Understanding Amazon EKS Pod Identity Addon

A deep dive into EKS Pod Identity and comparison with IRSA




Overview

This post explores EKS Pod Identity Addon, a new feature released by AWS in December 2023 for managing IAM credentials in EKS clusters.

What is EKS Pod Identity?
  • Manages credentials for applications in the same way that EC2 instance profiles do for instances
  • Provides secure credentials through EKS Auth API and agent pods
  • Integrates with Kubernetes API server via Pod Identity Webhook
  • Simplifies AWS permissions management for Kubernetes identities


How It Works

Service Account and IAM Role Connection

Key Components
  • Links Kubernetes service accounts with IAM roles
  • Defines AWS resource permissions in IAM roles
  • Pod Identity Webhook issues web ID tokens
  • Uses STS AssumeRoleWithWebIdentity for temporary credentials


Advantages

Enhanced Security
  • Implements least privilege principle with per-pod IAM roles
  • Reduces credential exposure risk
  • Simplifies credential management with AWS SDK
  • Enables fine-grained access control


Implementation Guide

1. EKS Cluster Setup

2. Create OIDC provider

3. Service Account Configuration

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/<role-name>

4. Pod Configuration

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
spec:
  selector:
    matchLabels: {app: my-app}
  template:
    metadata:
      labels: {app: my-app}
    spec:
      serviceAccountName: my-service-account  # pods inherit the role bound to this service account
      containers:
        - name: app
          image: <image>

5. Add IAM Role


IRSA vs Pod Identity Comparison

Feature Comparison Table
  • OIDC Provider:
    • IRSA: Required for each cluster
    • Pod Identity: Not required
  • Role Management:
    • IRSA: Cluster-specific roles
    • Pod Identity: Shared roles across clusters
  • Setup Complexity:
    • IRSA: Moderate (OIDC setup per cluster)
    • Pod Identity: Simpler (Centralized management)


IRSA

sequenceDiagram
    participant Pod
    participant ServiceAccount
    participant TokenVolume
    participant OIDC_Provider as OIDC Provider
    participant STS
    participant AWS_Services as AWS Services
    Pod->>ServiceAccount: 1. Uses service account
    ServiceAccount->>TokenVolume: 2. Mounts JWT token
    TokenVolume->>OIDC_Provider: 3. Presents JWT token
    OIDC_Provider->>STS: 4. Validates token
    STS->>OIDC_Provider: 5. Returns temporary credentials
    OIDC_Provider->>Pod: 6. Makes API calls with temp credentials


Role by Cluster
  • In IRSA, every EKS cluster needs its own OpenID Connect (OIDC) identity provider, created in IAM and associated with that cluster.
  • The IAM role is tied to a specific service account in a specific Kubernetes namespace of that cluster.
Detailed Role Management
  • Roles are bound to the OIDC issuer URL, which is unique to each cluster, so a separate IAM role is needed for each cluster (or service account).
  • For example, the role's trust relationship references the OIDC provider ARN, which embeds the issuer URL of one specific cluster.
Role Scope
  • eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/<role-name>
  • Each IAM role is scoped to the OIDC provider of one cluster, which makes sharing roles across clusters difficult.
  • With multiple clusters, you must create a separate IAM role per cluster and associate it with that cluster's service account.


Pod Identity

sequenceDiagram
    participant Pod
    participant Pod_Identity_Agent as Pod Identity Agent
    participant OIDC_Provider as OIDC Provider
    participant STS
    participant AWS_Services as AWS Services
    Pod->>Pod_Identity_Agent: 1. Requests credentials
    Note right of Pod_Identity_Agent: Uses pods.eks.amazonaws.com audience
    Pod_Identity_Agent->>OIDC_Provider: 2. Gets JWT token
    OIDC_Provider->>STS: 3. Exchanges token for credentials
    Note right of STS: Validates pod identity claims
    STS-->>OIDC_Provider: 4. Returns temporary credentials
    OIDC_Provider-->>Pod_Identity_Agent: 5. Delivers credentials via IMDS endpoint
    Pod_Identity_Agent->>AWS_Services: 6. Makes API calls with temp credentials


Key Features
  • Sharing roles across clusters
  • Pod Identity removes the need for cluster-specific OIDC providers.
  • A single IAM role can be shared across multiple EKS clusters.
Simplified role management
  • With Pod Identity, roles are not linked to a particular OIDC provider or cluster.
  • Identity mapping is handled centrally, and Kubernetes service accounts across clusters can use the same IAM role.
How it works
  • The Pod Identity Agent add-on serves as a bridge between the Kubernetes pod and AWS Identity and Access Management (IAM).
  • The pod assumes its IAM role dynamically without an OIDC provider, which allows smooth scaling and easier management of access policies.
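As an added example (not code from the original post), the role scope difference described in the IRSA "Role Scope" and Pod Identity "Key Features" sections above, and the role added in step 5 of the implementation guide, shown as trust policies: an IRSA role trusts one cluster's OIDC provider and pins the service account in a sub condition, while a Pod Identity role trusts the pods.eks.amazonaws.com service principal and carries no cluster-specific value at all, which is why it can be shared across clusters. The two sample policies, the account id 123456789012 and the OIDC provider id are constructed placeholders.

```python
# Added example: classify IAM role trust policies as IRSA (pinned to one cluster's
# OIDC issuer) or Pod Identity (portable across clusters). Sample policies are
# constructed; the account id and OIDC provider id are placeholders.
import json

IRSA_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/"
                                   "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF:aud": "sts.amazonaws.com",
            "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF:sub":
                "system:serviceaccount:default:my-service-account"}}}]}

POD_IDENTITY_TRUST = {  # no issuer URL anywhere: the same role works in every cluster
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "pods.eks.amazonaws.com"},
        "Action": ["sts:AssumeRole", "sts:TagSession"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def classify_trust_policy(policy):
    """Return (kind, issuer, subjects). 'irsa' reports the cluster issuer the role is
    pinned to and the service accounts its sub condition allows (empty list means no
    sub condition); 'pod-identity' reports neither since nothing ties it to a cluster."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        actions = _as_list(stmt.get("Action", []))
        if principal.get("Service") == "pods.eks.amazonaws.com" and "sts:AssumeRole" in actions:
            return "pod-identity", None, []
        for fed in _as_list(principal.get("Federated", [])):
            if "oidc-provider/" in fed and "sts:AssumeRoleWithWebIdentity" in actions:
                issuer = fed.split("oidc-provider/", 1)[1]
                cond = stmt.get("Condition", {})
                subjects = []
                for op in ("StringEquals", "StringLike"):
                    subjects += _as_list(cond.get(op, {}).get(f"{issuer}:sub", []))
                return "irsa", issuer, subjects
    return "other", None, []
```

An "irsa" result with an empty subjects list means the trust policy has no sub condition, so any service account in that cluster could assume the role; that is the first thing to look for when auditing IRSA roles.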


IMDSv2 Integration

Instance Metadata Service Version 2 (IMDSv2) is the session-based, hardened version of the endpoint through which an EC2 instance reads its own metadata.

IMDSv2 Features
  • Token-based session authentication
  • Enhanced security against SSRF attacks
  • Network hop limits
  • Required header validation

Example IMDSv2 Usage
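The following is an added, runnable illustration of the token session the features above describe (not code from the original post): a constructed in-process stand-in for the metadata service that, like IMDSv2, issues a session token only on a PUT carrying a TTL header and refuses metadata GETs that do not present a valid token, plus a client that performs the PUT-then-GET exchange. The header names and the /latest/api/token path are the real IMDSv2 ones; the server, its port and its "constructed-metadata:" response body are constructed for the example.

```python
# Added example: constructed local stand-in for IMDSv2 and a client doing the PUT-then-GET token session.
import secrets, threading, time, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKENS = {}  # constructed session store: token -> expiry timestamp
class FakeIMDS(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass
    def do_PUT(self):  # a session token is only issued via PUT carrying a TTL header
        ttl = self.headers.get("X-aws-ec2-metadata-token-ttl-seconds")
        if self.path != "/latest/api/token" or ttl is None:
            return self.send_error(400)
        token = secrets.token_urlsafe(32)
        TOKENS[token] = time.time() + min(int(ttl), 21600)  # IMDSv2 caps the TTL at 6 hours
        self.send_response(200)
        self.end_headers()
        self.wfile.write(token.encode())
    def do_GET(self):  # every metadata read must present a live session token
        token = self.headers.get("X-aws-ec2-metadata-token")
        if token not in TOKENS or TOKENS[token] < time.time():
            return self.send_error(401)  # IMDSv1-style GET without a token is refused
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"constructed-metadata:" + self.path.encode())

def start_server():  # binds a random localhost port and returns the base URL
    srv = HTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def imds_token(base, ttl=21600):  # step 1: PUT /latest/api/token -> session token
    req = urllib.request.Request(f"{base}/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

def imds_get(base, path, token=None):  # step 2: GET with the token; returns (status, body)
    headers = {"X-aws-ec2-metadata-token": token} if token else {}
    req = urllib.request.Request(base + path, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""

def demo_session(path="/latest/meta-data/instance-id"):  # returns (status w/o token, status, body)
    base = start_server()
    unauth_status, _ = imds_get(base, path)
    status, body = imds_get(base, path, imds_token(base))
    return unauth_status, status, body
```

Against the real service the same client works with base = "http://169.254.169.254"; the point of the PUT step is that a plain GET-based SSRF cannot obtain a token, so it cannot read metadata either.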



References