revoke Temporary Credentials (Linux): 
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

Prediction

As Kubernetes adoption grows, AWS will likely introduce more automated IAM delegation features, reducing the need for manual role configurations. Expect deeper integration with AWS Organizations for centralized permission management.

Expected Output:

A fully configured EKS cluster with cross-account access, allowing pods to securely interact with resources in different AWS accounts.

IT/Security Reporter URL:

Reported By: Kimmo Isosomppi – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram

Related Posts: