Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A closer look at new ways to manage access - EK...

A closer look at new ways to manage access - EKS Pod Identiy and S3 Access Grant

Ben Bridts

January 23, 2024
Tweet

More Decks by Ben Bridts

Other Decks in Technology

Transcript

  1. A closer look at new ways to manage access EKS

    Pod Identity and S3 Access Grant
  2. IAM Roles for Service Accounts (IRSA) Role OIDC Provider EKS

    Cluster OIDC Provider IAM Temporary security credential OIDC token
  3. IRSA: Configuration EKS Cluster Role OIDC Provider EKS Cluster OIDC

    Provider Role Role { "Effect": "Allow", "Principal": { "Federated": "$oidc_provider_arn" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "$oicd_provider_id:sub": "system:serviceaccount:$namespace:$service_account", "$oicd_provider_id:aud": "sts.amazonaws.com" } } }
  4. IRSA: Configuration EKS Cluster Role OIDC Provider EKS Cluster OIDC

    Provider Role Role { "Effect": "Allow", "Principal": { "Federated": "$oidc_provider_arn" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "$oicd_provider_id:sub": "system:serviceaccount:$namespace:$service_account", "$oicd_provider_id:aud": "sts.amazonaws.com" } } }
  5. IRSA: Configuration EKS Cluster Role OIDC Provider EKS Cluster OIDC

    Provider Role Role ~$ kubectl describe serviceaccount $service_account –n $namespace Name: $service_account Namespace: $namespace Annotations: eks.amazonaws.com/role-arn: $role_arn
  6. IRSA: Configuration EKS Cluster Role OIDC Provider EKS Cluster OIDC

    Provider Role Role ~$ kubectl describe serviceaccount $service_account –n $namespace Name: $service_account Namespace: $namespace Annotations: eks.amazonaws.com/role-arn: $role_arn
  7. IRSA: Configuration EKS Cluster Role OIDC Provider EKS Cluster OIDC

    Provider Role Role { "Effect": "Allow", "Principal": { "Federated": "$oidc_provider_arn" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "$oicd_provider_id:sub": "system:serviceaccount:$namespace:$service_account", "$oicd_provider_id:aud": "sts.amazonaws.com" } } } ~$ kubectl describe serviceaccount $service_account –n $namespace Name: $service_account Namespace: $namespace Annotations: eks.amazonaws.com/role-arn: $role_arn
  8. IAM Roles for Service Accounts (IRSA) • Roles are hard

    to reuse • Trust policy tied to OIDC Provider and Cluster • Limited trust policy size (~ 4-8 trust relationships) • No ABAC (session tags) to identify Cluster, Namespace, Pod • OIDC setup is complex • Might be managed by a different team • Works everywhere • EKS, EKS Anywhere, OpenShift, self-managed
  9. EKS Pod Identities Role EKS Cluster IAM Temporary security credential

    Node Role EKS Auth Pod Identity Temporary security credential Service Account token
  10. EKS Pod Identities: Configuration EKS Cluster Role EKS Cluster Role

    Role EKS Auth { "Effect": "Allow", "Principal": { "Service": "pods.eks.amazonaws.com" }, "Action": [ "sts:AssumeRole", "sts:TagSession" ] }
  11. EKS Pod Identities: Configuration EKS Cluster Role EKS Cluster Role

    Role EKS Auth { "Effect": "Allow", "Principal": { "Service": "pods.eks.amazonaws.com" }, "Action": [ "sts:AssumeRole", "sts:TagSession" ] }
  12. EKS Pod Identities: Configuration EKS Cluster Role EKS Cluster Role

    Role EKS Auth ~$ kubectl describe serviceaccount $service_account –n $namespace Name: $service_account Namespace: $namespace
  13. EKS Pod Identities: Configuration EKS Cluster Role EKS Cluster Role

    Role EKS Auth ~$ kubectl describe serviceaccount $service_account –n $namespace Name: $service_account Namespace: $namespace
  14. EKS Pod Identities: Configuration EKS Cluster Role EKS Cluster Role

