
Creating a ServiceAccount in EKS and assigning it to a Pod

Published 2022/12/14

Creating the ServiceAccount

Create it with eksctl (this creates both the IAM role and the Kubernetes ServiceAccount, in the default namespace unless --namespace is given):

CLUSTER="test-cluster"
SA_NAME="eks-s3"
eksctl create iamserviceaccount \
  --name $SA_NAME \
  --cluster $CLUSTER \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess \
  --approve

Check

kubectl get sa -n default eks-s3

Output

NAME     SECRETS   AGE
eks-s3   0         33s

Inspect the ServiceAccount as YAML:

kubectl -n default get serviceaccounts eks-s3 -o yaml

An IAM role has been created and is linked to the ServiceAccount through the eks.amazonaws.com/role-arn annotation.

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::1111111111:role/eksctl-vamdemic-k8s-dev-eks-cluster-addon-iams-Role1-1K6R29JH112RY
  creationTimestamp: "2022-12-13T16:47:34Z"
  labels:
    app.kubernetes.io/managed-by: eksctl
  name: eks-s3
  namespace: default
  resourceVersion: "27527187"
  uid: 69059592-9c5a-418e-be39-3d66892badbf
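The role referenced by that annotation is only as tightly scoped as its trust policy: for IRSA the policy should pin the OIDC `sub` claim to exactly this namespace and ServiceAccount and the `aud` claim to sts.amazonaws.com, otherwise other pods in the cluster could assume the role. The following check is an added example, not code from the original post or from eksctl; the OIDC provider id, account id and trust-policy document are constructed placeholders in the shape eksctl produces.

```python
import json

# Constructed sample: an IRSA trust policy as eksctl would attach to the role.
# The OIDC provider id and account id are placeholders, not real values.
OIDC = "oidc.eks.ap-northeast-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::1111111111:oidc-provider/%s"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "%s:aud": "sts.amazonaws.com",
      "%s:sub": "system:serviceaccount:default:eks-s3"
    }}
  }]
}""" % (OIDC, OIDC, OIDC))


def irsa_trust_findings(policy, oidc, namespace, sa_name):
    """Return a list of problems in an IRSA role trust policy.

    An empty list means every Allow statement for AssumeRoleWithWebIdentity
    is pinned to exactly namespace/sa_name and to the STS audience."""
    findings = []
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = st.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        # Accept the sub pin from either operator; a wildcard in StringLike or a
        # multi-value list will fail the exact comparison below and be reported.
        sub = equals.get(f"{oidc}:sub", like.get(f"{oidc}:sub"))
        if isinstance(sub, list) and len(sub) == 1:
            sub = sub[0]
        aud = equals.get(f"{oidc}:aud")
        if sub is None:
            findings.append(f"statement {i}: no {oidc}:sub condition; "
                            "any pod in the cluster could assume the role")
        elif sub != expected_sub:
            findings.append(f"statement {i}: sub is {sub!r}, expected {expected_sub!r}")
        if aud != "sts.amazonaws.com":
            findings.append(f"statement {i}: aud is {aud!r}, expected 'sts.amazonaws.com'")
    return findings
```

Run it against the real document from `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument` (parsed with json.loads) with the namespace and name from the ServiceAccount above.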

Create a Pod for verification

apiVersion: v1
kind: Pod
metadata:
  name: awscli
  labels:
    app: awscli
spec:
  serviceAccountName: eks-s3 # the ServiceAccount created above
  containers:
  - image: amazon/aws-cli
    command:
      - "sleep"
      - "604800"
    imagePullPolicy: IfNotPresent
    name: awscli
  restartPolicy: Always

Save the manifest as test.yaml and apply it:

kubectl apply -f test.yaml

Confirm that the Pod can access S3

kubectl exec awscli -- aws s3 ls

References

https://zenn.dev/ohsawa0515/articles/gcp-workload-identity-federation
https://aws.amazon.com/jp/blogs/news/introducing-fine-grained-iam-roles-service-accounts/
