Cross Account EKS Cluster Access with AWS IAM roles

Neeraj Agrawal
Aug 4, 2021

Some time back I came across a use case where I had to access one EKS cluster from another: code deployed in a pod in one cluster creates or accesses resources in a second cluster.

In this post I call them the Dev and Shared Services clusters; the Shared Services cluster needs access to Dev (or Integration, QA, Prod!).

This can be achieved by assigning an IAM role to the pod running in the Shared Services account and properly plumbing the roles on both accounts.

In the Dev account cluster

Add the policy arn:aws:iam::<DevAccount>:policy/testpolicy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:*"
      ],
      "Resource": "*"
    }
  ]
}

Scope Resource down to the cluster ARN (arn:aws:eks:<region>:<DevAccount>:cluster/<cluster-name>) instead of "*". Note that the kubectl token itself is issued by STS, so the EKS API permissions in this policy only matter for control-plane calls such as eks:DescribeCluster; narrow eks:* to the actions the pod really needs.
And the role arn:aws:iam::<DevAccount>:role/testrole, to establish the trust relationship with Shared Services. Its trust policy allows the <SSAccount> role to assume this role in the Dev account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<SSAccount>:role/<rolename>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
Attach the above policy to this role.

In Shared Services

Role arn:aws:iam::<SSAccount>:role/<rolename>

This role is assigned to the pod's service account following https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html. The trust relationship for this role should look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<SSAccount>:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/<cluster id>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/<cluster id>:sub": "system:serviceaccount:<eks ns>:<service account>"
        }
      }
    }
  ]
}
Add this policy to the above role so that it can assume the Dev role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "arn:aws:iam::<DevAccount>:role/testrole"
    }
  ]
}
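Before wiring the two accounts together it is worth checking the three IAM documents above (the Dev permissions policy and trust policy, and the Shared Services IRSA trust policy) for the over-broad settings that are easy to leave in place. The following is an added example, not code from this post: a small linter that takes the post's own documents, with the angle-bracket placeholders kept verbatim as constructed sample input, and flags a wildcard action on Resource "*", a wildcard or account-root principal in the cross-account trust policy, and an IRSA trust policy that is not pinned to one service account and to the sts.amazonaws.com audience. The audience check reflects current AWS IRSA guidance; treating it as mandatory is this linter's own choice.

```python
import json

# Constructed sample input: the three IAM documents from the post, with the
# post's <placeholders> kept verbatim, parsed as JSON the way a console export
# would be.
DEV_PERMISSIONS_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["eks:*"], "Resource": "*"}]}""")

DEV_ROLE_TRUST = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::<SSAccount>:role/<rolename>"},
   "Action": "sts:AssumeRole", "Condition": {}}]}""")

SS_ROLE_IRSA_TRUST = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Principal": {"Federated": "arn:aws:iam::<SSAccount>:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/<cluster id>"},
   "Action": "sts:AssumeRoleWithWebIdentity",
   "Condition": {"StringEquals": {
     "oidc.eks.us-east-1.amazonaws.com/id/<cluster id>:sub": "system:serviceaccount:<eks ns>:<service account>"}}}]}""")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_permissions_policy(doc):
    """Flag Allow statements that combine a wildcard action with Resource '*'."""
    findings = []
    for st in _as_list(doc.get("Statement")):
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if st.get("Effect") == "Allow" and "*" in resources and \
                any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{actions} allowed on Resource '*': scope to the cluster ARN")
    return findings


def lint_cross_account_trust(doc, expected_account):
    """Check that only a specific role in the expected account can call sts:AssumeRole."""
    findings = []
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            findings.append("Principal '*': any AWS principal could assume the role")
            continue
        for arn in _as_list(principal.get("AWS")):
            if arn == "*":
                findings.append("Principal AWS '*': any AWS principal could assume the role")
            elif arn.endswith(":root"):
                findings.append(f"{arn}: account-root principal delegates to every IAM entity in that account")
            elif f":{expected_account}:" not in arn:
                findings.append(f"{arn}: principal is not in the expected account {expected_account}")
    return findings


def lint_irsa_trust(doc, expected_sub):
    """Check the IRSA trust policy is pinned to one service account and one audience."""
    findings = []
    for st in _as_list(doc.get("Statement")):
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action")):
            continue
        cond = st.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        subs = [v for k, v in equals.items() if k.endswith(":sub")]
        auds = [v for k, v in equals.items() if k.endswith(":aud")]
        if not subs and not any(k.endswith(":sub") for k in like):
            findings.append("no :sub condition: every service account in the cluster could assume the role")
        for sub in subs:
            if sub != expected_sub:
                findings.append(f":sub is {sub!r}, expected {expected_sub!r}")
        for k, v in like.items():
            if k.endswith(":sub") and any("*" in s for s in _as_list(v)):
                findings.append(f"wildcard :sub {v!r} widens the trust beyond one service account")
        if auds != ["sts.amazonaws.com"]:
            findings.append("no :aud StringEquals condition for sts.amazonaws.com")
    return findings


def lint_all():
    """Run the three checks over the post's documents; returns {name: findings}."""
    return {
        "dev_permissions": lint_permissions_policy(DEV_PERMISSIONS_POLICY),
        "dev_trust": lint_cross_account_trust(DEV_ROLE_TRUST, "<SSAccount>"),
        "ss_irsa_trust": lint_irsa_trust(SS_ROLE_IRSA_TRUST,
                                         "system:serviceaccount:<eks ns>:<service account>"),
    }


if __name__ == "__main__":
    for name, findings in lint_all().items():
        print(name, "->", findings or ["ok"])
```

Run against the post's documents, the Dev trust policy passes (its principal is one specific role, which is why the empty Condition is acceptable here), the permissions policy is flagged for eks:* on Resource "*", and the IRSA trust policy is flagged only for the missing audience condition.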
Use a kubeconfig with this user section to get a token for authentication with the Dev EKS cluster. The token is valid for 15 minutes at most ( https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html ):

user:
  exec:
    apiVersion: client.authentication.k8s.io/v1alpha1
    command: aws
    args:
      - eks
      - get-token
      - --cluster-name
      - <cluster-name>
      - --role-arn
      - arn:aws:iam::<DevAccount>:role/testrole

The --role-arn flag (the documented name of the option) makes the CLI assume the Dev role first and sign the token with those credentials, which is the chained AssumeRole step. kubectl 1.24 and later no longer accept the v1alpha1 exec API; use client.authentication.k8s.io/v1beta1 there.
If you are interested in understanding how the token is generated, follow this link:
https://github.com/aws/aws-cli/blob/v2/awscli/customizations/eks/get_token.py
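The token that get-token produces is not a secret issued by EKS: it is a SigV4 presigned STS GetCallerIdentity request, with the cluster name included as a signed header and the URL base64url-encoded behind a k8s-aws-v1. prefix. The cluster's authenticator replays that request to STS to learn which IAM principal signed it and then looks the principal up in aws-auth. The block below is an added example, not aws-cli's code: it builds such a token with plain stdlib SigV4 from constructed, non-functional sample credentials, and decodes one back to apply the structural checks a verifier makes before replaying it. The regional STS endpoint, the 60-second X-Amz-Expires value and the 15-minute age limit are this example's assumptions (the last is the figure the post cites); consult the linked source for the authoritative rules.

```python
import base64
import datetime
import hashlib
import hmac
import urllib.parse

# Constructed sample credentials for the example; they are not valid AWS keys.
SAMPLE_ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SAMPLE_SECRET_KEY = "exampleSecretKeyForIllustrationOnly0000000"
SAMPLE_SESSION_TOKEN = "FwoGZXIvYXdzEXAMPLESESSIONTOKEN"

TOKEN_PREFIX = "k8s-aws-v1."          # prefix the EKS authenticator expects
CLUSTER_ID_HEADER = "x-k8s-aws-id"    # signed header that binds the token to one cluster
PRESIGN_EXPIRES_SECONDS = 60          # X-Amz-Expires value assumed for get-token
MAX_TOKEN_AGE = datetime.timedelta(minutes=15)   # the 15-minute limit the post cites


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _sigv4_signing_key(secret_key, date_stamp, region, service):
    key = _hmac_sha256(("AWS4" + secret_key).encode(), date_stamp)
    for part in (region, service, "aws4_request"):
        key = _hmac_sha256(key, part)
    return key


def build_eks_token(cluster_name, access_key, secret_key, session_token=None,
                    region="us-east-1", now=None):
    """Presign STS GetCallerIdentity (SigV4 query-string signing) with the cluster
    name as a signed header, then wrap the URL as an EKS bearer token."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    host, service = f"sts.{region}.amazonaws.com", "sts"   # assumption: regional endpoint
    signed_headers = f"host;{CLUSTER_ID_HEADER}"
    params = {
        "Action": "GetCallerIdentity",
        "Version": "2011-06-15",
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{date_stamp}/{region}/{service}/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(PRESIGN_EXPIRES_SECONDS),
        "X-Amz-SignedHeaders": signed_headers,
    }
    if session_token:   # temporary credentials (IRSA / AssumeRole) carry a session token
        params["X-Amz-Security-Token"] = session_token

    def quote(s):       # SigV4 canonical encoding: only unreserved characters stay bare
        return urllib.parse.quote(s, safe="-_.~")

    canonical_query = "&".join(f"{quote(k)}={quote(v)}" for k, v in sorted(params.items()))
    canonical_headers = f"host:{host}\n{CLUSTER_ID_HEADER}:{cluster_name}\n"
    canonical_request = "\n".join(["GET", "/", canonical_query, canonical_headers,
                                   signed_headers, hashlib.sha256(b"").hexdigest()])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(_sigv4_signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    url = f"https://{host}/?{canonical_query}&X-Amz-Signature={signature}"
    return TOKEN_PREFIX + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def inspect_eks_token(token, now=None):
    """Decode a token and apply structural checks before it would be replayed to STS
    (this example's checks, modelled on the EKS authenticator's)."""
    if not token.startswith(TOKEN_PREFIX):
        return {"ok": False, "problems": ["missing k8s-aws-v1. prefix"]}
    body = token[len(TOKEN_PREFIX):]
    url = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()
    parts = urllib.parse.urlsplit(url)
    query = dict(urllib.parse.parse_qsl(parts.query))
    host, problems = parts.hostname or "", []
    if parts.scheme != "https" or not (host.startswith("sts.") and host.endswith(".amazonaws.com")):
        problems.append(f"unexpected endpoint {host!r}")
    if query.get("Action") != "GetCallerIdentity":
        problems.append("Action is not GetCallerIdentity")
    if CLUSTER_ID_HEADER not in query.get("X-Amz-SignedHeaders", "").split(";"):
        problems.append(f"{CLUSTER_ID_HEADER} is not a signed header: token is not bound to a cluster")
    expires = int(query.get("X-Amz-Expires", "0"))
    if not 0 < expires <= PRESIGN_EXPIRES_SECONDS:
        problems.append(f"X-Amz-Expires={expires} outside 1..{PRESIGN_EXPIRES_SECONDS}")
    signed_at = datetime.datetime.strptime(query.get("X-Amz-Date", "19700101T000000Z"),
                                           "%Y%m%dT%H%M%SZ").replace(tzinfo=datetime.timezone.utc)
    now = now or datetime.datetime.now(datetime.timezone.utc)
    if now - signed_at > MAX_TOKEN_AGE:
        problems.append("X-Amz-Date is older than 15 minutes")
    return {"ok": not problems, "problems": problems, "endpoint": host, "signed_at": signed_at,
            "access_key": query.get("X-Amz-Credential", "").split("/")[0]}


def demo():
    """Sign at a fixed instant, then inspect 1 and 16 minutes later (constructed timestamps)."""
    signed = datetime.datetime(2021, 8, 4, 12, 0, tzinfo=datetime.timezone.utc)
    token = build_eks_token("dev-cluster", SAMPLE_ACCESS_KEY, SAMPLE_SECRET_KEY, SAMPLE_SESSION_TOKEN, now=signed)
    other = build_eks_token("other-cluster", SAMPLE_ACCESS_KEY, SAMPLE_SECRET_KEY, SAMPLE_SESSION_TOKEN, now=signed)
    return {"token": token, "other_cluster_token": other,
            "fresh": inspect_eks_token(token, now=signed + datetime.timedelta(minutes=1)),
            "stale": inspect_eks_token(token, now=signed + datetime.timedelta(minutes=16))}


if __name__ == "__main__":
    result = demo()
    print(result["token"][:60] + "...")
    print("fresh:", result["fresh"]["ok"], "stale:", result["stale"]["problems"])
```

Two things the decoded form makes visible: the cluster name is not in the URL at all but is covered by the signature through the signed header, so a token minted for Dev cannot be replayed against another cluster (the authenticator adds its own cluster name when replaying, and the signature will not match), and the only credential material in the token is the access key id, never the secret; what the Dev cluster learns from STS is the assumed-role identity, which is what aws-auth then maps.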

Modify the Dev cluster's aws-auth ConfigMap to map the IAM role to Kubernetes RBAC

(Follow https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

Choose the group wisely: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings)

data:
  mapRoles: |
    <existing roles>
    - rolearn: arn:aws:iam::<DevAccount>:role/testrole
      username: test # name does not matter
      groups:
        - system:masters

system:masters is bound to the cluster-admin ClusterRole, so this mapping gives the Shared Services pod unrestricted control of the Dev cluster. For anything beyond a test, map the role to a dedicated group and bind that group to a namespaced Role or a narrower ClusterRole instead.

Ensure that the AWS CLI and kubectl are installed in the pod.

Now access the Dev cluster from the Shared Services pod using kubectl!

Note

This was written when the AWS documentation did not mention the cross-account use case. This article uses the "chained AssumeRole" mechanism that the docs now describe:

https://docs.aws.amazon.com/eks/latest/userguide/cross-account-access.html

Neeraj Agrawal

Software Engineer & Architect who knows Java, SQL, Docker, microservice, Kubernetes and AWS. https://www.linkedin.com/in/neeraj-agrawal-39b0105/