SSF

Reputation: 983

Attach IAM Role to Serviceaccount from a Pod in EKS

I am trying to attach an IAM role to a pod's service account from within the POD in EKS.

kubectl annotate serviceaccount -n $namespace $serviceaccount eks.amazonaws.com/role-arn=$ARN

The current role attached to the $serviceaccount is outlined below:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: common-role
rules:
  - apiGroups: [""]
    resources:
      - events
      - secrets
      - configmaps
      - serviceaccounts
    verbs:
      - get
      - create

However, when I execute the kubectl command I get the following:

error from server (forbidden): serviceaccounts $serviceaccount is forbidden: user "system:servi...." cannot get resource "serviceaccounts" in API group "" ...

Is my role correct? Why can't I modify the service account?

Upvotes: 2

Views: 2008

Answers (2)

acid_fuji

Reputation: 6853

Kubernetes by default will run the pods with service account: default, which doesn't have the right permissions. Since I cannot determine which one you are using for your pod I can only assume that you are using either default or some other created by you. In both cases the error suggests that the service account you are using to run your pod does not have proper rights.

If you run this pod with service account type default you will have to add the appropriate rights to it. An alternative way is to run your pod with another service account created for this purpose. Here's an example:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: run-kubectl-from-pod

Then you will have to create an appropriate role (you can find the full list of verbs here):

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: modify-service-accounts
rules:
  - apiGroups: [""]
    resources:
      - serviceaccounts
    verbs:
      - get
      - create
      - patch
      - list

I'm using more verbs here as a test. Get and Patch would be enough for this use case. I'm mentioning this since it's best practice to grant as few rights as possible.

Then create your role accordingly:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: modify-service-account-bind
subjects:
  - kind: ServiceAccount
    name: run-kubectl-from-pod
roleRef:
  kind: Role
  name: modify-service-accounts
  apiGroup: rbac.authorization.k8s.io

And now you just have to reference that service account when you run your pod:

apiVersion: v1
kind: Pod
metadata:
  name: run-kubectl-in-pod
spec:
  serviceAccountName: run-kubectl-from-pod
  containers:
    - name: kubectl-in-pod
      image: bitnami/kubectl
      command:
        - sleep
        - "3600"

Once that is done, you just exec into the pod:

➜  kubectl-pod kubectl exec -ti run-kubectl-in-pod sh  

And then annotate the service account:

$ kubectl get sa 
NAME                   SECRETS   AGE
default                1         19m
eks-sa                 1         36s
run-kubectl-from-pod   1         17m

$ kubectl annotate serviceaccount eks-sa eks.amazonaws.com/role-arn=$ARN
serviceaccount/eks-sa annotated

$ kubectl describe sa eks-sa 
Name:                eks-sa
Namespace:           default
Labels:              <none>
Annotations:         eks.amazonaws.com/role-arn: 
Image pull secrets:  <none>
Mountable secrets:   eks-sa-token-sldnn
Tokens:              <none>
Events:              <none>

If you encounter any issues with a request being refused, please start by reviewing your request attributes and determine the appropriate request verb.

You can also check your access with kubectl auth can-i command:

kubectl-pod kubectl auth can-i patch serviceaccount 

The API server will respond with a simple yes or no.


Please note that if you want to patch a service account to use an IAM role, you will have to delete and re-create any existing pods that are associated with the service account to apply the credentials environment variables. You can read more about it here.


Upvotes: 1

Fritz Duchardt

Reputation: 11920

While your role appears to be correct, please keep in mind that when executing kubectl, the RBAC permissions of your account in kubeconfig are relevant for whether you are allowed to perform an action.

From your question, I understand that your role is attached to the service account you are trying to annotate, which is irrelevant to the kubectl permission check.

Upvotes: 2
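As an added illustration (not code from either answer), a toy model of the namespaced RBAC decision the API server makes for the kubectl call in the question. It shows the point both answers make: the identity that is checked is the service account the pod runs as (the system:serviceaccount:... user in the error), not the account being annotated, and kubectl annotate needs get and patch on serviceaccounts. The manifests from the question and the first answer are condensed into dicts, and the namespace default and the subject namespaces are assumptions.

```python
# Added illustration, not code from either answer: toy model of the namespaced
# RBAC check behind the "forbidden" error. Namespace "default" is an assumption.
NS = "default"

ROLES = {  # condensed Role manifests: name -> rules
    # the asker's Role, bound to the SA that is being annotated (eks-sa)
    "common-role": [{"apiGroups": [""], "verbs": ["get", "create"],
                     "resources": ["events", "secrets", "configmaps", "serviceaccounts"]}],
    # the Role from the answer above, bound to the SA the kubectl pod runs as
    "modify-service-accounts": [{"apiGroups": [""], "verbs": ["get", "patch"],
                                 "resources": ["serviceaccounts"]}],
}
# RoleBindings as (namespace, role name, subject), subject = (kind, namespace, name)
BINDINGS = [
    (NS, "common-role", ("ServiceAccount", NS, "eks-sa")),
    (NS, "modify-service-accounts", ("ServiceAccount", NS, "run-kubectl-from-pod")),
]

def subject_of(username):
    """Map the user name the API server reports (system:serviceaccount:ns:name) to a subject."""
    parts = username.split(":")
    if parts[:2] == ["system", "serviceaccount"] and len(parts) == 4:
        return ("ServiceAccount", parts[2], parts[3])
    return ("User", "", username)

def rule_matches(rule, verb, group, resource):
    """A rule matches when verb, apiGroup and resource are each listed (or '*')."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["verbs"], verb) and hit(rule["apiGroups"], group)
            and hit(rule["resources"], resource))

def can_i(username, verb, resource, group="", ns=NS):
    """Equivalent of `kubectl auth can-i VERB RESOURCE` for a namespaced resource."""
    subj = subject_of(username)
    for b_ns, role, b_subj in BINDINGS:
        if b_ns == ns and b_subj == subj and any(
                rule_matches(r, verb, group, resource) for r in ROLES[role]):
            return True
    return False  # nothing grants it: the API server answers "forbidden"

def can_annotate_sa(username, ns=NS):
    """kubectl annotate reads the object and then PATCHes it, so it needs get and patch."""
    return all(can_i(username, v, "serviceaccounts", "", ns) for v in ("get", "patch"))

if __name__ == "__main__":
    for sa in ("default", "eks-sa", "run-kubectl-from-pod"):
        user = f"system:serviceaccount:{NS}:{sa}"
        print(user, "can annotate serviceaccounts:", can_annotate_sa(user))
```

Running it shows that only the pod service account bound to modify-service-accounts passes, while eks-sa (which holds the asker's common-role) can get but not patch, and default has no grant at all.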
