AWS IRSA (IAM Roles for Service Accounts)
A comprehensive guide to AWS IRSA implementation and workflow

Overview
Today, we’ll explore AWS IRSA (IAM Roles for Service Accounts) and understand how it enables secure AWS service access for pods running in EKS clusters.
What is AWS IRSA?
AWS IAM Roles for Service Accounts (IRSA) is a method of granting a pod access to AWS services through the Kubernetes ServiceAccount it runs under, on a cluster managed by AWS EKS (Elastic Kubernetes Service).
So how can an IAM Role be attached to a ServiceAccount, which is not an AWS resource at all?
OpenID Connect (OIDC) and the Security Token Service (STS) bridge that gap. The pieces involved are:
- Kubernetes ServiceAccounts
- AWS IAM Roles
- OpenID Connect (OIDC)
- Security Token Service (STS)
What is OIDC(OpenID Connect)?
OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0 that allows users to authenticate with a third-party service using their existing accounts.
It extends OAuth 2.0 authorization to provide user information in addition to tokens.
Create and Verify EKS OIDC Provider
What is ServiceAccount?
A ServiceAccount is a Kubernetes resource that provides an identity for an application or a user inside the cluster.
It is used to manage access to resources within the Kubernetes cluster.
Create IAM Role and ServiceAccount
What is STS(Security Token Service)?
STS is the AWS service that issues temporary security credentials.
It is used to grant short-lived, controlled access to AWS resources.
🔄 IRSA Workflow
- This example follows an application running in a Pod that lists AWS S3 buckets.
- It is assumed that the Pod already has whatever permissions it needs inside the EKS cluster itself (EKS → EKS).
- Those in-cluster permissions are usually granted through Kubernetes RBAC (Role-Based Access Control).
- Pod sends JWT and IAM Role ARN to AWS STS
- STS requests verification from IAM
- IAM verifies with OIDC Provider
- IAM confirms authorization to STS
- STS provides temporary credentials to Pod
- Pod accesses S3 using temporary credentials
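As an added illustration (not code from the original post) of steps 2 to 4, the Python below models what IAM checks when STS receives the Pod's token: the JWT signature, the issuer, and the role trust policy's `sub` and `aud` conditions. The OIDC issuer ID, the account ID and the HS256 key are constructed for offline use; a real EKS token is RS256-signed with the cluster's key and verified against the OIDC provider's published keys.

```python
# Added example, not from the original post: a simplified model of the IAM
# checks behind AssumeRoleWithWebIdentity for an IRSA-enabled pod.
import base64
import hashlib
import hmac
import json

# Constructed values. A real issuer looks like
# oidc.eks.<region>.amazonaws.com/id/<32 hex chars>; this ID is made up.
ISSUER_HOST = "oidc.eks.ap-northeast-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
ACCOUNT_ID = "123456789012"  # placeholder AWS account
DEMO_KEY = b"demo-secret"    # simplification: EKS uses RS256, this demo uses HS256


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(namespace: str, sa_name: str) -> str:
    """Build a JWT carrying the claims of a projected ServiceAccount token."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": f"https://{ISSUER_HOST}", "aud": ["sts.amazonaws.com"],
              "sub": f"system:serviceaccount:{namespace}:{sa_name}"}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def trust_policy(namespace: str, sa_name: str) -> dict:
    """IAM role trust policy that lets exactly one ServiceAccount assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{ISSUER_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{ISSUER_HOST}:aud": "sts.amazonaws.com",
            f"{ISSUER_HOST}:sub": f"system:serviceaccount:{namespace}:{sa_name}"}}}]}


def can_assume(token: str, policy: dict) -> bool:
    """Verify the signature, then evaluate the trust policy conditions on the claims."""
    head, body, sig = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False  # tampered token: rejected before any claim is considered
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != f"https://{ISSUER_HOST}":
        return False  # not issued by this cluster's OIDC provider
    for key, want in policy["Statement"][0]["Condition"]["StringEquals"].items():
        claim = claims.get(key.split(":")[-1])  # "<issuer>:sub" -> "sub"
        if want not in (claim if isinstance(claim, list) else [claim]):
            return False  # wrong namespace/ServiceAccount or wrong audience
    return True
```

The `sub` condition is what keeps a role scoped to one ServiceAccount; a trust policy that omits it (or wildcards it) lets any pod in the cluster with a valid token assume the role.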
Key Components Explained
OIDC (OpenID Connect)
- Authentication protocol built on OAuth 2.0
- Enables identity verification through JSON Web Tokens
- Facilitates secure token exchange between EKS and AWS
AWS STS (Security Token Service)
- Provides temporary security credentials
- Manages short-term access to AWS resources
- Integrates with IAM roles for secure access
JWT (JSON Web Token)
- Secure method for transmitting information
- Digitally signed for verification
- Uses HMAC algorithm or RSA/ECDSA public/private key pairs