Running kiam server securely

2/11/2019

Can anyone explain an example of using kiam on Kubernetes to manage service-level access control to AWS resources?

According to the docs:

The server is the only process that needs to call sts:AssumeRole and can be placed on an isolated set of EC2 instances that don't run other user workloads.

I would like to know how to run the server part of it away from the nodes that host your services.

-- ruud
amazon-iam
aws-eks
kiam
kubernetes

1 Answer

9/20/2019

Answer: KIAM architecture is well explained here: https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam

Basically you want to use Master Nodes in your cluster with IAM::STS permissions on them to install the Server portion of kiam and then let your worker nodes connect to master nodes to retrieve credentials.

DISCLAIMER: I did some digging on kube2iam and kiam without going all the way through to taking them to a test bench and wasn't happy with what I found out. It turns out we don't need them anymore starting with K8s 1.13 in EKS, that is, as of September 4th, as native support from AWS has been added for pods to access IAM STS.

https://docs.aws.amazon.com/en_pv/eks/latest/userguide/iam-roles-for-service-accounts.html

-- einarc
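As an added example (not from the question, the answer, or the kiam project's own deploy manifests), the following manifests implement the placement the answer describes: the kiam server runs only on an isolated set of nodes, and the agent runs on the workers. It assumes the server nodes carry the label `node-role/kiam-server=true` and the taint `kiam-server=true:NoSchedule`, and that only their instance role is allowed to call `sts:AssumeRole` on the pod roles; on EKS the control plane is managed and cannot host pods, so a small dedicated node group plays the part of the "master nodes" in the answer. Flag names follow the kiam v3 CLI; the image tag, TLS secret names, the `cali+` interface prefix and the AWS account id are placeholders.

```yaml
# Added example: kiam server on isolated nodes, kiam agent on worker nodes.
# Assumed (not from the page): server nodes are labelled node-role/kiam-server=true,
# tainted kiam-server=true:NoSchedule, and their instance role may call
# sts:AssumeRole on arn:aws:iam::123456789012:role/k8s-pods/*; worker instance
# roles have no sts:AssumeRole permission. Each pod role's trust policy names the
# server nodes' instance role as the principal allowed to assume it.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kiam-server
  namespace: kube-system
spec:
  selector:
    matchLabels: {app: kiam, role: server}
  template:
    metadata:
      labels: {app: kiam, role: server}
    spec:
      serviceAccountName: kiam-server   # RBAC for reading pods/namespaces not shown
      # Only the isolated nodes match the selector and tolerate the taint.
      nodeSelector:
        node-role/kiam-server: "true"
      tolerations:
        - {key: kiam-server, operator: Equal, value: "true", effect: NoSchedule}
      volumes:
        - name: ssl-certs
          hostPath: {path: /etc/ssl/certs}
        - name: tls
          secret: {secretName: kiam-server-tls}   # placeholder: server cert, key, CA
      containers:
        - name: kiam
          image: quay.io/uswitch/kiam:v3.3   # placeholder tag
          command: ["/kiam"]
          args:
            - server
            - --json-log
            - --level=warn
            - --bind=0.0.0.0:443
            - --cert=/etc/kiam/tls/server.pem
            - --key=/etc/kiam/tls/server-key.pem
            - --ca=/etc/kiam/tls/ca.pem
            - --role-base-arn-autodetect
            - --sync=1m
          volumeMounts:
            - {name: ssl-certs, mountPath: /etc/ssl/certs}
            - {name: tls, mountPath: /etc/kiam/tls}
---
apiVersion: v1
kind: Service
metadata:
  name: kiam-server
  namespace: kube-system
spec:
  clusterIP: None   # headless: agents load-balance across server pods themselves
  selector: {app: kiam, role: server}
  ports:
    - {name: grpclb, port: 443, targetPort: 443}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kiam-agent
  namespace: kube-system
spec:
  selector:
    matchLabels: {app: kiam, role: agent}
  template:
    metadata:
      labels: {app: kiam, role: agent}
    spec:
      hostNetwork: true   # the agent must own the node's 169.254.169.254 redirect
      # No toleration for kiam-server=true:NoSchedule, so the agent never lands on
      # the server nodes; those run no user pods, so there is nothing to intercept.
      volumes:
        - name: xtables
          hostPath: {path: /run/xtables.lock, type: FileOrCreate}
        - name: tls
          secret: {secretName: kiam-agent-tls}   # placeholder: agent cert, key, CA
      containers:
        - name: kiam
          image: quay.io/uswitch/kiam:v3.3
          securityContext:
            capabilities:
              add: ["NET_ADMIN"]   # required to install the metadata iptables rule
          command: ["/kiam"]
          args:
            - agent
            - --iptables
            - --host-interface=cali+   # assumption: Calico; use your CNI's pod interface prefix
            - --cert=/etc/kiam/tls/agent.pem
            - --key=/etc/kiam/tls/agent-key.pem
            - --ca=/etc/kiam/tls/ca.pem
            - --server-address=kiam-server:443
          volumeMounts:
            - {name: tls, mountPath: /etc/kiam/tls}
            - {name: xtables, mountPath: /run/xtables.lock}
```

Two checks are worth making after applying this. First, `kubectl -n kube-system get pods -l app=kiam -o wide` should show the server pods only on the labelled nodes and the agent pods only on the workers. Second, from a pod on a worker, `curl 169.254.169.254/latest/meta-data/iam/security-credentials/` should return the role named in the pod's `iam.amazonaws.com/role` annotation, not the worker's instance role; since the worker instance role holds no `sts:AssumeRole`, a pod that escaped the redirect would reach the node role but could not assume any pod role from it. The agent-to-server link is mutual TLS, so the headless Service being reachable from pods does not let them request credentials without the agent certificate.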
Source: StackOverflow