Finding IAM role used by a POD


When using EKS (Kubernetes on AWS), a pod might be attached to an IAM role that grants permissions over other AWS services (S3 buckets, EC2 instances, RDS, etc.). The IAM role can be attached to the pod in different ways.

  • It could be the default instance profile of the EC2 instance used for the nodes.
  • Indicating the iam.amazonaws.com/role: <my-role-name> annotation when creating the pod/deployment, where <my-role-name> refers to an existing IAM role in AWS with an AssumeRole trust relationship to the EKS cluster.
  • Creating a service account able to assume that role, and using that service account on the pod. The service account is an iamserviceaccount specific to AWS, created through eksctl.

Whatever method gives our pod an IAM role, once the pod is running we might need to verify which IAM role is available, or otherwise switch to the desired IAM role. Finding the IAM role available in the pod is as easy as running the following commands.

kubectl exec -it myapp-podid -- sh
$ curl -s 169.254.169.254/latest/meta-data/iam/security-credentials/

First we open a sh session on the pod. Once inside the pod, curl queries the EC2 instance metadata endpoint (169.254.169.254). The response identifies the IAM role used by the pod.

my-role-name    #if attached by the iam.amazonaws.com/role annotation
or
my-role-nameroot@myapp-podid   #if attached by an EC2 default instance profile

With that we can identify that the pod is using the IAM role my-role-name.
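The same check, scripted so it can run inside the pod and also cover the service-account case, which the metadata endpoint does not show (the EKS pod identity webhook injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE instead). This is an added example, not code from the original post; the function names are my own, and the fetch function is injectable so the logic can be checked offline with constructed responses.

```python
"""Report which IAM identity a pod can reach, and from where (added example)."""
import os
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def imds_get(path, timeout=2):
    """Fetch a metadata path, trying IMDSv2 (session token) first.
    Returns the body as text, or None when IMDS is unreachable or answers 404."""
    headers = {}
    try:
        req = urllib.request.Request(
            IMDS + "/latest/api/token", method="PUT",
            headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
        with urllib.request.urlopen(req, timeout=timeout) as r:
            headers["X-aws-ec2-metadata-token"] = r.read().decode()
    except (urllib.error.URLError, OSError):
        pass  # no IMDSv2 token (hop limit or v1-only); fall back to a plain request
    try:
        req = urllib.request.Request(IMDS + path, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.read().decode()
    except (urllib.error.URLError, OSError):
        return None


def pod_identity(env=None, fetch=imds_get):
    """Return (source, role) for the IAM identity visible to the pod.

    'irsa' - service-account web identity; role is the ARN from AWS_ROLE_ARN
    'imds' - role name listed by the metadata endpoint, i.e. the node instance
             profile or an iam.amazonaws.com/role annotated role
    'none' - neither path yields a role (IMDS blocked and no IRSA variables)
    """
    env = os.environ if env is None else env
    if env.get("AWS_ROLE_ARN") and env.get("AWS_WEB_IDENTITY_TOKEN_FILE"):
        return "irsa", env["AWS_ROLE_ARN"]
    body = fetch(CREDS_PATH)
    if body and body.strip():
        # Listing is one role name per line; curl shows it without a trailing newline.
        return "imds", body.strip().splitlines()[0]
    return "none", None


if __name__ == "__main__":
    source, role = pod_identity()
    print("identity source: %s, role: %s" % (source, role))
```

If the script reports the node instance profile for a pod that was meant to use its own role, the pod inherits every permission of the node; the usual fix is to block IMDS from pods (IMDSv2 with hop limit 1) and rely on the service-account role.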
