I have an Amazon EKS Cluster in which I am deploying ExternalSecrets. I do the deployment of our cluster using IaC (Terraform). Now I want to be able to use
this methodology to allow my new service pods to assume any AWS role for my AWS account and pull the Secrets. I create IAM Roles in terraform files using kube2iam. Any help how I can achieve this? I have added the doc to this as well. Documentation
Related
I have an EKS cluster where my aws-auth configmap has the aws roles to access the cluster. However, the aws roles mapped to it are all deleted. Now I cannot connect to the cluster.
I tried creating the same roles with the same name but because it was AWS SSO created role, I cannot re-use the name. AWS doesn't allow it.
Can someone please help me out of this please?
You can find previous SSO role name from cloudtrail event logs. Once you find the exact name create the iam role with same name.
I've created an EKS cluster with an IAM role and I'm trying to access the cluster from my CI build agent which is present in a different account.
My CI build ec2 instance is not being to able identify the EKS cluster when I attach an Instance profile and a trust relationship with the role used to create the EKS cluster.
But when I go with User authentication, I'm getting the expected output.
I want it to be accessible with the IAM role instead of the IAM User.
Any thoughts or help would be appreciated.
Note: The EKS cluster is created using Terraform with an Assume role authentication.
Followed this link: Enabling cross-account access to Amazon EKS cluster resources
I can make a pod in an Amazon EKS cluster hosted in ci account interact and manage the AWS resources in a target account.
This is the aws config file:
[profile ci-env]
role_arn = arn:aws-cn:iam::CICD_ACCOUNT:role/eksctl-jenkins-cicd-demo-addon-iamserviceacc-Role1-1AQZO394370HE
web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token
region = cn-north-1
[profile target-env]
role_arn = arn:aws-cn:iam::TARGET_ACCOUNT:role/target-account-iam-role
source_profile = ci-env
role_session_name = xactarget
region = cn-north-1
When I run aws s3 ls --profile target-env, it worked and listed the s3 buckets in my target account.
Then, I want to deploy a cdk app on ci account which can create s3 bucket on target account.
But When I run cdk deploy --profile target-env, it appeared:
Need to perform AWS calls for account TARGET_ACCOUNT, but no credentials have been configured.
I am very confused and don't know how to solve it.
I am a beginner of aws service, thanks advance for helping me!
You need to bootstrap all of your (target) accounts to trust the CICD account.
Otherwise, you would have to create and manage the cross-account access by yourself.
IAM Roles + Policies (in all accounts)
S3 Bucket for artifacts + bucket policies (in CICD account)
Key Management Service -> Customer Managed Key + Policies to allow the target accounts
You can spot here an example architecture, which is applying that:
If it's possible for you, you might switch to the CDK Pipelines.
In this guide, also the bootstrapping (incl. trusting) is being applied and every step/resource mentioned from above is being created and properly configured.
It has a few drawbacks as of now, but it's in developer preview and has a quite decent usability and makes your life a lot easier already.
I'm trying to use AWS cli commands inside the container.
I have given policy within ECS cluster instance but it seems the container comes up with error as it tries to call AWS CLI command inside the container as an entrypoint when it boots and fails.
My IAM role with Instance Profile allows to do KMS get and decrypt which is what I need for the AWS CLI operations
Is there a way to pass credentials like instance profile inside ECS task container?
To pass a role to your caontainer(s) in a task you can use IAM Roles for Tasks:
With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task. Applications must sign their AWS API requests with AWS credentials, and this feature provides a strategy for managing credentials for your applications to use, similar to the way that Amazon EC2 instance profiles provide credentials to EC2 instances.
I have a EKS cluster created with eksctl cli tool.
Now the user or role which was used to create the EKS cluster got deleted from AWS IAM and I haven't added any other user the permission to access Kubernetes resources inside the cluster.
I have admin access to my AWS account. Is there a way to get the access to kubernetes cluster resources running inside EKS?
I tried the solution provided in the below article and it didn't workout as the IAM user and role was deleted from AWS: https://aws.amazon.com/premiumsupport/knowledge-center/amazon-eks-cluster-access/
Help would be appreciated. Thanks
I believe there is a simple solution:
Simply create the IAM User or IAM Role with the same name as previously used for the cluster. Then generate and export User credentials or assume the IAM Role.
Then simply run
aws eks update-kubeconfig --name ${cluster_name}
and then you should be able to perform actions against API using kubectl.