How to inject AWS account number into k8s ServiceAccount?

9/18/2019

A few weeks ago AWS announced "Fine-Grained IAM Roles for Service Accounts" for EKS. It seems neat, and now we'd love to make it work for our current deployments with Helm. Applications are packaged in Helm charts, where all necessary resources for that service are defined. Application charts have no clue, by design, about where they run, whether namespace, environment or even AWS account. This makes charts very portable, easily installable in any namespace / cluster. We store our secrets in Vault, and at runtime the pod finds out environment-specific info with:

- name: VAULT_AUTHBACKEND
  valueFrom:
    secretKeyRef:
      name: vaultinfo
      key: cluster

vaultinfo comes from another chart that is set up when a new namespace is set up.

Now, for EKS to use IAM roles per pod, I need to inject the role ARN as the value for the 'eks.amazonaws.com/role-arn' annotation of a ServiceAccount. This is my problem. The name of the role is not an issue, as it can be figured out through a naming convention. The role's AWS account, however, cannot be, and valueFrom only appears to be valid for a Pod spec.

Any ideas how to get the AWS account into the ServiceAccount resource? The ServiceAccount resource must be owned by the Helm chart and not modified by something else after installation.

-- user3421490
amazon-web-services
aws-eks
kubernetes
kubernetes-helm
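One way to keep the chart portable is to make the account number a chart value supplied at install time (for example `--set aws.accountId=...`) and build the annotation in `templates/serviceaccount.yaml`, failing the render when the value is missing or malformed rather than emitting a half-formed ARN. The Go program below is an added example, not code from the question or from Helm: it renders such a template with Go's text/template, emulating Helm's `required` function, and assumes a value name of `aws.accountId` and a `<release>-role` naming convention for the role.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"text/template"
)

// saTemplate stands in for a chart's templates/serviceaccount.yaml. The
// account id comes from a chart value, so the chart stays ignorant of
// which account or cluster it is installed into. (Assumed value name.)
const saTemplate = `apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::{{ required "aws.accountId is required" .Values.aws.accountId }}:role/{{ .Release.Name }}-role
`

// AWS account numbers are exactly 12 digits; reject anything else up front.
var accountRe = regexp.MustCompile(`^[0-9]{12}$`)

// requiredFn emulates Helm's `required`: an empty value aborts the render.
func requiredFn(msg string, v interface{}) (interface{}, error) {
	if v == nil || v == "" {
		return nil, fmt.Errorf("%s", msg)
	}
	return v, nil
}

// RenderServiceAccount renders the ServiceAccount manifest for one release.
func RenderServiceAccount(release, namespace, accountID string) (string, error) {
	if accountID != "" && !accountRe.MatchString(accountID) {
		return "", fmt.Errorf("aws.accountId %q is not a 12-digit account number", accountID)
	}
	tmpl, err := template.New("sa").Funcs(template.FuncMap{"required": requiredFn}).Parse(saTemplate)
	if err != nil {
		return "", err
	}
	data := map[string]interface{}{
		"Release": map[string]string{"Name": release, "Namespace": namespace},
		"Values":  map[string]interface{}{"aws": map[string]interface{}{"accountId": accountID}},
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, data); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// Constructed sample: helm install myapp ./chart -n team-a --set aws.accountId=123456789012
	manifest, err := RenderServiceAccount("myapp", "team-a", "123456789012")
	if err != nil {
		panic(err)
	}
	fmt.Print(manifest)
}
```

The same template can instead read the account id with Helm's `lookup` function from a ConfigMap already present in the namespace (the way `vaultinfo` is used above), but `lookup` returns an empty object under `helm template` and `--dry-run`, so the `required` guard still matters there.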

0 Answers