Nestor Abad
ServiceNow Employee

We can associate a specific IAM role with the pod running the containerized MID Server in order to control its access to cloud resources. Since it is not possible to associate the role directly with the pod, we create a Kubernetes service account that carries the required role and reference that service account from our deployment.

To do so, we first need to check whether the cluster already has an IAM OpenID Connect (OIDC) provider associated with it.

We can execute the following command to store the cluster's OIDC provider ID in a variable:

oidc_id=$(aws eks describe-cluster --name containerized-mid-server-cluster --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)

Make sure to update the cluster name to your own, then check whether an IAM OIDC provider already exists for that ID:

aws iam list-open-id-connect-providers | grep $oidc_id

If the command returns an ID (as in the figure below), an IAM OIDC provider is already associated with the cluster and there is no need to create a new one.

[Screenshot: NestorAbad_0-1684241285050.png]

If the command returns nothing, we have to create a new one. To do so, we execute:

eksctl utils associate-iam-oidc-provider --cluster containerized-mid-server-cluster --approve

Once the IAM OIDC provider is associated with the cluster, we can create the IAM role the pod requires, together with its service account:

eksctl create iamserviceaccount --name <serviceaccountname> --namespace <namespace> --cluster <cluster_name> --role-name "<iamrolename>" --attach-policy-arn <iam_policy_arn> --approve

From the command above, the parameters are as follows:

  • <serviceaccountname>: name we give to our service account.
  • <namespace>: namespace in which to create the service account.
  • <cluster_name>: name of the cluster.
  • <iamrolename>: name of the IAM role.
  • <iam_policy_arn>: ARN of the IAM policy you want to attach to the role. In my case I use ReadOnlyAccess, but you can add as many as required.

[Screenshot: NestorAbad_1-1684241369057.png]

You can check that the service account was correctly created by executing:

kubectl get serviceaccounts -n containerized-mid-server-cluster

[Screenshot: NestorAbad_2-1684241408471.png]

Once the service account is created, you can modify the deployment file and add the serviceAccountName field to the pod spec:

apiVersion: apps/v1
kind: Deployment
...
    spec:
      serviceAccountName: "is1-service-account"
      containers:
        - name: containerized-mid-server-cluster
          imagePullPolicy: IfNotPresent
          image: XXXXXXXXX.dkr.ecr.eu-central-1.amazonaws.com/containerized_mid_server:latest
...

Then apply the deployment (as per

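The whole procedure above (extract the OIDC ID, associate the provider only if missing, create the IAM service account, attach it to the deployment) as one script, added here as an example and not part of the original post or of the ServiceNow MID Server project. It keeps the post's cluster name, service account name and ReadOnlyAccess policy; the namespace, role name, deployment name and the app= pod label are assumed placeholders. Two things it adds that the bare commands do not: it validates the issuer URL before extracting the ID, because an empty $oidc_id would make the grep in the check step match every provider and wrongly report that one already exists, and it verifies from inside a running pod that the web-identity token and role ARN were actually injected (running aws sts get-caller-identity only if the AWS CLI happens to be in the image).

```shell
#!/usr/bin/env bash
# Added example (not from the original post): end-to-end IRSA setup for the
# containerized MID Server pod, with the pre-checks the post describes.
# Assumed values: namespace, role name, deployment name and pod label are
# placeholders to change for your environment.
set -eu

CLUSTER="${CLUSTER:-containerized-mid-server-cluster}"      # from the post
NAMESPACE="${NAMESPACE:-mid-server}"                        # assumed
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-is1-service-account}"   # from the post's deployment
ROLE_NAME="${ROLE_NAME:-mid-server-irsa-role}"              # assumed
POLICY_ARN="${POLICY_ARN:-arn:aws:iam::aws:policy/ReadOnlyAccess}"  # the post uses ReadOnlyAccess
DEPLOYMENT="${DEPLOYMENT:-containerized-mid-server}"        # assumed
POD_LABEL="${POD_LABEL:-app=$DEPLOYMENT}"                   # assumed pod selector

# Extract the provider ID from an EKS issuer URL, e.g.
# https://oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE
# Same cut as the post; pure shell so it can be checked offline.
oidc_id_from_issuer() {
  printf '%s\n' "$1" | cut -d '/' -f 5
}

# Returns 0 only when the issuer has the EKS shape. Without this check an
# unexpected value yields an empty ID, and "grep ''" would match every
# provider and make the "already associated" branch fire incorrectly.
issuer_looks_valid() {
  case "$1" in
    https://oidc.eks.*.amazonaws.com/id/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Steps 1 and 2: look up the issuer, associate a provider only if missing.
ensure_oidc_provider() {
  issuer=$(aws eks describe-cluster --name "$CLUSTER" \
             --query "cluster.identity.oidc.issuer" --output text)
  issuer_looks_valid "$issuer" || { echo "unexpected issuer: $issuer" >&2; return 1; }
  oidc_id=$(oidc_id_from_issuer "$issuer")
  if aws iam list-open-id-connect-providers --output text | grep -q "$oidc_id"; then
    echo "IAM OIDC provider already associated ($oidc_id)"
  else
    eksctl utils associate-iam-oidc-provider --cluster "$CLUSTER" --approve
  fi
}

# Step 3: create the IAM role plus the annotated Kubernetes service account,
# then print the role-arn annotation that ties the two together.
create_service_account() {
  eksctl create iamserviceaccount --name "$SERVICE_ACCOUNT" --namespace "$NAMESPACE" \
    --cluster "$CLUSTER" --role-name "$ROLE_NAME" \
    --attach-policy-arn "$POLICY_ARN" --approve
  kubectl get serviceaccount "$SERVICE_ACCOUNT" -n "$NAMESPACE" \
    -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}{"\n"}'
}

# Step 4: set serviceAccountName on the existing deployment (a patch instead
# of editing the YAML by hand) and verify from inside a pod that the EKS
# pod identity webhook injected the role ARN and web-identity token file.
attach_and_verify() {
  kubectl patch deployment "$DEPLOYMENT" -n "$NAMESPACE" \
    -p "{\"spec\":{\"template\":{\"spec\":{\"serviceAccountName\":\"$SERVICE_ACCOUNT\"}}}}"
  kubectl rollout status deployment "$DEPLOYMENT" -n "$NAMESPACE"
  pod=$(kubectl get pods -n "$NAMESPACE" -l "$POD_LABEL" \
          -o jsonpath='{.items[0].metadata.name}')
  kubectl exec -n "$NAMESPACE" "$pod" -- sh -c \
    'env | grep -E "^AWS_(ROLE_ARN|WEB_IDENTITY_TOKEN_FILE)=" && \
     { command -v aws >/dev/null 2>&1 && aws sts get-caller-identity || true; }'
}

# Guarded so the helper functions can be sourced and tested without AWS access.
if [ "${RUN_IRSA_SETUP:-0}" = "1" ]; then
  ensure_oidc_provider
  create_service_account
  attach_and_verify
fi
```

Run it with RUN_IRSA_SETUP=1 after setting the placeholder variables. The namespace passed to eksctl must be the namespace the deployment lives in, since a service account is namespaced; and although the post attaches ReadOnlyAccess, the role should carry only the permissions the MID Server integration actually needs.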
See the Containerized MID Server series:

References

Assign an aws IAM Role to an EKS pod 

Deploying a containerized MID server in a Kubernetes cluster 

Version history
Last update: 06-05-2023 01:49 AM