EKS Pod Identity Agent

DeveloperSteve
Lumigo

The introduction of Amazon EKS Pod Identities at last year's AWS re:Invent conference has provided an interesting new way to help manage Kubernetes permissions. This feature enhances container orchestration by streamlining the process of managing access to resources. This development is especially significant for those dealing with the complexities of IAM (Identity and Access Management) in Elastic Kubernetes Service (EKS). IAM management in EKS has been historically tricky, especially with the growing use of microservices. Amazon EKS Pod Identities offers an easier way to manage it and a secure approach to tackling permission challenges within deployments.

Traditionally, managing IAM within EKS has been notably fiddly, often facing the challenge of credential distribution and management hurdles. These challenges not only complicate operations but also pose security risks. This feature simplifies the process by directly linking Kubernetes service accounts with AWS IAM roles, ensuring EKS applications have more manageable and safer access to necessary AWS services.

Understanding Amazon EKS Pod Identities

Amazon EKS Pod Identities is the new way of managing IAM credentials in AWS Kubernetes environments. It's a departure from the traditional approach of credential management and creates a direct connection between IAM roles and Kubernetes service accounts. This new feature simplifies the management of credentials and provides a more secure approach for Kubernetes environments.

In the past, AWS credentials were assigned directly to individual containers or based on the roles assigned to Amazon EC2 instances. While commonly used, this method often involved complex management processes and posed security risks due to the manual handling and distribution of credentials. For instance, an application that required access to an S3 bucket would need AWS credentials manually injected into its environment, which raised concerns about secure credential storage and the difficulty of managing these permissions across multiple containers or services.

This new approach simplifies IAM credential management by eliminating manual handling. Applications are linked to a Kubernetes service account with the necessary IAM role, streamlining authentication with AWS services and enhancing security. EKS Pod Identities enables seamless IAM permission inheritance for applications within Pods, following secure cloud-native development principles.

Key Benefits of EKS Pod Identities:

- Simplified Credential Management: This feature significantly reduces the complexity of managing IAM credentials in a Kubernetes environment.
- Security Enhancement: It adheres to the principle of least privilege, thereby reducing the risk of unauthorized access.
- Operational Efficiency: EKS Pod Identities are easier to manage than traditional IAM roles for service accounts, offering scalability and reducing credential load.

Getting started with EKS Pod Identities

Before initiating the setup, ensure you have an operational Amazon EKS cluster. The node role in your cluster must have permission to execute the AssumeRoleForPodIdentity action via the EKS Auth API. This can be done using the AWS managed policy AmazonEKSWorkerNodePolicy or by adding a custom policy resembling the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks-auth:AssumeRoleForPodIdentity"
            ],
            "Resource": "*"
        }
    ]
}

Remember, this action can be scoped with tag conditions to restrict which roles can be assumed by pods that use the agent, rather than leaving the resource as a wildcard.

To incorporate EKS Pod Identities into your Kubernetes environment, you can use either the AWS CLI or the AWS Management Console. The first step involves installing the EKS Pod Identity Agent add-on. Replace the-cluster with your cluster's name in the command:

aws eks create-addon --cluster-name the-cluster --addon-name eks-pod-identity-agent --addon-version v1.0.0-eksbuild.1

After installing the EKS Pod Identity Agent, verify its active status in your cluster using:

kubectl get pods -n kube-system | grep 'eks-pod-identity-agent'

Alternatively, you can use the AWS Management Console: open the Amazon EKS section from the navigation menu, and then follow these steps:

  1. Selecting Your Cluster: In the console, navigate to the left-hand pane and click on Clusters. Then, select the cluster you wish to configure for the EKS Pod Identity Agent from the list of available clusters.
  2. Navigating to Add-ons: Once you’ve selected your cluster, find the ‘Add-ons’ tab. This section is dedicated to managing the add-ons for your EKS cluster.
  3. Checking for Updates: If there’s an update available for the EKS Pod Identity Agent, you’ll see an ‘Update version’ button. Keeping the add-on current matters because newer versions carry the latest features and security fixes.
  4. Updating the Agent: Click ‘Update version’ to proceed. You will be directed to the Configure Amazon EKS Pod Identity Agent page. Select the desired version from the dropdown list under Version. It’s recommended to opt for the most recent version for performance and security, subject to what your deployment supports.
  5. Saving Changes: After selecting the new version, click ‘Save changes’ to apply the update to your cluster. This process might take a few seconds to a minute; wait for it to complete fully.
  6. Verifying the Update: Once the update process is complete, verify the status of the add-on. A successful update is reflected in the ‘Status’ section, confirming that your EKS cluster is now running the updated version of the EKS Pod Identity Agent.

Configuring an Amazon EKS Pod Identity for DynamoDB

In this example, we will configure a Kubernetes service account in Amazon EKS to assume an IAM role using EKS Pod Identity. This setup will enable any Pods associated with this service account to access Amazon DynamoDB.

First, create an IAM policy that grants the required permissions for accessing DynamoDB. For instance, suppose you want to grant read and write access to a specific DynamoDB table. Your policy might look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:PutItem"
            ],
            "Resource": "arn:aws:dynamodb:region:account-id:table/your-table-name"
        }
    ]
}

Create this policy using the AWS CLI:

aws iam create-policy --policy-name my-dynamo-policy --policy-document file://my-policy.json

Create a trust policy file (trust-relationship.json) that allows the EKS Pod Identity service principal to assume the role. The agent tags each session with the cluster, namespace and service account, so the trust policy must grant sts:TagSession alongside sts:AssumeRole:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "pods.eks.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
            ]
        }
    ]
}

Then, create the IAM role:

aws iam create-role --role-name my-dynamo-role --assume-role-policy-document file://trust-relationship.json --description "Role for DynamoDB access from EKS Pods"

Attach the DynamoDB policy to your role:

aws iam attach-role-policy --role-name my-dynamo-role --policy-arn arn:aws:iam::account-id:policy/my-dynamo-policy

Create the EKS Pod Identity association, which binds the role to the Kubernetes service account in the given namespace:

aws eks create-pod-identity-association --cluster-name my-cluster --role-arn arn:aws:iam::account-id:role/my-dynamo-role --namespace default --service-account my-dynamo-service-account

Verify that the role and service account are correctly configured by checking the IAM role’s trust policy:

aws iam get-role --role-name my-dynamo-role --query Role.AssumeRolePolicyDocument

Lastly, confirm the attached policy:

aws iam list-attached-role-policies --role-name my-dynamo-role --query 'AttachedPolicies[].PolicyArn' --output text
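As an added check that is not part of the original post, the following Python script lints the two policy documents from the steps above before they are handed to the AWS CLI: it confirms the trust policy names the pods.eks.amazonaws.com principal and grants both sts:AssumeRole and sts:TagSession, and it flags wildcard actions or resources in the permission policy. The sample documents embedded in it are constructed for the example.

```python
import json

POD_IDENTITY_PRINCIPAL = "pods.eks.amazonaws.com"
REQUIRED_TRUST_ACTIONS = {"sts:AssumeRole", "sts:TagSession"}


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_trust_policy(doc):
    """Return findings for a Pod Identity trust policy (empty list means it looks right)."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = set(_as_list(principal.get("Service", []))) if isinstance(principal, dict) else set()
        if principal == "*" or "*" in services:
            findings.append("trust policy allows any principal")
        elif POD_IDENTITY_PRINCIPAL not in services:
            findings.append("principal is not " + POD_IDENTITY_PRINCIPAL)
        missing = REQUIRED_TRUST_ACTIONS - set(_as_list(stmt.get("Action", [])))
        if missing:
            findings.append("missing trust actions: " + ", ".join(sorted(missing)))
    return findings


def lint_permission_policy(doc):
    """Flag wildcard actions or resources in the role's permission policy."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append("wildcard action: " + action)
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append("wildcard resource: *")
    return findings


# Constructed samples: the trust policy from the post and an over-broad
# permission policy that the linter should reject.
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "pods.eks.amazonaws.com"},
  "Action": ["sts:AssumeRole", "sts:TagSession"]}]}""")
OVERBROAD_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "dynamodb:*", "Resource": "*"}]}""")

if __name__ == "__main__":
    print(lint_trust_policy(TRUST_POLICY) or "trust policy OK")
    print(lint_permission_policy(OVERBROAD_POLICY))
```

Run it against trust-relationship.json and my-policy.json (load them with json.load) as a pre-flight step before aws iam create-role and aws iam create-policy.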

Final Thoughts

The launch of Amazon EKS Pod Identities represents a step forward in addressing the issues around IAM management in EKS. This feature makes managing the IAM process for EKS a bit easier, ensuring that apps deployed to the EKS environment operate more securely and efficiently.

If you want better traceability and troubleshooting for your Kubernetes deployments, sign up for a free Lumigo account. Our Kubernetes operator enables automatic tracing of applications deployed to namespaces without requiring sidecars or cumbersome deployments.

If this post has been helpful or you found it interesting, please share it with your network; better still, share your thoughts and give us a like/clap/kudos.
