Version: 1.0.0

EKS IAM Role

This document shows you how to configure an AWS IAM Role for Zeet resources. With an IAM Role attached, an app deployed in AWS assumes that role to access AWS services, so no explicit credentials (access keys) have to be stored in the app.

Step 1. Create an IAM role in AWS with the desired permissions

You can create the IAM Role with the AWS CLI commands below or with any other method you prefer. Note that `create-role` requires an initial trust policy (`--assume-role-policy-document`); the trust policy document itself is built in Step 3, so either save that document as trust-policy.json first and pass it here, or create the role with a temporary trust policy and replace it in Step 3 with `aws iam update-assume-role-policy`. Then attach the permissions the app needs, for example with `aws iam attach-role-policy`.

aws iam create-role --role-name example --assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy --role-name example --policy-arn arn:aws:iam::aws:policy/YOUR_POLICY_NAME

Step 2.1 Find the Zeet IAM Role info

The advanced settings page on Zeet will show the Kubernetes service account namespace and name.

Step 2.2 Find the EKS OIDC Provider

Navigate to the Identity providers page of the IAM console:

https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/identity_providers

Find the ARN of the OIDC provider that belongs to your EKS cluster.

Step 3. Grant Zeet Project the permission to assume the AWS IAM Role

Now use the information gathered above to add the following trust policy (assume role policy) to the AWS IAM Role created in Step 1. Replace 111122223333 with your AWS account ID, OIDC_PROVIDER with the provider host and path from the OIDC provider ARN (everything after oidc-provider/), and NAMESPACE and SERVICE_ACCOUNT with the values from Step 2.1. The StringEquals condition on sub restricts the role so that only that one Kubernetes service account can assume it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/OIDC_PROVIDER"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "OIDC_PROVIDER:sub": "system:serviceaccount:NAMESPACE:SERVICE_ACCOUNT"
        }
      }
    }
  ]
}
Info: For the AWS OIDC Provider arn:aws:iam::123456:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/1234567, namespace 8da2d9e2-06a6-46f2-9668-75d539e37fa1 and service account name app-12345, the correct IAM trust policy is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/1234567"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-west-1.amazonaws.com/id/1234567:sub": "system:serviceaccount:8da2d9e2-06a6-46f2-9668-75d539e37fa1:app-12345"
        }
      }
    }
  ]
}
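The following script is an added example and is not part of the Zeet documentation or the Zeet product. It generates the Step 3 trust policy from the three values collected in Step 2 (OIDC provider ARN, namespace, service account name), and it checks an existing trust policy, such as the AssumeRolePolicyDocument returned by `aws iam get-role`, to confirm it is pinned to exactly one service account with no wildcard condition. The function names, the file name trust-policy.json and the sample values are assumptions; the sample values are taken from the Info example above. The script goes one step beyond the page's policy by also adding an aud condition: AWS documents sts.amazonaws.com as the audience of IRSA tokens, and pinning it prevents a token issued for another audience from assuming the role.

```shell
#!/bin/sh
# Added example (not from the Zeet docs): build the IRSA trust policy from the
# values in Step 2 and verify an existing trust policy is scoped to one
# service account. Function names and trust-policy.json are assumed names.

# build_trust_policy OIDC_PROVIDER_ARN NAMESPACE SERVICE_ACCOUNT
# Prints the trust-policy JSON on stdout. Returns 1 if the ARN is not an
# OIDC provider ARN or if the namespace or service account name is missing.
build_trust_policy() {
    arn=$1; ns=$2; sa=$3

    case $arn in
        arn:aws:iam::*:oidc-provider/*) ;;
        *) echo "error: not an OIDC provider ARN: $arn" >&2; return 1 ;;
    esac
    if [ -z "$ns" ] || [ -z "$sa" ]; then
        echo "error: namespace and service account name are required" >&2
        return 1
    fi

    # The condition keys use the provider host and path, i.e. everything after
    # "oidc-provider/" in the ARN (no arn:aws:iam::ACCOUNT: prefix).
    provider=${arn#*:oidc-provider/}

    # The aud condition is an addition beyond the page's policy (assumption:
    # AWS documents sts.amazonaws.com as the IRSA token audience).
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "$arn"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "$provider:sub": "system:serviceaccount:$ns:$sa",
          "$provider:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
}

# check_trust_policy NAMESPACE SERVICE_ACCOUNT < trust-policy.json
# Reads a pretty-printed trust policy on stdin. Returns 0 only if a
# StringEquals sub condition pins exactly system:serviceaccount:NAMESPACE:SERVICE_ACCOUNT,
# 2 if a StringLike (wildcard-capable) condition is present, 1 otherwise.
check_trust_policy() {
    ns=$1; sa=$2
    policy=$(cat)
    expected="system:serviceaccount:$ns:$sa"

    if printf '%s\n' "$policy" | grep -q 'StringLike'; then
        echo "warning: StringLike condition found; a wildcard can let other service accounts assume the role" >&2
        return 2
    fi
    # The closing quote in the pattern prevents prefix matches (app-1234 vs app-12345).
    printf '%s\n' "$policy" | grep -qF ":sub\": \"$expected\"" || {
        echo "error: no StringEquals sub condition for $expected" >&2
        return 1
    }
    return 0
}

# Usage:
#   sh irsa-trust.sh --write PROVIDER_ARN NAMESPACE SERVICE_ACCOUNT > trust-policy.json
#   aws iam update-assume-role-policy --role-name example --policy-document file://trust-policy.json
#   aws iam get-role --role-name example --query Role.AssumeRolePolicyDocument | sh -c '. ./irsa-trust.sh; check_trust_policy NAMESPACE SERVICE_ACCOUNT'
if [ "${1:-}" = "--write" ]; then
    build_trust_policy "$2" "$3" "$4"
fi
```

The generator refuses anything that is not an OIDC provider ARN (for example a role ARN pasted by mistake), and the checker treats a StringLike condition as a finding because a wildcard in sub widens the set of service accounts that can assume the role beyond the single one the page intends.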

Step 4. Add the AWS IAM Role to Zeet

Add the role ARN, for example arn:aws:iam::123456:role/my-role-name, to the IAM Role input field and save.

Your Zeet app is now automatically authenticated to AWS with the IAM Role, without any access keys configured in the app.