The AWS Workload Identity add-on can be enabled for your Kubernetes cluster either during the cluster creation process or at any time thereafter. The following sections outline the methods for enabling the add-on:

During cluster creation: under Add-ons, find the AWS Workload Identity add-on in the list of available add-ons, and toggle it on.

If the AWS Workload Identity add-on was not enabled during the cluster creation, you can still enable it using either of the following methods:

Using the YAML manifest: to add it to spec.addOns in the YAML manifest of the cluster, you can edit it either by navigating to the cluster in the Console and using the Edit & Apply option for the cluster, or by applying the entire manifest using the cpln apply >_ option in the upper right corner, or by using the cpln CLI.
Add the following:
Using the Console: select Kubernetes in the left sidebar panel and click on the Kubernetes cluster for which you want to enable the add-on. Open Add-ons and locate the AWS Workload Identity add-on in the list of available add-ons, then toggle it on.

The oidcProviderUrl for the OIDC Identity Provider is in the status of the cluster. To view it:

Select View from the Actions drop down in the upper right corner.
A new window will open showing the content of the Managed Kubernetes object in the Control Plane API.
Click the Slim button so it is turned off.
The providerUrl is shown in the object at .status.addOns.awsWorkloadIdentity.oidcProviderConfig
Access management
, select Identity providers
and then click Add provider
.
OpenID Connect
, paste the Provider URL
obtained in the previous step, and click Get thumbprint
.
Audience
field, enter sts.amazonaws.com
.
The role is bound to a service account with the annotation eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/IAM-ROLE-HERE". This setup is compatible with all Kubernetes Workloads, as they ultimately provision Pods.

Follow the steps below to configure.

Start from example-trust-policy.json. Then, modify the trust policy by replacing <SERVICE_ACCOUNT> and <NAMESPACE> with the appropriate values:
For <NAMESPACE>, use default.
For <SERVICE_ACCOUNT>, use mk8s-identity-example.
Save the result as default-trust-policy.json.

Replace <ACCOUNT_ID> with your AWS Account ID in the following YAML configuration:

identity-example can now access AWS resources using the IAM role arn:aws:iam::<ACCOUNT_ID>:role/mk8s-identity-example.
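As an added example (not the Control Plane docs' own code, and not the contents of example-trust-policy.json, which are not shown here), the helper below builds a trust policy of the standard IAM web-identity shape for the default / mk8s-identity-example pair above and flags one that is scoped too loosely. The account ID and provider URL are constructed placeholders, and the condition keys follow the usual <provider>:aud / <provider>:sub pattern, which is an assumption about how the real trust policy is written.

```python
import json
from urllib.parse import urlparse

# Constructed sample values: the page uses <ACCOUNT_ID> and a cluster-specific
# providerUrl; these stand in for them and are not real.
ACCOUNT_ID = "123456789012"
PROVIDER_URL = "https://oidc.example.invalid/cluster-abc"

def provider_id(oidc_provider_url: str) -> str:
    """IAM names the provider by host plus path, with the scheme dropped."""
    u = urlparse(oidc_provider_url)
    return (u.netloc + u.path).rstrip("/")

def build_trust_policy(account_id, oidc_provider_url, namespace, service_account):
    """Trust policy that lets exactly one service account assume the role.
    Assumed shape (standard IAM web-identity pattern), not the page's file."""
    pid = provider_id(oidc_provider_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{pid}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{pid}:aud": "sts.amazonaws.com",
                f"{pid}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }

def trust_policy_findings(policy):
    """Flag Allow statements that do not pin both the audience and one subject."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        cond = st.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if not any(k.endswith(":aud") and v == "sts.amazonaws.com" for k, v in equals.items()):
            findings.append("audience not pinned to sts.amazonaws.com with StringEquals")
        subs = [v for k, v in {**equals, **like}.items() if k.endswith(":sub")]
        if not subs:
            findings.append("no :sub condition: any token from this provider can assume the role")
        elif any("*" in s for s in subs):
            findings.append("wildcard :sub matches more than one service account")
    return findings

if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_ID, PROVIDER_URL, "default", "mk8s-identity-example")
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
```

Run the findings check against the trust policy you actually attach to the role: an empty list means the role can only be assumed by the one service account in the one namespace, with the sts.amazonaws.com audience entered in the identity provider step.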