AWS EKS and the Least Privilege Principle

  1. Both applications are hosted in a single AWS Elastic Kubernetes Service (EKS) managed cluster.
  2. Application A needs access to AWS S3 and Application B needs access to AWS DynamoDB.
  3. The cluster is launched by a common DevOps team.
  4. To follow best practices for granting access, the DevOps team creates an AWS IAM Role and attaches both the S3 and the DynamoDB access permissions to it.
  5. The IAM role is assumed by the EC2 worker nodes.

IRSA solution leverages quite a few concepts to implement the least privilege principle —

  1. A Mutating Admission Controller webhook that manipulates the Pod manifest when the API Server receives a request to create a new Pod.
  2. The Kubernetes native Service Account (SA) resource, used to pass a token to the application. The SA is annotated with the IAM role to be assumed.
  3. OpenID Connect (OIDC) federation to assume IAM roles via AWS Security Token Service (STS).
  4. The AssumeRoleWithWebIdentity construct to obtain temporary IAM credentials in exchange for a token issued by the OpenID Connect provider.

Let us understand what is expected from the end user to make it work as expected —

1. Assuming the EKS cluster is already set up, create an OpenID Connect Provider using the Issuer URL of your EKS cluster.

> ISSUER_URL=$(aws eks describe-cluster --name cluster_name --query cluster.identity.oidc.issuer --output text)

Trust Relationship of the Role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxx444:oidc-provider/oidc.eks.us-east-2.amazonaws.com/id/xxxxxxxx123"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-2.amazonaws.com/id/xxxxxxxx123:sub": "system:serviceaccount:default:Application-A-serviceaccount",
          "oidc.eks.us-east-2.amazonaws.com/id/xxxxxxxx123:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
```
Service account manifest for Application A, annotated with the role to assume:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::xxxx444:role/s3-readonly-role
  name: Application-A-serviceaccount
  namespace: default
secrets:
- name: Application-A-serviceaccount-token-xxxxx
```
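The `sub` and `aud` conditions in the trust policy are what make this least privilege: without them, any pod in any cluster federated through the same provider could assume the role. The following added example (not code from the article) builds a trust policy pinned to one namespace and service account from the issuer URL returned by `aws eks describe-cluster`, and audits an existing policy for statements that are not pinned. The account ID and provider ID are the article's placeholders; the generated JSON is what you would pass to `aws iam create-role --assume-role-policy-document file://trust.json`.

```python
"""Build and audit the IAM trust policy that scopes an IRSA role to one service account.

Added example, not code from the original article. Account ID and OIDC
provider ID below are the article's placeholders, not real values.
"""
import json

STS_ACTION = "sts:AssumeRoleWithWebIdentity"


def provider_host(issuer_url):
    """Condition keys and the provider ARN use the issuer URL without its scheme."""
    return issuer_url.replace("https://", "", 1).rstrip("/")


def build_trust_policy(account_id, issuer_url, namespace, service_account):
    """Trust policy allowing only system:serviceaccount:<namespace>:<sa> from this cluster's issuer."""
    host = provider_host(issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host}"},
            "Action": STS_ACTION,
            "Condition": {"StringEquals": {
                f"{host}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{host}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def _condition_values(condition, suffix):
    """Collect condition values whose key ends with suffix (IAM allows strings or lists)."""
    out = []
    for operator in ("StringEquals", "StringLike"):
        for key, value in condition.get(operator, {}).items():
            if key.endswith(suffix):
                out.extend(value if isinstance(value, list) else [value])
    return out


def audit_trust_policy(policy):
    """Return findings for Allow statements that let more than one service account assume the role."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or STS_ACTION not in actions:
            continue
        if "Federated" not in stmt.get("Principal", {}):
            findings.append(f"statement {idx}: no Federated principal")
            continue
        condition = stmt.get("Condition", {})
        sub_values = _condition_values(condition, ":sub")
        aud_values = _condition_values(condition, ":aud")
        if not sub_values:
            findings.append(f"statement {idx}: no :sub condition, any service account "
                            "issued by this provider can assume the role")
        for value in sub_values:
            if "*" in value or "?" in value:
                findings.append(f"statement {idx}: wildcard :sub {value!r} matches more "
                                "than one service account")
        if not aud_values:
            findings.append(f"statement {idx}: no :aud condition, tokens minted for other "
                            "audiences are accepted")
    return findings


if __name__ == "__main__":
    # Placeholder issuer from the article (the real one comes from `aws eks describe-cluster`)
    issuer = "https://oidc.eks.us-east-2.amazonaws.com/id/xxxxxxxx123"
    policy = build_trust_policy("xxxx444", issuer, "default", "Application-A-serviceaccount")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy))
```

Running the audit against the roles in an account (`aws iam get-role` returns the trust policy under `AssumeRolePolicyDocument`) catches the common drift where someone relaxes `StringEquals` to `StringLike` with `system:serviceaccount:*:*` to "make it work"; that change silently hands the role to every pod in the cluster.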
Pod manifest for Application A, referencing that service account:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: Application-A
spec:
  containers:
  - image: amazon/aws-cli:latest
    command: ["/bin/sh"]
    args: ["-c", "sleep 1000"]
    name: Application-A
  serviceAccountName: Application-A-serviceaccount
```
  1. The Mutating Admission Controller running in EKS calls the EKS Pod Identity Webhook, which injects two environment variables, AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, into the Pod spec and also mounts a projected volume named aws-iam-token.
  2. AWS_ROLE_ARN contains the Role ARN that was configured in Step #2 of the earlier section.
  3. AWS_WEB_IDENTITY_TOKEN_FILE contains the path of the JWT issued by the EKS cluster's OIDC endpoint.
  4. aws-iam-token is the projected volume that carries the JWT's settings: path, expiry time, target audience, etc. For details, see here.
Pod manifest after the webhook has mutated it:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: Application-A
spec:
  containers:
  - args:
    - -c
    - sleep 1000
    command:
    - /bin/sh
    env:
    - name: AWS_ROLE_ARN
      value: arn:aws:iam::xxxx444:role/s3-readonly-role
    - name: AWS_WEB_IDENTITY_TOKEN_FILE
      value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    image: amazon/aws-cli:latest
    name: Application-A
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: Application-A-serviceaccount-token-xxxxx
      readOnly: true
    - mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
      name: aws-iam-token
      readOnly: true
  serviceAccountName: Application-A-serviceaccount
  volumes:
  - name: aws-iam-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: sts.amazonaws.com
          expirationSeconds: 86400
          path: token
  - name: Application-A-serviceaccount-token-xxxxx
    secret:
      defaultMode: 420
      secretName: Application-A-serviceaccount-token-xxxxx
```
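The AWS SDK inside the container reads the file at AWS_WEB_IDENTITY_TOKEN_FILE and sends it to STS with AssumeRoleWithWebIdentity; STS verifies the token's signature against the cluster's OIDC provider keys and then checks its claims against the role's trust policy. The following added example (not code from the article) constructs a sample token with the claims the projected volume above issues (iss, sub, aud, exp), decodes it the way you would when debugging a failed assume, and applies the same claim checks locally. The signature is a dummy and is not verified here; the provider host and condition values are the article's placeholders.

```python
"""Inspect the projected web identity token and check it against the trust policy condition.

Added example, not from the original article. The JWT is constructed locally
with a dummy signature so this runs offline; STS additionally verifies the
signature of a real token against the OIDC provider's keys, which is not done here.
"""
import base64
import json
import time

# Provider host from the article's trust policy (placeholder ID)
PROVIDER_HOST = "oidc.eks.us-east-2.amazonaws.com/id/xxxxxxxx123"

# Condition block of the role's trust policy, exactly as in the article
TRUST_CONDITION = {
    "StringEquals": {
        f"{PROVIDER_HOST}:sub": "system:serviceaccount:default:Application-A-serviceaccount",
        f"{PROVIDER_HOST}:aud": "sts.amazonaws.com",
    }
}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_projected_token(namespace, service_account, audience, lifetime_seconds, now=None):
    """Constructed sample token with the claims an EKS projected serviceAccountToken carries."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "kid": "constructed-kid"}
    claims = {
        "iss": f"https://{PROVIDER_HOST}",
        "sub": f"system:serviceaccount:{namespace}:{service_account}",
        "aud": [audience],                      # matches the volume's `audience:` field
        "iat": now,
        "nbf": now,
        "exp": now + lifetime_seconds,          # matches the volume's `expirationSeconds:`
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": service_account}},
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


def decode_claims(token):
    """Return the payload claims without verifying the signature (inspection only)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def sts_would_allow(token, condition, now=None):
    """Mimic the claim checks STS applies: issuer, expiry and each StringEquals condition key."""
    now = int(time.time()) if now is None else now
    claims = decode_claims(token)
    reasons = []
    issuer_host = claims.get("iss", "").replace("https://", "", 1)
    if issuer_host != PROVIDER_HOST:
        reasons.append("issuer does not match the federated principal")
    if claims.get("exp", 0) <= now:
        reasons.append("token expired")
    for key, expected in condition.get("StringEquals", {}).items():
        host, _, claim_name = key.rpartition(":")
        if host != issuer_host:
            reasons.append(f"condition key {key!r} refers to a different provider")
            continue
        actual = claims.get(claim_name)
        matched = expected in actual if isinstance(actual, list) else actual == expected
        if not matched:
            reasons.append(f"{claim_name} claim {actual!r} != {expected!r}")
    return (not reasons, reasons)


if __name__ == "__main__":
    token = make_projected_token("default", "Application-A-serviceaccount", "sts.amazonaws.com", 86400)
    print(json.dumps(decode_claims(token), indent=2))
    print(sts_would_allow(token, TRUST_CONDITION))
```

When a pod gets `AccessDenied` on AssumeRoleWithWebIdentity, decoding the token from the mounted path and comparing `sub` and `aud` with the trust policy this way usually points at the cause (a typo in the service account name, the wrong namespace, or a token minted for a different audience) faster than reading CloudTrail.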

Naresh Waswani