eksctl create iamserviceaccount: Explained

By Filip on 11/10/2024

Learn how the Terraform command 'eksctl create iamserviceaccount' simplifies IAM service account creation and management in your Amazon EKS clusters.

Introduction

Managing AWS permissions for your Kubernetes workloads running on Amazon EKS can be streamlined with the eksctl create iamserviceaccount command. This command simplifies the process of granting your EKS service accounts the necessary access to AWS resources. Here's how it works:

Step-by-Step Guide

eksctl create iamserviceaccount simplifies the process of granting AWS permissions to Kubernetes service accounts within your EKS cluster. Here's a breakdown:

  1. IAM Role Creation: It generates an IAM role with permissions you specify. This role dictates what AWS resources the service account can interact with.

    eksctl create iamserviceaccount \
    --name my-service-account \
    --namespace my-namespace \
    --cluster my-cluster \
    --attach-policy-arn arn:aws:iam::...:policy/AmazonS3FullAccess \
    --approve   # without --approve eksctl only prints the plan and changes nothing
    
  2. Trust Relationship: It configures the IAM role to trust the EKS cluster's identity. This allows Kubernetes to assume the role on behalf of the service account.

  3. Service Account Creation: It creates a service account within your specified Kubernetes namespace.

  4. Annotation: It attaches the IAM role's ARN to the service account as an annotation. This annotation is crucial:

    eks.amazonaws.com/role-arn: arn:aws:iam::...:role/my-iam-role

  5. (Optional) AWS Addon: If you're using the aws-iam-authenticator, this annotation is enough. For the newer IRSA (IAM Roles for Service Accounts) system, an additional step is needed:

    eksctl utils associate-iam-oidc-provider --cluster my-cluster --approve   # --approve applies the change instead of planning it

    This command sets up the necessary OpenID Connect (OIDC) provider for IRSA.

Now, pods running with this service account can seamlessly leverage the associated IAM role's permissions when accessing AWS services.

Code Example

This example shows how to use eksctl create iamserviceaccount to give a Kubernetes service account read-only access to an S3 bucket. It creates an IAM role with the necessary policy and a corresponding service account in your cluster, associates the OIDC provider, deploys a test pod that uses the service account, and verifies the access. Replace the placeholder values with your actual cluster, namespace, and bucket names.

1. Prerequisites:

  • An existing EKS cluster named my-cluster.
  • eksctl and kubectl installed and configured.
  • An S3 bucket named my-bucket.

2. Create the IAM Service Account:

eksctl create iamserviceaccount \
  --name s3-reader \
  --namespace my-namespace \
  --cluster my-cluster \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \
  --approve   # required; otherwise eksctl only prints what it would create

This command:

  • Creates an IAM role named eksctl-my-cluster-my-namespace-s3-reader-XXXX (XXXX is a random suffix).
  • Attaches the AmazonS3ReadOnlyAccess policy to the role.
  • Creates a service account named s3-reader in the my-namespace namespace.
  • Annotates the service account with the IAM role ARN.

3. Associate OIDC Provider (for IRSA):

eksctl utils associate-iam-oidc-provider --cluster my-cluster --approve   # --approve applies the change

This step is required if your cluster uses IRSA. It configures the OIDC provider for your cluster.

4. Deploy a Pod using the Service Account:

Create a file named pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  namespace: my-namespace
spec:
  serviceAccountName: s3-reader
  containers:
  - name: my-container
    # amazon/aws-cli ships the aws CLI used in the verification step; busybox does not.
    image: amazon/aws-cli
    # command overrides the image entrypoint so the pod stays up for kubectl exec.
    command:
      - sleep
      - "1000"

This pod:

  • Uses the s3-reader service account.
  • Runs a simple sleep command (replace with your application logic).

Deploy the pod:

kubectl apply -f pod.yaml

5. Verification:

Exec into the pod:

kubectl exec -it my-pod -n my-namespace -- sh

Try listing the contents of your S3 bucket:

aws s3 ls s3://my-bucket

You should see the contents of your bucket listed, confirming that the service account has read-only access.

Note: Replace placeholders like my-cluster, my-namespace, my-bucket with your actual values.

Additional Notes

  • Security Best Practices: Always follow the principle of least privilege. Grant only the specific IAM permissions required by your service account. Regularly audit and revoke unnecessary permissions.
  • Alternatives to eksctl: While eksctl simplifies the process, you can achieve the same results using the AWS CLI and kubectl directly. This provides more granular control but requires a deeper understanding of the underlying mechanisms.
  • Troubleshooting: If your pods encounter permission issues, double-check the following:
    • Correct IAM role ARN annotation on the service account.
    • The IAM role has the necessary permissions.
    • OIDC provider is correctly associated with your cluster (for IRSA).
  • Advanced Use Cases:
    • Fine-Grained Permissions: You can attach multiple IAM policies to the role for more specific control.
    • Dynamic Policy Generation: Tools like kiam can dynamically generate IAM policies based on pod labels, providing more flexibility.
  • Keep Updated: AWS continuously evolves its services. Stay informed about new features, security best practices, and updates related to EKS and IAM roles for service accounts.
  • IAM Policy Simulator: Before deploying, use the IAM policy simulator in the AWS console to test and validate your IAM role's permissions. This helps ensure your applications have the intended access without unexpected errors.
  • Consider aws-iam-authenticator vs. IRSA: While both methods allow pods to assume IAM roles, IRSA is the newer and recommended approach due to its improved security and scalability.
  • Resource Cleanup: When removing service accounts, remember to delete the associated IAM role to avoid accumulating unused resources. You can use eksctl delete iamserviceaccount for this purpose.
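As an added example (not eksctl's or the article's own code), the following Python builds the trust policy that the Trust Relationship step refers to, in the shape eksctl attaches to the role, and audits an existing role's trust policy against the troubleshooting items above (role scoped to the annotated service account, OIDC conditions present). The account ID and OIDC issuer are constructed placeholders.

```python
"""Added example (not eksctl's own code): build the IRSA trust policy that the
"Trust Relationship" step describes, then audit it for the troubleshooting list."""

# Constructed sample values; take real ones from your account and cluster.
ACCOUNT_ID = "111122223333"
OIDC_ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"


def build_irsa_trust_policy(account_id, oidc_issuer, namespace, sa_name):
    """Trust policy that lets exactly one service account assume the role.

    The sub condition pins the projected token to namespace:name and the aud
    condition rejects tokens minted for any audience other than STS.
    """
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_issuer}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_issuer}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
                f"{oidc_issuer}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def audit_trust_policy(policy, oidc_issuer, namespace, sa_name):
    """Return a list of findings; an empty list means the role is scoped to this SA."""
    findings = []
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        sub = equals.get(f"{oidc_issuer}:sub") or like.get(f"{oidc_issuer}:sub")
        if sub is None:
            findings.append("no sub condition: any service account in the cluster can assume the role")
        elif "*" in sub:
            findings.append(f"wildcard sub {sub!r}: role is not scoped to one service account")
        elif sub != expected_sub:
            findings.append(f"sub {sub!r} does not match the annotated service account {expected_sub!r}")
        if equals.get(f"{oidc_issuer}:aud") != "sts.amazonaws.com":
            findings.append("aud condition missing or not sts.amazonaws.com")
    return findings
```

To audit a live role, feed the output of `aws iam get-role` (the AssumeRolePolicyDocument field) to audit_trust_policy together with the namespace and name from the service account's eks.amazonaws.com/role-arn annotation.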

Summary

This command simplifies granting AWS permissions to Kubernetes service accounts in EKS clusters.

Feature                   Description
IAM Role Creation         Generates an IAM role with specified permissions for the service account.
Trust Relationship        Configures the IAM role to trust the EKS cluster, allowing role assumption.
Service Account Creation  Creates a service account in the specified Kubernetes namespace.
Annotation                Attaches the IAM role's ARN to the service account as an annotation.
AWS Addon (Optional)      For IRSA, use eksctl utils associate-iam-oidc-provider to set up the OIDC provider.

Benefits:

  • Seamlessly grants AWS permissions to Kubernetes service accounts.
  • Simplifies interaction between pods and AWS services.

Example:

eksctl create iamserviceaccount \
--name my-service-account \
--namespace my-namespace \
--cluster my-cluster \
--attach-policy-arn arn:aws:iam::...:policy/AmazonS3FullAccess \
--approve   # apply the change; without it eksctl only prints the plan

Note: The eks.amazonaws.com/role-arn annotation is crucial for both aws-iam-authenticator and IRSA.

Conclusion

In conclusion, eksctl create iamserviceaccount is a valuable tool for simplifying AWS permissions management in EKS environments. By automating the creation of IAM roles, trust relationships, service accounts, and annotations, it streamlines the process of granting pods the necessary access to AWS resources. Understanding its capabilities and following security best practices empowers developers to securely integrate their Kubernetes workloads with AWS services.
