When using EKS (Kubernetes on AWS), a pod might be attached to an IAM role that grants permissions over other AWS services (S3 buckets, EC2 instances, RDS, etc.). The IAM role can be attached to the pod in different ways:
- It could be the default instance profile of the EC2 instance used for the nodes.
- Indicating the iam.amazonaws.com/role: <my-role-name> annotation when creating the pod/deployment, where <my-role-name> refers to an existing IAM role in AWS with an AssumeRole trust relationship to the EKS cluster.
- Creating a service account able to assume that role, and using that service account on the pod. The service account is an iamserviceaccount specific for AWS and created through
Whichever method gives our pod an IAM role, once the pod is running we might need to validate which IAM role is available, or otherwise switch to the desired one. Finding the IAM role available in the pod is as easy as running the following commands.
kubectl exec -it myapp-podid -- sh
$ curl -s 169.254.169.254/latest/meta-data/iam/security-credentials/
First we open a sh session on the pod. Once inside the sh session, curl queries the metadata endpoint. The response will help us identify the IAM role used by the pod.
my-role-name                    # if attached by the iam.amazonaws.com/role annotation
my-role-nameroot@myapp-podid    # if attached by an EC2 default instance profile
In the second case the shell prompt root@myapp-podid follows the role name directly because the metadata response carries no trailing newline.
With that we can identify which IAM role the pod is using.
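As an added example (not code from the original post), the following Python script performs the same check as the curl command above and also covers the service-account method from the list at the top, which does not show up at the metadata endpoint. It assumes the IMDS endpoint and path from the post and the two environment variables the EKS pod identity webhook injects for a role-annotated service account (AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE); the sample inputs are constructed, and the newline-based hint is only a heuristic taken from the post's two sample outputs.

```python
import os
import urllib.error
import urllib.request

# Endpoint and path from the post; IMDS is only reachable from inside the pod.
IMDS_BASE = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"

# Constructed sample inputs (not captured from a real cluster) for offline runs.
SAMPLE_IRSA_ENV = {
    "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/my-role-name",
    "AWS_WEB_IDENTITY_TOKEN_FILE":
        "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
}
SAMPLE_IMDS_ANNOTATION = "my-role-name\n"   # shape of the post's first output
SAMPLE_IMDS_PROFILE = "my-role-name"        # shape of the second (no newline)


def fetch_imds_role(timeout=2.0):
    """Return the raw text IMDS serves at the credentials path, or None when
    the endpoint is unreachable (for example when IMDS access is blocked for
    pods). Tries an IMDSv2 session token first and falls back to the plain
    request the post's curl command makes."""
    headers = {}
    try:
        req = urllib.request.Request(
            IMDS_BASE + "/latest/api/token", method="PUT",
            headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            headers["X-aws-ec2-metadata-token"] = resp.read().decode()
    except (urllib.error.URLError, OSError):
        pass  # IMDSv1 may still answer without the token
    try:
        req = urllib.request.Request(IMDS_BASE + CREDS_PATH, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()
    except (urllib.error.URLError, OSError):
        return None


def classify_role(env, imds_text):
    """Pure function (so it can be tested offline) mapping the pod's
    environment and the IMDS response to the role in use and how it was
    attached. The order mirrors the AWS SDK credential chain, where the web
    identity token is consulted before IMDS.

    env:       mapping of environment variables (os.environ in a real run)
    imds_text: raw text from the credentials path, or None if unreachable
    """
    role_arn = env.get("AWS_ROLE_ARN")
    token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    # Service-account method: the pod identity webhook injects both variables
    # when the service account is annotated with a role.
    if role_arn and token_file:
        return {"source": "service-account",
                "role": role_arn.rsplit("/", 1)[-1], "arn": role_arn}
    if not imds_text or not imds_text.strip():
        return {"source": "none", "role": None, "arn": None}
    role = imds_text.strip()
    # IMDS returns a bare role name both for the node's instance profile and
    # for a role substituted for an annotated pod. The post's two outputs
    # differ only in the trailing newline, so that is reported as a hint
    # only; confirm by reading the pod's annotation with kubectl.
    hint = "annotation" if imds_text.endswith("\n") else "instance-profile"
    return {"source": "imds", "role": role, "arn": None, "hint": hint}


if __name__ == "__main__":
    samples = ((SAMPLE_IRSA_ENV, None),
               ({}, SAMPLE_IMDS_ANNOTATION),
               ({}, SAMPLE_IMDS_PROFILE))
    for env, text in samples:
        print("sample:", classify_role(env, text))
    # Live probe: only meaningful when run inside the pod.
    print("live:  ", classify_role(os.environ, fetch_imds_role()))
```

Run it with kubectl exec inside the pod to get the live result; outside a cluster the live probe simply reports "none" after the connection timeout, while the constructed samples still show each classification.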