AWS STS: IAM roles for ServiceAccounts on AWS ROSA

OpenShift IRSA STS ROSA

2 min read | by Jordi Prats

AWS ROSA is integrated with AWS STS, which lets us set up IRSA (IAM roles for service accounts) just as we would on an EKS cluster: a pod gets a projected OIDC token for its ServiceAccount and exchanges it, through sts:AssumeRoleWithWebIdentity, for temporary credentials of a role whose trust policy names the cluster's OIDC identity provider.

To create the policy we want to push to AWS we'll have to create a CredentialsRequest with the statements we want. For example, the following object allows read/write access to the test-pet2cattle-s3 bucket (one statement for the objects, one for the bucket itself) and listing the account's buckets, which needs s3:ListAllMyBuckets on resource '*'. The secretRef and serviceAccountNames fields tie the credentials to the demo ServiceAccount in the test namespace:

apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: demo-aws-s3
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
    # objects inside the bucket
    - action:
      - s3:Get*
      - s3:List*
      - s3:PutObject*
      - s3:DeleteObject*
      effect: Allow
      resource: arn:aws:s3:::test-pet2cattle-s3/*
    # the bucket itself (needed for ListBucket and similar)
    - action:
      - s3:Get*
      - s3:List*
      - s3:PutObject*
      - s3:DeleteObject*
      effect: Allow
      resource: arn:aws:s3:::test-pet2cattle-s3
    # listing buckets cannot be scoped to a single bucket ARN
    - action:
      - s3:ListAllMyBuckets
      effect: Allow
      resource: 'arn:aws:s3:::*'
  secretRef:
    name: demo-s3-cloud-credentials
    namespace: test
  serviceAccountNames:
  - demo

To create the IAM role we'll have to use the ccoctl tool. It names the role after the --name prefix plus the secretRef namespace and name, so, assuming we have the previous definition under credreq/req.yaml, the following command creates the demo-sts-test-demo-s3-cloud-credentials IAM role. Its trust policy only allows tokens issued by the cluster's OIDC identity provider for the demo ServiceAccount in the test namespace to assume it:

ccoctl aws create-iam-roles \
  --name=demo-sts \
  --region=eu-central-1 \
  --credentials-requests-dir=credreq \
  --identity-provider-arn=arn:aws:iam::123456789876:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/cdefb6lj4p4k1a01i561h9rb221cv53

We could derive the IAM role name from the CredentialsRequest data, but it is safer to take its ARN from ccoctl's output:

$ ccoctl aws create-iam-roles --name=demo-sts --region=eu-central-1 --credentials-requests-dir=credreq --identity-provider-arn=arn:aws:iam::123456789876:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/cdefb6lj4p4k1a01i561h9rb221cv53
2022/10/15 09:33:21 Role arn:aws:iam::123456789876:role/demo-sts-test-demo-s3-cloud-credentials created
2022/10/15 09:33:21 Updated Role policy for Role demo-sts-test-demo-s3-cloud-credentials

At this point we just need to annotate the ServiceAccount with the eks.amazonaws.com/role-arn annotation, as we would do with any other IRSA-enabled ServiceAccount. The ServiceAccount has to be the one the trust policy allows, demo in the test namespace:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo
  namespace: test
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789876:role/demo-sts-test-demo-s3-cloud-credentials

We can finally test it using a pod with awscli:

apiVersion: v1
kind: Pod
metadata:
  name: demo-sts
  namespace: test
spec:
  serviceAccountName: demo
  containers:
  - name: demo-sts
    image: amazon/aws-cli
    command: ["/bin/sleep"]
    args: ["infinity"]

Where we can try to list S3 buckets as follows:

$ kubectl exec -it demo-sts -- sh
sh-4.2# aws s3 ls
2022-10-15 06:54:28 test-pet2cattle-s3
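What actually decides which pods can use this role is not the annotation on the ServiceAccount but the trust policy ccoctl attached to the role: the federated principal must be the cluster's OIDC provider and the token's sub claim must be pinned to system:serviceaccount:test:demo. The following Python script is an added example, not code from the post or from ccoctl: it audits a role trust policy document for exactly those two properties. The three policy documents inside it are constructed for this example in the shape IRSA trust policies take, using the post's placeholder account and provider; ccoctl's real output may differ in ordering or contain additional statements, so run the check on what aws iam get-role returns.

```python
"""Audit an IRSA-style role trust policy for a ROSA STS cluster (added example)."""
import json

# Values taken from the post; the account ID and OIDC provider are its placeholders.
OIDC_PROVIDER_ARN = ("arn:aws:iam::123456789876:oidc-provider/"
                     "rh-oidc.s3.us-east-1.amazonaws.com/cdefb6lj4p4k1a01i561h9rb221cv53")
EXPECTED_SUB = "system:serviceaccount:test:demo"


def _issuer(provider_arn):
    # The condition key is "<issuer host/path>:sub", i.e. the provider ARN without its prefix.
    return provider_arn.split("oidc-provider/", 1)[1]


def _trust_doc(condition):
    # Helper to build the constructed sample documents below.
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": OIDC_PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            **({"Condition": condition} if condition else {}),
        }],
    })


# Constructed: what a correctly scoped trust policy looks like (one exact sub).
GOOD_TRUST_POLICY = _trust_doc(
    {"StringEquals": {f"{_issuer(OIDC_PROVIDER_ARN)}:sub": EXPECTED_SUB}})
# Constructed weak variant: a wildcard lets every ServiceAccount in "test" assume the role.
WEAK_TRUST_POLICY = _trust_doc(
    {"StringLike": {f"{_issuer(OIDC_PROVIDER_ARN)}:sub": "system:serviceaccount:test:*"}})
# Constructed open variant: no condition at all, any token the cluster issues is accepted.
OPEN_TRUST_POLICY = _trust_doc(None)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc, provider_arn, expected_sub):
    """Return a list of findings; an empty list means every Allow statement is
    bound to the expected OIDC provider and to exactly one ServiceAccount."""
    sub_key = f"{_issuer(provider_arn)}:sub"
    findings = []
    for i, st in enumerate(json.loads(doc)["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            findings.append(f"statement {i}: Allow for unexpected action {st.get('Action')!r}")
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict) or principal.get("Federated") != provider_arn:
            findings.append(f"statement {i}: principal {principal!r} is not the cluster OIDC provider")
        cond = st.get("Condition", {})
        subs = cond.get("StringEquals", {}).get(sub_key)
        if subs is None:
            if sub_key in cond.get("StringLike", {}):
                findings.append(f"statement {i}: sub matched with StringLike "
                                f"{cond['StringLike'][sub_key]!r}, not pinned to one ServiceAccount")
            else:
                findings.append(f"statement {i}: no {sub_key} condition, any token from this cluster is accepted")
            continue
        extra = [s for s in _as_list(subs) if s != expected_sub]
        if extra:
            findings.append(f"statement {i}: additional ServiceAccounts allowed: {extra}")
    return findings


if __name__ == "__main__":
    for label, doc in (("good", GOOD_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY), ("open", OPEN_TRUST_POLICY)):
        print(label, audit_trust_policy(doc, OIDC_PROVIDER_ARN, EXPECTED_SUB) or "ok")
```

To audit the real role, feed the AssumeRolePolicyDocument from aws iam get-role --role-name demo-sts-test-demo-s3-cloud-credentials to audit_trust_policy; a non-empty result means more than the demo ServiceAccount can obtain these S3 permissions.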

Posted on 25/10/2022
