EKS IAM Role
This document shows you how to configure an IAM Role on Zeet resources. An IAM Role lets apps deployed in AWS access AWS services through the role instead of through explicit credentials.
Step 1. Create an IAM role in AWS with the desired permissions
You can create an IAM Role with the CLI command below or any other preferred method. Note that create-role requires an initial trust policy; trust-policy.json here is a placeholder file name for the trust policy you define in Step 3.
    aws iam create-role --role-name example --assume-role-policy-document file://trust-policy.json
Step 2.1. Find the Zeet IAM Role info
The advanced settings page on Zeet shows the Kubernetes service account namespace and name.
Step 2.2. Find the EKS OIDC Provider
Navigate to the AWS Console:
https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/identity_providers
Find the ARN of the OIDC provider that belongs to your EKS cluster.
Step 3. Grant Zeet Project the permission to assume the AWS IAM Role
Now use the information above to add the following assume-role trust policy to the AWS IAM role created in Step 1. Replace OIDC_PROVIDER with the provider's issuer host and path (the part of the ARN after oidc-provider/), and NAMESPACE and SERVICE_ACCOUNT with the values from Step 2.1; the sub condition is what restricts the role to that one service account.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::111122223333:oidc-provider/OIDC_PROVIDER"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "OIDC_PROVIDER:sub": "system:serviceaccount:NAMESPACE:SERVICE_ACCOUNT"
            }
          }
        }
      ]
    }
Example: for the AWS OIDC provider arn:aws:iam::123456:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/1234567, namespace 8da2d9e2-06a6-46f2-9668-75d539e37fa1 and service account name app-12345, the correct IAM trust policy is:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::123456:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/1234567"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "oidc.eks.us-west-1.amazonaws.com/id/1234567:sub": "system:serviceaccount:8da2d9e2-06a6-46f2-9668-75d539e37fa1:app-12345"
            }
          }
        }
      ]
    }
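As an added example (not part of Zeet's documentation or tooling), the Python below builds this trust policy from the three values collected in Step 2, and reviews an existing trust policy for the mistakes that widen who can assume the role: a missing sub condition, a wildcard subject, or no aud pin. The aud condition and the review function go beyond what the page shows; the example values are the ones used above.

```python
import json
import re

# Constructed example values, the same ones used on this page.
EXAMPLE_OIDC_ARN = "arn:aws:iam::123456:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/1234567"
EXAMPLE_NAMESPACE = "8da2d9e2-06a6-46f2-9668-75d539e37fa1"
EXAMPLE_SERVICE_ACCOUNT = "app-12345"
_OIDC_ARN = re.compile(r"^arn:aws:iam::\d+:oidc-provider/(.+)$")


def build_trust_policy(oidc_provider_arn, namespace, service_account, pin_audience=True):
    """Build the assume-role trust policy for exactly one Kubernetes service account."""
    match = _OIDC_ARN.match(oidc_provider_arn)
    if not match:
        raise ValueError(f"not an IAM OIDC provider ARN: {oidc_provider_arn}")
    issuer = match.group(1)  # e.g. oidc.eks.us-west-1.amazonaws.com/id/1234567
    conditions = {f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}"}
    if pin_audience:
        # Extra condition not shown on the page: accept only tokens minted for STS,
        # not any token the cluster issuer signs for other audiences.
        conditions[f"{issuer}:aud"] = "sts.amazonaws.com"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": oidc_provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": conditions},
        }],
    }


def trust_policy_findings(policy):
    """Review a trust policy (dict or JSON text) and return the problems found."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        keys = [k for op in cond.values() for k in op]
        if not any(k.endswith(":sub") for k in keys):
            findings.append("no ':sub' condition: any service account in the cluster can assume the role")
        for key, value in cond.get("StringLike", {}).items():
            if key.endswith(":sub") and "*" in str(value):
                findings.append(f"wildcard subject {value!r}: more than one service account matches")
        if not any(k.endswith(":aud") for k in keys):
            findings.append("no ':aud' condition: token audience is not pinned to sts.amazonaws.com")
    return findings
```

Running trust_policy_findings on the page's own example policy reports only the missing aud pin, which is the one hardening step this page leaves out.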
Step 4. Add the AWS IAM Role to Zeet
Add the role ARN (for example, arn:aws:iam::123456:role/my-role-name) to the input and save.
Your Zeet app will now authenticate to AWS with the IAM Role automatically.