
AWS IAM Role

IAM roles for service accounts in Amazon EKS enhance security by enabling least privilege access, isolating credentials between Pods, and improving auditability.

AWS security best practices promote the use of EKS Pod Identity; for more details, see the AWS documentation for EKS Pod Identity and the AWS documentation for IAM Roles for Service Accounts.

1. Create an IAM role in the source account

Select Custom trust policy as the trusted entity type and paste the following trust policy, replacing the account id, the region code and the OIDC provider id with your own:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111111111111:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:causely:causely-mediator",
          "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
```

2. Enter the name for the role, for example, CauselyMediation.

3. Register the OIDC provider in the target account

```bash
aws iam create-open-id-connect-provider \
  --url "https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" \
  --client-id-list "sts.amazonaws.com" \
  --thumbprint-list "AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTT"
```

4. Create an IAM role in the target account

Select Custom trust policy as the trusted entity type and paste the following trust policy, replacing the account id and the OIDC provider id of the source cluster with your own:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::222222222222:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:causely:causely-mediator",
          "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
```
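Both trust policies (step 1 and step 4) rely on the same two conditions: the `:aud` key pins the token audience to `sts.amazonaws.com`, and the `:sub` key pins the role to exactly one Kubernetes service account. Dropping either one, or loosening `:sub` to a `StringLike` wildcard, lets other workloads in the cluster assume the role. The following Python linter is an added example, not part of this page or of Causely's code; it reads a trust policy, reports every deviation from that shape, and runs against a constructed copy of the step 1 policy plus a deliberately loosened variant so that the findings are visible. The OIDC provider id, namespace and service account name are the placeholders used on this page.

```python
import json
from typing import Any, Dict, List

# Constructed copy of the trust policy shown in step 1 (source account).
# The step 4 policy differs only in the account id, so the same checks apply.
SOURCE_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111111111111:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:causely:causely-mediator",
          "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}"""

# Placeholder provider id from the page; substitute your cluster's own.
OIDC_PROVIDER = "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"


def _as_list(value: Any) -> List[Any]:
    """IAM accepts either a string or a list of strings in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_irsa_trust_policy(policy_json: str, oidc_provider: str,
                           namespace: str, service_account: str) -> List[str]:
    """Return findings for every Allow statement that grants sts:AssumeRoleWithWebIdentity.

    An empty list means each such statement is pinned to the expected OIDC
    provider, to the sts.amazonaws.com audience, and to exactly one service account.
    """
    policy: Dict[str, Any] = json.loads(policy_json)
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    sub_key = f"{oidc_provider}:sub"
    aud_key = f"{oidc_provider}:aud"
    findings: List[str] = []
    checked = 0

    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = _as_list(stmt.get("Action"))
        grants_web_identity = any(a in ("sts:AssumeRoleWithWebIdentity", "sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_web_identity:
            continue
        checked += 1
        where = f"Statement[{i}]"

        # Principal must be the cluster's own OIDC provider, never a wildcard.
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if principal == "*" or "*" in _as_list(federated):
            findings.append(f"{where}: Principal is '*'; any web identity provider could assume the role")
        elif not any(str(f).endswith(":oidc-provider/" + oidc_provider) for f in _as_list(federated)):
            findings.append(f"{where}: Federated principal {federated!r} is not the cluster's OIDC provider")

        cond = stmt.get("Condition") or {}
        equals = cond.get("StringEquals") or {}
        like = cond.get("StringLike") or {}

        # Audience: without it, a token minted for another audience is accepted.
        if _as_list(equals.get(aud_key)) != ["sts.amazonaws.com"]:
            findings.append(f"{where}: {aud_key} is not pinned to sts.amazonaws.com")

        # Subject: the only condition that ties the role to one service account.
        subs = _as_list(equals.get(sub_key))
        if subs == [expected_sub]:
            continue
        if subs:
            findings.append(f"{where}: {sub_key} allows {subs!r}, expected only {expected_sub!r}")
        elif like.get(sub_key) is not None:
            findings.append(f"{where}: {sub_key} uses StringLike pattern {like.get(sub_key)!r}; "
                            "a wildcard lets other service accounts in the cluster assume the role")
        else:
            findings.append(f"{where}: no {sub_key} condition; every service account in the cluster could assume the role")

    if checked == 0:
        findings.append("no Allow statement grants sts:AssumeRoleWithWebIdentity")
    return findings


def weakened_copy(policy_json: str, oidc_provider: str) -> str:
    """Loosen the page's policy (constructed variant) to show what the linter reports."""
    policy = json.loads(policy_json)
    cond = policy["Statement"][0]["Condition"]
    cond["StringEquals"].pop(f"{oidc_provider}:aud")   # audience check dropped
    cond["StringEquals"].pop(f"{oidc_provider}:sub")
    cond["StringLike"] = {f"{oidc_provider}:sub": "system:serviceaccount:causely:*"}  # namespace-wide wildcard
    return json.dumps(policy)


if __name__ == "__main__":
    for label, doc in (("page policy", SOURCE_TRUST_POLICY),
                       ("weakened policy", weakened_copy(SOURCE_TRUST_POLICY, OIDC_PROVIDER))):
        findings = lint_irsa_trust_policy(doc, OIDC_PROVIDER, "causely", "causely-mediator")
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against the output of `aws iam get-role --role-name CauselyMediation --query Role.AssumeRolePolicyDocument` (and likewise for `CauselyAccess` in the target account) to confirm the deployed roles still match what was pasted; the page's own policy produces no findings, the loosened variant produces two.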

5. Enter the name for the role, for example, CauselyAccess.

6. Assign the following predefined policy to the role:

Or for more granular access, assign the following predefined policies to the role:

7. Create the following Kubernetes secret in the same namespace as the Causely mediator:

aws-secret.yaml

```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: aws-secret
  namespace: causely
stringData:
  AWS_REGION: region-code
  AWS_ROLE_ARN: arn:aws:iam::222222222222:role/CauselyAccess
```

8. Update the Causely mediator with the following Helm values:

causely-values.yaml

```yaml
mediator:
  serviceAccountAnnotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/CauselyMediation

scrapers:
  aws:
    enabled: true
    accounts:
      - arn: arn:aws:organizations::222222222222:account/o-pyxgi8opc5/123456789012
        secretName: aws-secret
```
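The `eks.amazonaws.com/role-arn` annotation in step 8 makes the EKS Pod Identity Webhook mount a projected service account token into the mediator Pod and set the `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` environment variables; the `AWS_ROLE_ARN` in the secret from step 7 points the same token at the target-account role. Every `sts:AssumeRoleWithWebIdentity` call is then decided by the `sub`, `aud` and `exp` claims of that token against the trust policies above. The following Python preflight check is an added example, not part of this page or of Causely's code: it decodes a token (signature verification is left to STS, which checks it against the cluster's JWKS) and reports which claim would cause an AccessDenied. When no token file is present it falls back to a constructed sample; the issuer URL, namespace and service account are the page's placeholders.

```python
import base64
import json
import os
import time
from typing import Any, Dict, List, Optional

# Default mount path used by the EKS Pod Identity Webhook for the projected token.
DEFAULT_TOKEN_FILE = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
# Subject the step 1 and step 4 trust policies require.
EXPECTED_SUB = "system:serviceaccount:causely:causely-mediator"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> Dict[str, Any]:
    """Return the payload of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_projected_token(token: str, expected_sub: str,
                          expected_aud: str = "sts.amazonaws.com",
                          now: Optional[float] = None) -> List[str]:
    """List the claim mismatches that would make AssumeRoleWithWebIdentity fail."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems: List[str] = []

    # Compared by the trust policy's ":sub" StringEquals condition.
    if claims.get("sub") != expected_sub:
        problems.append(f"sub is {claims.get('sub')!r}, trust policy requires {expected_sub!r}")

    # "aud" may be a string or a list; the ":aud" condition needs sts.amazonaws.com present.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        problems.append(f"aud is {aud!r}, trust policy requires {expected_aud!r}")

    # STS rejects expired tokens before any policy evaluation happens.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append(f"token expired or has no exp claim (exp={exp!r})")
    return problems


def constructed_token(sub: str, aud: Any, exp: int) -> str:
    """Build a structurally valid, unsigned sample token (constructed for this example)."""
    header = {"alg": "RS256", "kid": "example-kid"}
    payload = {
        "iss": "https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE",
        "sub": sub, "aud": aud, "iat": exp - 86400, "exp": exp,
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"signature-placeholder"),  # STS, not this script, verifies the real one
    ])


def load_token() -> str:
    """Read the projected token from the webhook-provided path, else use the sample."""
    path = os.environ.get("AWS_WEB_IDENTITY_TOKEN_FILE", DEFAULT_TOKEN_FILE)
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip()
    return constructed_token(EXPECTED_SUB, "sts.amazonaws.com", int(time.time()) + 3600)


if __name__ == "__main__":
    token = load_token()
    problems = check_projected_token(token, EXPECTED_SUB)
    print("role ARN from environment:", os.environ.get("AWS_ROLE_ARN", "<not set>"))
    print("token claims OK" if not problems else "token would be rejected:")
    for problem in problems:
        print("  -", problem)
```

Running it inside the mediator Pod (for example with `kubectl exec`) separates a token problem (wrong namespace or service account name in the annotation, expired projection) from an IAM-side problem (a trust policy that was pasted with a different `sub`), which is the usual split when the scraper reports an AccessDenied from STS.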