
AWS Authentication via Kubernetes Service Account

kube_sa_auth_aws
Stable
Submodule
Source Code Link

Gives a Kubernetes service account in an EKS cluster access to an AWS IAM role through IRSA (IAM Roles for Service Accounts).

This allows Kubernetes pods to call the AWS API without static credentials. Recent versions of all AWS SDKs support IRSA, so application code picks up the IRSA credentials through the default credential provider chain (i.e., code changes to use these credentials are generally not required).

See the IRSA docs for more information.

Providers

The following providers are needed by this module:

  • aws (5.39.1)

  • kubernetes (2.27.0)

Required Inputs

The following input variables are required:

eks_cluster_name

Description: The name of the EKS cluster that contains the service account.

Type: string

iam_policy_json

Description: An IAM policy document in rendered JSON string form (for example, the json attribute of an aws_iam_policy_document data source).

Type: string

service_account

Description: The name of the service account that should be able to assume the AWS permissions.

Type: string

service_account_namespace

Description: The namespace of the service account.

Type: string

Optional Inputs

The following input variables are optional (have default values):

annotate_service_account

Description: Whether the module should annotate the service account with the IRSA role annotation. Set this to false if the service account object is managed elsewhere and you apply the service_account_annotations output yourself.

Type: bool

Default: true

ip_allow_list

Description: A list of IP addresses from which the service account token may be used to authenticate with the AWS API, in addition to the in-cluster addresses discovered by default (see Usage).

Type: list(string)

Default: []

Outputs

The following outputs are exported:

policy_arn

Description: The ARN of the policy assigned to the role.

role_arn

Description: The ARN of the role created for the service account.

role_name

Description: The name of the role created for the service account.

service_account_annotations

Description: The annotations to apply to the service account

Usage

IP Whitelisting

By default, this module's IRSA authentication only succeeds when the service account token is presented from an IP address inside the cluster (this includes the cluster's public NAT IPs).

This limits the usefulness of a token that an attacker extracts from the cluster, since the token cannot be exchanged for AWS credentials from an address outside the allow list.

The default allow list is discovered by searching for resource tags assigned by the aws_vpc and aws_eks modules. If you need additional IPs, or do not use those modules, you must specify the IPs explicitly via the ip_allow_list variable.
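The following is an added example, not code from the Panfactum docs or the module itself, showing how the inputs and outputs above fit together: a least-privilege policy fed into iam_policy_json, the service account managed by the caller (annotate_service_account = false with the service_account_annotations output applied manually), one extra address in ip_allow_list, and a throwaway pod that checks the credentials are picked up through the default provider chain. The module source path, the cluster name "my-cluster", the namespace "apps", the service account "uploader", the S3 bucket and the external IP are all assumptions for illustration.

```hcl
# Added example, not the project's own code. Source path, cluster name,
# namespace, service account, bucket and external IP are assumptions.

# Least-privilege policy: only the two S3 actions the workload needs, on one bucket.
data "aws_iam_policy_document" "uploader" {
  statement {
    sid       = "WriteArtifacts"
    effect    = "Allow"
    actions   = ["s3:PutObject", "s3:GetObject"]
    resources = ["arn:aws:s3:::example-artifacts/*"]
  }
}

module "uploader_aws_auth" {
  # Hypothetical source reference; pin it to your stack version.
  source = "github.com/Panfactum/stack//packages/infrastructure/kube_sa_auth_aws"

  eks_cluster_name          = "my-cluster"
  service_account           = "uploader"
  service_account_namespace = "apps"
  iam_policy_json           = data.aws_iam_policy_document.uploader.json

  # This configuration owns the ServiceAccount object, so the module must not
  # write to it; its annotations are applied below from the module output.
  annotate_service_account = false

  # One external address (assumed to be a CI runner) on top of the in-cluster
  # defaults. A token exfiltrated anywhere else cannot be exchanged for credentials.
  ip_allow_list = ["203.0.113.10"]
}

resource "kubernetes_service_account" "uploader" {
  metadata {
    name        = "uploader"
    namespace   = "apps"
    annotations = module.uploader_aws_auth.service_account_annotations
  }
}

# Check: a pod bound to the annotated service account should obtain the role
# through the default provider chain with no credentials configured by us.
resource "kubernetes_pod" "irsa_check" {
  metadata {
    name      = "irsa-check"
    namespace = "apps"
  }
  spec {
    service_account_name = kubernetes_service_account.uploader.metadata[0].name
    restart_policy       = "Never"
    container {
      name  = "aws-cli"
      image = "public.ecr.aws/aws-cli/aws-cli:latest"
      # The "Arn" in the pod log should be the assumed-role form of role_arn below.
      args  = ["sts", "get-caller-identity"]
    }
  }
}

output "uploader_role_arn" {
  value = module.uploader_aws_auth.role_arn
}
```

After apply, the irsa-check pod's log should show an assumed-role ARN derived from the module's role_arn output, confirming that the SDK found the credentials without any access keys in the pod. Copying that pod's service account token to a machine outside the cluster and the listed IP would not yield credentials, which is the property the allow list provides.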