Amazon Elastic Kubernetes Service (EKS) is a powerful managed Kubernetes service that simplifies container management. When working with EKS, securely pulling container images is crucial, and this often involves AWS credentials. However, you can streamline this process by leveraging IAM roles for your Kubernetes pods, eliminating the need to manage AWS credentials directly.
In this guide, we’ll walk you through the steps to set up IAM roles for pods in Amazon EKS, allowing your pods to pull container images without the hassle of AWS credentials.
Prerequisites
Before we begin, make sure you have the following:
- An existing Amazon EKS cluster.
- An Amazon Elastic Container Registry (ECR) repository with the container image you want to use.
Step 1: Create an IAM Role for Service Accounts (IRSA)
Start by creating an IAM role that your pods can assume. This role should grant the necessary permissions to access the ECR repository. Here’s how to create it:
aws iam create-role \
--role-name my-ecr-access-role \
--assume-role-policy-document file://eks-trust-policy.jsonCreate a eks-trust-policy.json file with the following content:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"sts:ExternalId": "eks-cluster-id"
}
}
}
]
}Replace "eks-cluster-id" with the actual ID or name of your EKS cluster. This policy allows the EKS service to assume the IAM role with the specified external ID, enhancing security.
Step 2: Associate the IAM Role with a Kubernetes Service Account
Next, you need to associate the IAM role you created with a Kubernetes service account. This step is crucial for binding your IAM role to your Kubernetes pods. Annotate your service account as follows:
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-app-service-account
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/my-ecr-access-roleStep 3: Create a Kubernetes Deployment or Pod
Now that your service account is associated with the IAM role, create a Kubernetes deployment or pod that references this service account:
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-app-deployment
spec:
replicas: 2
selector:
matchLabels:
app: my-app
template:
metadata:
labels:
app: my-app
spec:
serviceAccountName: my-app-service-account # Reference the service account here
containers:
- name: my-app-container
image: <your-ecr-image-uri>Replace <your-ecr-image-uri> with the URI of the container image in your ECR repository.
Step 4: Pod IAM Roles and Policies
Ensure that your IAM role (my-ecr-access-role) has the necessary permissions to pull images from the ECR repository. Attach policies like AmazonEC2ContainerRegistryReadOnly to grant the required permissions.
Step 5: Deploy the Kubernetes Resources
Apply the Kubernetes YAML files to create the deployment and service account. The pods spawned by the deployment will automatically assume the IAM role associated with the service account.
With these steps completed, your EKS pods can effortlessly pull container images from ECR without managing AWS credentials directly. This approach enhances security and simplifies your Kubernetes cluster management.
In conclusion, leveraging IAM roles for pods in Amazon EKS enhances your container image pulling process, reducing the complexity of managing AWS credentials. This is particularly valuable for security-conscious and streamlined DevOps practices in Kubernetes deployments.
Explore AWS-backed automated image pulling on EKS and empower your containerized applications. Ideal for AWS enthusiasts and DevOps professionals, this guide simplifies complex configurations, ensuring secure image access and enhancing your deployment efficiency. Unleash the full potential of your EKS cluster — seamless, efficient, and secure container management awaits!
Happy deploying on Amazon EKS!




