EKS Pod Identity
Definition
EKS Pod Identity refers to the mechanism by which Kubernetes pods running on Amazon Elastic Kubernetes Service (EKS) can securely assume AWS Identity and Access Management (IAM) roles. This allows pods to access AWS resources without needing to manage AWS credentials directly within the pods. By using IAM roles for service accounts (IRSA), EKS can assign specific permissions to pods, enhancing security by adhering to the principle of least privilege.
Secure Settings Example
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-app-service-account
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/<iam-role-name>
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-app
spec:
replicas: 2
selector:
matchLabels:
app: my-app
template:
metadata:
labels:
app: my-app
spec:
serviceAccountName: my-app-service-account
containers:
- name: my-app-container
image: my-app-image:latest
Insecure Settings Example
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-app-service-account
# Missing IAM role annotation, leading to potential use of default credentials
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-app
spec:
replicas: 2
selector:
matchLabels:
app: my-app
template:
metadata:
labels:
app: my-app
spec:
serviceAccountName: my-app-service-account
containers:
- name: my-app-container
image: my-app-image:latest
env:
- name: AWS_ACCESS_KEY_ID
value: "AKIAIOSFODNN7EXAMPLE" # Hardcoded credentials
- name: AWS_SECRET_ACCESS_KEY
value: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"