EKS Pod — Service Account with IAM Role
Provide granular IAM permissions to AWS services
Overview
With the introduction of IAM permissions for Kubernetes service accounts in EKS, AWS provides fine-grained, pod-level access control when running clusters with multiple co-located services.
Previously, when running a Kubernetes cluster on AWS, you could only associate an IAM role with an EC2 node in the cluster, and every pod that ran on that node inherited the same IAM role. This made it hard to run pods with different access control requirements on the same set of nodes.
The IAM roles for service accounts feature is available on new Amazon EKS Kubernetes version 1.14 and later clusters.
IAM ROLE
The first step is to create an IAM role with a trust relationship and the permissions the pod needs.
Creating the trust relationship requires the cluster's OIDC provider (the OIDC_PROVIDER URL). It is shown in the AWS Console under Amazon Container Services -> Clusters.
Now create the IAM role from AWS -> IAM -> Roles.
Next, select the permissions; here I attach the AWS managed policy ViewOnly.
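As an added example that is not code from the original article, the POSIX shell script below does the same two steps as the console flow from the command line: it builds the trust policy in which the federated principal is the cluster's OIDC provider and the `sub`/`aud` conditions pin the role to exactly one namespace and service account name, checks that the `sub` condition is not wildcarded (a `StringLike` or `*` there would let any pod in the cluster assume the role), and, only when `IRSA_APPLY=1` is set, creates the role with `aws iam create-role` and attaches the managed policy with `aws iam attach-role-policy`. The account id, OIDC provider path, namespace, service account and role names are constructed placeholders, and the managed policy is assumed to be the job-function policy `ViewOnlyAccess` that the article refers to as ViewOnly.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds the IRSA trust
# policy for one Kubernetes service account, checks that it is not wildcarded,
# and (only when IRSA_APPLY=1) creates the role with the AWS CLI.
# All ids, names and the OIDC provider path below are constructed placeholders.

# irsa_trust_policy ACCOUNT_ID OIDC_PROVIDER NAMESPACE SERVICE_ACCOUNT
# OIDC_PROVIDER is the cluster issuer URL without the "https://" prefix,
# as shown in the console under Amazon Container Services -> Clusters.
irsa_trust_policy() {
  tp_account="$1"; tp_oidc="$2"; tp_ns="$3"; tp_sa="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${tp_account}:oidc-provider/${tp_oidc}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${tp_oidc}:sub": "system:serviceaccount:${tp_ns}:${tp_sa}",
          "${tp_oidc}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
}

# irsa_trust_policy_is_scoped POLICY_JSON
# Returns 0 when the sub condition names exactly one service account: no
# wildcard characters and no StringLike, either of which would let other
# pods in the cluster assume the role.
irsa_trust_policy_is_scoped() {
  sc_policy="$1"
  sc_sub=$(printf '%s\n' "$sc_policy" | grep ':sub"') || return 1
  case "$sc_sub" in
    *'*'*|*'?'*) return 1 ;;
  esac
  if printf '%s\n' "$sc_policy" | grep -q '"StringLike"'; then
    return 1
  fi
  return 0
}

# irsa_create_role ROLE_NAME ACCOUNT_ID OIDC_PROVIDER NAMESPACE SERVICE_ACCOUNT
# Same two steps as the console flow: create the role with the trust policy,
# then attach the AWS managed ViewOnlyAccess job-function policy.
irsa_create_role() {
  cr_role="$1"
  cr_policy=$(irsa_trust_policy "$2" "$3" "$4" "$5")
  irsa_trust_policy_is_scoped "$cr_policy" || {
    echo "refusing to create $cr_role: trust policy is not scoped to one service account" >&2
    return 1
  }
  aws iam create-role --role-name "$cr_role" \
    --assume-role-policy-document "$cr_policy"
  aws iam attach-role-policy --role-name "$cr_role" \
    --policy-arn arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
}

# Placeholder values (constructed for this example).
ACCOUNT_ID="123456789012"
OIDC_PROVIDER="oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
NAMESPACE="default"
SERVICE_ACCOUNT="viewonly-sa"
ROLE_NAME="eks-viewonly-sa-role"

if [ "${IRSA_APPLY:-0}" = "1" ]; then
  irsa_create_role "$ROLE_NAME" "$ACCOUNT_ID" "$OIDC_PROVIDER" "$NAMESPACE" "$SERVICE_ACCOUNT"
else
  # Dry run: print the trust policy so it can be reviewed before creating the role.
  irsa_trust_policy "$ACCOUNT_ID" "$OIDC_PROVIDER" "$NAMESPACE" "$SERVICE_ACCOUNT"
fi
```

Run it without `IRSA_APPLY` to review the generated trust policy first; the `sub` condition must name the exact namespace and service account that the pod will use, because that condition is the only thing separating this pod's identity from every other pod that can present a token from the same OIDC provider.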