Allow kubernetes application to access other AWS resources?

8/27/2019

I want to deploy an application in AWS EKS using kubernetes. My application needs to access the SQS and AWS S3. I am not sure how to allow the kubernetes application to access the SQS and S3. I looked into RBAC but I guess RBAC only provides access to manage the cluster, namespace or pods.

I am trying to pass the access key and secret key as the secrets to the environment variable and allow the permission. But I think this is not a good idea.

Is there any other way like creating the IAM role and passing the role to the pods running the application? If I try to provide the permission in the worker node role then all the pods sharing the node will get that permission. I need something like the specific pod or container will get the permission

I also tried to create the RBAC in which a role is assigned to the group and the group is bind to the namespace.

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: default
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxxxxxxx:role/EksWorkers-NodeInstanceRole-xxxxx
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::xxxxxxxxx:role/iam-role-for-application
      groups:
        - app-group

and

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admins
  namespace: default
subjects:
- kind: Group
  name: app-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
-- programmingtech
amazon-iam
aws-eks
kubernetes

1 Answer

8/27/2019
-- Tummala Dhanvi
Source: StackOverflow