How to Connect EKS Pods to AWS Services with EKS Pod Identity. #devops #aws #eks #pods

Rohan Rustagi 477 2 months ago

[ Interview Question ] How to Connect EKS Pods to AWS Services with EKS Pod Identity. #devops #aws #eks #pods

Timestamps:
- Theory/Concepts: 00:00
- Hands-on/Practical demo: 07:00

GitHub repos:
- https://github.com/RohanRusta21/eks-pod-identity-demo
- https://github.com/RohanRusta21/EKSCTL-DEMO-TODO

Concepts: How to Connect EKS Pods to AWS Services with EKS Pod Identity.

What is EKS Pod Identity?
Applications in a Pod's containers can use the AWS SDK or CLI to make API requests to AWS services with IAM permissions. For example, they might upload files to S3 or query DynamoDB. EKS Pod Identity manages these credentials, similar to EC2 instance profiles. Instead of distributing AWS credentials manually, you associate an IAM role with a Kubernetes service account and configure your Pods to use that service account.

Benefits of EKS Pod Identity:
- Least privilege – You can scope IAM permissions to a service account, so only Pods using that service account have access to those permissions. This eliminates the need for third-party solutions like kiam or kube2iam.
- Credential isolation – A Pod's containers can only retrieve credentials for the IAM role associated with the service account they use. Containers never have access to credentials used by containers in other Pods.
- Auditability – Access and event logging are available through AWS CloudTrail to facilitate retrospective auditing.
- Independent operations – In many organizations, creating OIDC identity providers is the responsibility of a different team than the one administering Kubernetes clusters. EKS Pod Identity ensures a clean separation of duties: all configuration of EKS Pod Identity associations is done in Amazon EKS, and all configuration of IAM permissions is done in IAM.
- Reusability – EKS Pod Identity uses a single IAM principal instead of the separate per-cluster principals that IAM roles for service accounts (IRSA) require. Your IAM administrator adds the following principal to the trust policy of any role to make it usable by EKS Pod Identity.
- Scalability – Each set of temporary credentials is assumed by the EKS Auth service in EKS Pod Identity, instead of by each AWS SDK running in each Pod. The Amazon EKS Pod Identity Agent running on each node then issues the credentials to the SDKs.

Follow my mentors too: @PavanElthepu @MPrashant @GouravSharma @cloudwithraj @AntonPutra @AbhishekVeeramalla @kubesimplify @kshindi @DevOpsJourney

Tags: #prometheus #secrets #docker #k8s #kubernetes #cncf #rbac #serverless #grafana #autoscaling #deployment #opensource #devops #grafana #vault #terraform #kustomize #etcd #controlplane #container #opa #dockerhub #gatekeeper #eks #pods #aws
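The description refers to the principal an IAM administrator adds to a role's trust policy without quoting it, and to scoping permissions per service account. The example below is added here and is not code from the video or its GitHub repos: it builds the trust policy from the service principal AWS documents for EKS Pod Identity (pods.eks.amazonaws.com, allowed to call sts:AssumeRole and sts:TagSession), builds the parameters of a Pod Identity association in the shape of the eks:CreatePodIdentityAssociation API, and runs a small audit that flags trust policies trusting anything beyond that principal and permission policies with wildcard actions or resources. The cluster, namespace, service account and role names are constructed placeholders.

```python
"""Model the IAM-side artifacts behind EKS Pod Identity and audit them for
least privilege. Added example; policy shapes follow public AWS documentation,
all names below are constructed placeholders."""
import json

# Service principal the EKS Auth service uses to assume Pod Identity roles
# (per AWS documentation; not quoted in the video description itself).
EKS_POD_IDENTITY_PRINCIPAL = "pods.eks.amazonaws.com"
ALLOWED_TRUST_ACTIONS = {"sts:AssumeRole", "sts:TagSession"}


def build_trust_policy() -> dict:
    """Trust policy a role needs so EKS Pod Identity can assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": EKS_POD_IDENTITY_PRINCIPAL},
            "Action": sorted(ALLOWED_TRUST_ACTIONS),
        }],
    }


def build_association(cluster: str, namespace: str, service_account: str, role_arn: str) -> dict:
    """Parameters of one Pod Identity association: the role is bound to a
    (cluster, namespace, service account) triple, not to a node or a cluster-wide OIDC provider."""
    return {
        "clusterName": cluster,
        "namespace": namespace,
        "serviceAccount": service_account,
        "roleArn": role_arn,
    }


def _as_list(value):
    """IAM policies allow a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict) -> list:
    """Return findings for a trust policy that lets anything other than EKS Pod Identity assume the role."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        for svc in services:
            if svc != EKS_POD_IDENTITY_PRINCIPAL:
                findings.append(f"statement {i}: unexpected service principal {svc}")
        extra = set(_as_list(stmt.get("Action", []))) - ALLOWED_TRUST_ACTIONS
        if extra:
            findings.append(f"statement {i}: extra actions {sorted(extra)}")
    return findings


def audit_permission_policy(policy: dict) -> list:
    """Flag Allow statements with wildcard actions or resources; the point of
    per-service-account roles is lost if the attached policy is '*'."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: wildcard resource")
    return findings


if __name__ == "__main__":
    # Constructed placeholder names for a demo cluster.
    role_arn = "arn:aws:iam::123456789012:role/s3-reader-pod-identity"
    print(json.dumps(build_trust_policy(), indent=2))
    print(json.dumps(build_association("demo-cluster", "default", "s3-reader", role_arn), indent=2))
    print("trust findings:", audit_trust_policy(build_trust_policy()))
```

The two audit functions are the check worth running in CI against the roles referenced by Pod Identity associations: an empty result from audit_trust_policy means only the EKS Pod Identity service principal can assume the role, and an empty result from audit_permission_policy means the role grants nothing broader than the specific actions and resources the workload needs.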