2 min read
To run a process locally, we may need ServiceAccount credentials so that it has exactly the same permissions it would have when running as a Pod. To do so, we can import the ServiceAccount token into our kubeconfig and impersonate it.
29/05/2023
1 min read
Starting with Kubernetes 1.24, Secrets are not automatically generated when ServiceAccounts are created. Since no Secret is generated when we create a ServiceAccount, how can we create ServiceAccount Secrets so that external applications can access the Kubernetes API?
17/04/2023
2 min read
On AWS EKS you can associate an IAM role with a Kubernetes service account. The assume role policy is going to look like this:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::123456789123:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20:sub": "system:serviceaccount:demons:demosa"
            }
          }
        }
      ]
    }

Let's take a look at how to create this role using Terraform.
24/11/2021