DEV Community

Raghu Reddy

Cultivating Trust and Efficiency: Empowering Applications with Amazon EKS Pod Identity for Secure Access to AWS Services

Introduction to Amazon EKS Pod Identity

Amazon EKS Pod Identity is a service designed to simplify AWS Identity and Access Management (IAM) permissions for applications deployed on Amazon Elastic Kubernetes Service (EKS) clusters. As a fully managed Kubernetes service, Amazon EKS streamlines the deployment, management, and scaling of containerized applications on AWS (see the Amazon EKS User Guide).

High level Amazon EKS Pod Identity architecture

The Challenge: IAM Permissions in Kubernetes

In a standard Kubernetes environment, pod applications frequently interact with AWS services such as Amazon S3, Amazon RDS, and others. Previously, the only ways to achieve this were to hardcode IAM credentials in the cluster or to use the worker node's IAM role, both of which are risky and discouraged practices.
Managing AWS IAM permissions for these applications can be complex.
Amazon EKS Pod Identity addresses this challenge by providing a way to associate AWS IAM roles directly with Kubernetes service accounts. This association allows applications running in Amazon EKS pods to assume AWS IAM roles seamlessly without requiring developers to manage AWS credentials directly within the application code or configuration.

How EKS Pod Identity Agent works with a Pod

```yaml
    env:
    - name: AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE
      value: "/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token"
    - name: AWS_CONTAINER_CREDENTIALS_FULL_URI
      value: "http://169.254.170.23/v1/credentials"
    volumeMounts:
    - mountPath: "/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/"
      name: eks-pod-identity-token
  volumes:
  - name: eks-pod-identity-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: pods.eks.amazonaws.com
          expirationSeconds: 86400 # 24 hours
          path: eks-pod-identity-token
```
  1. When Amazon EKS starts a new pod that uses a service account with an EKS Pod Identity association, the cluster adds the content shown in the code block above to the Pod manifest.

  2. Kubernetes selects which node to run the pod on. Then, the Amazon EKS Pod Identity Agent on the node uses the AssumeRoleForPodIdentity action to retrieve temporary credentials from the EKS Auth API.

  3. The EKS Pod Identity Agent makes these credentials available for the AWS SDKs that you run inside your containers.

  4. You use the SDK in your application without specifying a credential provider to use the default credential chain. Or, you specify the container credential provider. For more information about the default locations used, see the Credential provider chain in the AWS SDKs and Tools Reference Guide.

  5. The SDK uses the environment variables to connect to the EKS Pod Identity Agent and retrieve the credentials.

Note

If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload.
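To make steps 4 and 5 and the Note above concrete, here is an added example (not code from the original post or from AWS) that re-implements, in miniature, what the SDK's container credential provider does: it checks whether static keys earlier in the chain would shadow Pod Identity, reads the projected token file, sends the token in the Authorization header to the agent URI, and parses the reply. The agent's response field names and the allowed plain-http hosts are assumptions taken from the AWS SDK container credential provider behaviour; the token and credential values are constructed stand-ins.

```python
"""Minimal model of the SDK-side Pod Identity credential fetch (added example)."""
import json
import os
import tempfile
from datetime import datetime, timezone

# Hosts the AWS SDKs accept for an http:// AWS_CONTAINER_CREDENTIALS_FULL_URI (assumed from SDK docs).
ALLOWED_HTTP_HOSTS = {"169.254.170.2", "169.254.170.23", "[fd00:ec2::23]", "localhost", "127.0.0.1"}

def credential_source(env):
    """Mirror the chain order the Note describes: static keys in the environment
    win over the container (Pod Identity) provider, so Pod Identity is never consulted."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "static-env"
    if env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI"):
        return "container"
    return "none"

def fetch_pod_identity_credentials(env, http_get):
    """Build the request the SDK sends to the Pod Identity Agent and parse the reply.
    http_get(url, headers) -> response body (str); injected so the example runs offline."""
    uri = env["AWS_CONTAINER_CREDENTIALS_FULL_URI"]
    host = uri.split("//", 1)[1].split("/", 1)[0]
    if uri.startswith("http://") and host not in ALLOWED_HTTP_HOSTS:
        raise ValueError(f"refusing plain-http credential URI to {host}")
    with open(env["AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"]) as f:
        token = f.read().strip()  # projected SA token with audience pods.eks.amazonaws.com
    body = json.loads(http_get(uri, {"Authorization": token}))
    exp = datetime.fromisoformat(body["Expiration"].replace("Z", "+00:00"))
    if exp <= datetime.now(timezone.utc):
        raise RuntimeError("agent returned expired credentials")
    return {"access_key": body["AccessKeyId"], "secret_key": body["SecretAccessKey"],
            "session_token": body["Token"], "expires": exp}

def demo():
    """Run the fetch against constructed stand-ins for the token file and the agent reply."""
    tok = tempfile.NamedTemporaryFile("w", delete=False, suffix="eks-pod-identity-token")
    tok.write("constructed.sa.token"); tok.close()
    env = {"AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE": tok.name,
           "AWS_CONTAINER_CREDENTIALS_FULL_URI": "http://169.254.170.23/v1/credentials"}
    def fake_agent(url, headers):  # stands in for the agent at 169.254.170.23
        assert headers["Authorization"] == "constructed.sa.token"
        return json.dumps({"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example",
                           "Token": "example-session", "Expiration": "2099-01-01T00:00:00Z"})
    creds = fetch_pod_identity_credentials(env, fake_agent)
    os.unlink(tok.name)
    return credential_source(env), creds["access_key"]
```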

Benefits of Using EKS Pod Identity

  • Simplified AWS credential management: EKS Pod Identity eliminates the need to manage AWS credentials within your application code or container environment variables, streamlining the credential management process.

  • Enhanced security: By leveraging AWS Identity and Access Management (IAM) roles, EKS Pod Identity provides fine-grained access control, reducing the risk of unauthorized access and enhancing the overall security of your applications.

  • Seamless integration with AWS services: EKS Pod Identity allows your applications running on EKS to seamlessly authenticate and authorize access to various AWS services using IAM roles, eliminating the need for managing access keys or storing sensitive credentials within your application code.

  • Simplified deployment and management: EKS Pod Identity is designed to work seamlessly with EKS clusters, making it easy to deploy and configure. This simplifies the deployment and management process, reducing the operational overhead associated with managing AWS credentials.

Overall, EKS Pod Identity provides a convenient and secure way to manage AWS credentials, enhance security, seamlessly integrate with AWS services, and simplify the deployment and management of your applications on EKS clusters.

Real-World Use Cases of EKS Pod Identity

  1. Serverless Data Processing: EKS Pod Identity can be used in conjunction with AWS Lambda to enable serverless data processing pipelines. By assigning IAM roles to Lambda functions, you can securely access and process data stored in AWS services like Amazon S3 or DynamoDB within your EKS cluster.

  2. Microservices Architecture: In a microservices architecture, EKS Pod Identity can provide secure and granular access to AWS services for each microservice. Each microservice can have its own IAM role associated with its pods, allowing it to access specific AWS resources independently.

  3. Machine Learning Workloads: EKS Pod Identity is valuable in machine learning scenarios. It allows training jobs running on EKS to securely access datasets stored in Amazon S3 or retrieve model artifacts from AWS services like Amazon SageMaker.

  4. Data Analytics and Business Intelligence: EKS Pod Identity can enable data analytics and business intelligence applications to securely access and process data stored in AWS services. Applications can retrieve and analyze data from sources like Amazon Redshift, Amazon Athena, or Amazon QuickSight within the EKS cluster.

  5. Cloud-Native CI/CD Pipelines: EKS Pod Identity can be integrated into cloud-native CI/CD pipelines to ensure secure and authorized access to AWS services during the build, test, and deployment processes. IAM roles associated with pods can be used to authenticate and authorize interaction with resources like AWS CodeCommit, AWS CodeBuild, or AWS CodeDeploy.

Overview of setting up EKS Pod Identities

Turn on EKS Pod Identities by completing the following procedures:

EKS Pod Identity Restrictions

EKS Pod Identities are available on the following:

  • Amazon EKS cluster versions listed below.
  • Worker nodes in the cluster that are Linux Amazon EC2 instances.

  Kubernetes version   Platform version
  1.28                 eks.4
  1.27                 eks.8
  1.26                 eks.9
  1.25                 eks.10
  1.24                 eks.13

EKS Pod Identities aren't available on the following:

  • China Regions.
  • AWS GovCloud (US).
  • AWS Outposts.
  • Amazon EKS Anywhere.
  • Kubernetes clusters that you create and run on Amazon EC2. The EKS Pod Identity components are only available on Amazon EKS.

You can't use EKS Pod Identities with:

  • Pods that run anywhere except Linux Amazon EC2 instances. Linux and Windows pods that run on AWS Fargate (Fargate) aren't supported. Pods that run on Windows Amazon EC2 instances aren't supported.

  • Amazon EKS add-ons that need IAM credentials. These EKS add-ons can only use IAM roles for service accounts instead. The EKS add-ons that use IAM credentials include:

    • Amazon VPC CNI plugin for Kubernetes
    • AWS Load Balancer Controller
    • The CSI storage drivers: EBS CSI, EFS CSI, Amazon FSx for Lustre CSI driver, Amazon FSx for NetApp ONTAP CSI driver, Amazon FSx for OpenZFS CSI driver, Amazon File Cache CSI driver

Note

If these controllers, drivers, and plugins are installed as self-managed add-ons instead of EKS add-ons, they support EKS Pod Identities as long as they are updated to use the latest AWS SDKs.

References
https://aws.amazon.com/about-aws/whats-new/2023/11/amazon-eks-pod-identity/
https://aws.amazon.com/blogs/aws/amazon-eks-pod-identity-simplifies-iam-permissions-for-applications-on-amazon-eks-clusters/
https://aws.amazon.com/blogs/containers/amazon-eks-pod-identity-a-new-way-for-applications-on-eks-to-obtain-iam-credentials/
