Cross account access to S3 using IRSA in EKS with Terraform as IaaC
We have many options to get cross-account access to resources, but when talking about the Kubernetes cluster, things can get a little bit tricky! So, in this blog, I'll share a solution to do it in the safest way using the principle of least privilege.
A typical scenario is to have two accounts: Account A, with an EKS cluster, and Account B, with an S3 bucket (example_bucket) that needs to be accessed by a pod running in Account A. We have many options for this:
We can create a bucket policy with the worker role name of the Kubernetes cluster on it.
We can create an IAM role in Account B, grant the role permissions to perform the required S3 operations, assume the role through a trust policy, etc.
Those solutions do give access to the bucket; however, on the way to getting that access, we grant a lot of privileges we don't need, because we only need to give access to a single pod, not to the whole cluster. That's why AWS provides IAM Roles for Service Accounts (IRSA).
IRSA allows us to associate an IAM Role with a Kubernetes service account, and this service account can then grant permissions to any pod that uses it.
Using IRSA follows the least-privilege recommendation and gives credential isolation, meaning that the container within the pod can only retrieve credentials for the IAM role associated with the service account to which the pod belongs.
For getting IRSA to work, we need these things:
An IAM OIDC provider
An IAM role
And finally, the association of the IAM role with the Kubernetes service account.
So, we're going to grant access to a pod from an EKS cluster in Account A to get an object from an S3 bucket in Account B using IRSA with cross-account access.
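The three pieces listed above, wired together for the cross-account case, as an added Terraform example that is not the article's own code. It assumes two provider aliases (account_a for the cluster account, account_b for the bucket account), a kubernetes provider already configured against the cluster, and placeholder names for the cluster, namespace and service account; the bucket name example_bucket is the one from the text. The choice to register Account A's OIDC issuer in Account B and create the role there is one way to do cross-account IRSA, assumed here, not taken from the article.

```hcl
# Added example, not from the article. Assumes provider aliases "account_a"
# and "account_b" and a configured kubernetes provider. Names marked
# "placeholder" are made up for illustration.

locals {
  namespace       = "demo"      # placeholder
  service_account = "s3-reader" # placeholder
  bucket_name     = "example_bucket"
}

data "aws_eks_cluster" "cluster" {
  provider = aws.account_a
  name     = "my-cluster" # placeholder
}

locals {
  # e.g. https://oidc.eks.<region>.amazonaws.com/id/<ID>
  oidc_issuer = data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer
  oidc_host   = replace(local.oidc_issuer, "https://", "")
}

data "tls_certificate" "oidc" {
  url = local.oidc_issuer
}

# 1. IAM OIDC provider: register the cluster's issuer in Account B so a role
#    there can trust tokens that Account A's cluster issues to pods.
resource "aws_iam_openid_connect_provider" "eks_cluster_a" {
  provider        = aws.account_b
  url             = local.oidc_issuer
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.oidc.certificates[0].sha1_fingerprint]
}

# 2. IAM role: the trust policy pins "sub" to exactly one service account and
#    "aud" to STS. Without the "sub" condition every pod in the cluster could
#    assume the role.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.eks_cluster_a.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:sub"
      values   = ["system:serviceaccount:${local.namespace}:${local.service_account}"]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "s3_reader" {
  provider           = aws.account_b
  name               = "eks-account-a-s3-reader" # placeholder
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Permissions: GetObject on the one bucket only, nothing broader.
data "aws_iam_policy_document" "s3_read" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${local.bucket_name}/*"]
  }
}

resource "aws_iam_role_policy" "s3_read" {
  provider = aws.account_b
  role     = aws_iam_role.s3_reader.id
  policy   = data.aws_iam_policy_document.s3_read.json
}

# 3. Associate the role with the service account. Pods that use this service
#    account get a projected web-identity token and exchange it for
#    short-lived credentials of the role in Account B.
resource "kubernetes_service_account" "s3_reader" {
  metadata {
    name      = local.service_account
    namespace = local.namespace
    annotations = {
      "eks.amazonaws.com/role-arn" = aws_iam_role.s3_reader.arn
    }
  }
}
```

A pod only receives these credentials when its spec sets serviceAccountName to the annotated service account; any other pod in the cluster is rejected by the "sub" condition. Because the role lives in the same account as the bucket, no bucket policy is needed, and the blast radius of the role is exactly one service account and one S3 action.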
Pretty interesting. Let's get our hands dirty!
The diagram below shows what we're going to do:
We're going to use Terraform as IaaC for this example, and Kubernetes YAML for the deployment and the Kubernetes service account.