    Role EKS Auth ~$ aws eks create-pod-identity-association \ --cluster-name $cluster \ --role-arn $role_arn \ --namespace $namespace \ --service-account $service_account
  15. EKS Pod Identities: Configuration EKS Cluster Role EKS Cluster Role

    Role EKS Auth ~$ aws eks create-pod-identity-association \ --cluster-name $cluster \ --role-arn $role_arn \ --namespace $namespace \ --service-account $service_account
  16. EKS Pod Identities: Configuration EKS Cluster Role EKS Cluster Role

    Role EKS Auth { "Effect": "Allow", "Principal": { "Service": "pods.eks.amazonaws.com" }, "Action": [ "sts:AssumeRole", "sts:TagSession" ] } ~$ kubectl describe serviceaccount $service_account –n $namespace Name: $service_account Namespace: $namespace ~$ aws eks create-pod-identity-association \ --cluster-name $cluster \ --role-arn $role_arn \ --namespace $namespace \ --service-account $service_account
  17. EKS Pod Identities • Roles mappings are centrally configured •

    Roles can be reused between Service Accounts and Clusters • Policies can be written with ABAC (session tags) with variables for Cluster, Namespace, and Pod • Using IAM controls (iam:passRole and eks:*) • EKS Pod Identity Agent is required • Not supported with Fargate • Only on Linux on EC2 • Only within EKS, not cross-account • Cannot be used for EKS (managed) add-ons
  18. S3 Access Grants: Use Cases • Large Number of datasets

    or grantees • IAM Policy or S3 Bucket Policy limitations • Users/Groups instead of Intermediate Roles • Complex mappings and/or group memberships
  19. S3 Access Grants Users Users Users Users Users AWS IAM

    Identity Center IdP IAM User or Role Grant Location Temporary security credential S3 Access Grant Instance Bucket Amazon S3 Bucket Bucket Bucket Bucket
  20. S3 Access Grant Temporary security credential S3 Access Grant Instance

    Location Grant Grant Scope: s3:// Role: … Type: IAM Identifier: … Scope: s3://$bucket/$prefix/* Permission: READWRITE Type: IAM Identifier: … Scope: s3://$bucket/$prefix/* Permission: READWRITE Role Bucket Amazon S3 Bucket Bucket Bucket Bucket User Temporary security credential Permissions
  21. S3 Acces Grants: Role Policies { "Effect": "Allow", "Principal": {

    "Service": "access-grants.s3.amazonaws.com" }, "Action": [ "sts:AssumeRole", "sts:SetSourceIdentity", "sts:SetContext" ] } { "Effect":"Allow", "Resource": "arn:aws:s3:::*", "Condition":{ "StringEquals": { "aws:ResourceAccount": "$account_id” }, "ArnEquals": { "s3:AccessGrantsInstanceArn": "$instance_arn" } } } Trust Policy Identity / Role Policy
  22. Using S3 Access Grants ~$ aws s3control get-data-access \ --account-id

    $account_id \ --target s3://$bucket/$prefix/* \ --permission READ { "Credentials": { "AccessKeyId": "ASIACKCEVSQ6C2EXAMPLE", "SecretAccessKey": "...", "SessionToken": "...", "Expiration": "2023-11-07T17:34:37+00:00” }, "MatchedGrantTarget": "s3://$bucket/*” }
  23. Trusted Identity Propagation AWS IAM Identity Center IdP S3 Access

    Grant Instance Generic application Token Token Token Temporary security credential Amazon Athena User Identities
  24. S3 Access Grants • Advantages: • Think about users and

    groups • Propagates Source Identity to CloudTrail • Limited amount of Roles, easier policies • Disadvantages: • API call to request access • Different model than IAM policies (less convenient for applications) • Initial setup with IdPs can be complex • Extra request cost ($ 0,03 per 1000 requests)