CODEWITHSUNDEEP
kubernetesamazon-s3amazon-iamamazon-eksazure-aks
RyanDotnet
RyanDotnet

Reputation: 144

How to access an AWS s3 bucket from an AKS cluster

I have some pods running in an AKS cluster which are trying to access AWS s3 buckets (using azure blobs are not an option because of the current architecture). I have read about IAM roles for Kubernetes Service Accounts but it mentions about EKS clsuters. Is there any way out here, can we create a service account in AKS with the IAM role to access a s3 bucket in AWS (probably in a different location)

Upvotes: 0

Views: 2151

Answers (3)

Richard P
Richard P

Reputation: 37

I have solved it as follows:

On the AKS cluster, enable OIDC issuer and workload identity. You will obtain a cluster issuer URL in the form of southcentralus.oic.prod-aks.azure.com/something/something/. On Azure, create a Managed Identity and under Settings>Federated Identity configure it with cluster issuer URL obtained in step 1, target namespace and target service account name. You can also set the audience (default is api://AzureADTokenExchange). In AWS, create a new Identity Provider with the following config:

{
    "Url": "southcentralus.oic.prod-aks.azure.com/something/something/",
    "ClientIDList": [
        "api://AzureADTokenExchange" // or whatever you chose in step 3
    ]
}

Then, create the target IAM role (the one you want to assume on the pod) with a trust policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::MYACCOUNT:oidc-provider/southcentralus.oic.prod-aks.azure.com/something/something/"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "southcentralus.oic.prod-aks.azure.com/something/something/:sub": "system:serviceaccount:AKS_NAMESPACE:AKS_SERVICE_ACCOUNT"
                }
            }
        }
    ]
}

So "Federated" and "StringEquals" contain AKS OIDC issuer URL.

5.On the Kubernetes cluster, create a serviceaccount with the following annotation: azure.workload.identity/client-id: YOUR_MANAGED_IDENTITY_CLIENT_ID.

6.Ensure your pod has the following label: azure.workload.identity/use=true

If everything is set correctly, the mutating webhook will inject a token inside the pod (you can find the path with env | grep azure -i)

AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token
AZURE_CLIENT_ID=xxxxxxxxxxxxxxx
AZURE_TENANT_ID=xxxxxxxxxxxxxxx
AZURE_AUTHORITY_HOST=https://login.microsoftonline.com/

Then just install AWS CLI, and run assume-role-with-web-identity using the token in the file of AZURE_FEDERATED_TOKEN_FILE.

Upvotes: 0

Piosipov
Piosipov

Reputation: 83

It's possible to solve w/o involving Cognito. You need to set up following:

  1. AKS OIDC issuer
  2. AWS OIDC provider
  3. Enable workload identity in AKS with Federated Identity

So it works like this: when you create OIDC provider in AWS you put AKS cluster issuer URL there. Then you just create a role that will have trust policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::MYACCOUNT:oidc-provider/southcentralus.oic.prod-aks.azure.com/something/something/"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "southcentralus.oic.prod-aks.azure.com/something/something/:sub": "system:serviceaccount:AKS_NAMESPACE:AKS_SERVICE_ACCOUNT"
                }
            }
        }
    ]
}

So "Federated" and "StringEquals" contain AKS OIDC issuer URL.

To test this:

If your workload-identity annotation for POD works fine - mutating webhook will inject a token inside the pod (you can find the path with "env | grep azure -i")

AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token
AZURE_CLIENT_ID=xxxxxxxxxxxxxxx
AZURE_TENANT_ID=xxxxxxxxxxxxxxx
AZURE_AUTHORITY_HOST=https://login.microsoftonline.com/

Then just install AWS CLI, and run assume-role-with-web-identity using the token in the file of AZURE_FEDERATED_TOKEN_FILE.

Upvotes: 2

Philip Welz
Philip Welz

Reputation: 2807

Sounds Workload identity with identity federation could be a fit for your scenario.

The idea would be to enable the OIDC feature flag on your AKS and then create a federated identity trust between an AKS Kubernetes service account and AWS.

Maybe this and this articles will guide you.

Upvotes: 0

Related Questions