- Amazon
- AWS
- IAM
- Kubernetes
- Zero-trust
- IBAC
Otterize launches open-source, declarative IAM permissions for workloads on AWS EKS clusters
Simplify your AWS IAM role and policy management for Kubernetes ServiceAccounts with the open-source intents-operator and credentials-operator, leveraging the power of IBAC (intents-based access control) to streamline the process and eliminate the tedious manual steps.
Written By
Ori ShoshanPublished Date
Nov 28 2023Read Time
2 minutes
In this Article
Know that pesky workflow of creating AWS IAM roles and policies, and binding them to Kubernetes ServiceAccounts, just for your pods to be able to access resources on AWS?
Using AWS IRSA, supported on EKS since version 1.14, it is possible to bind service accounts to AWS IAM roles. But that leaves a lot to be desired: managing these resources and their lifecycle, outside of Kubernetes can be a pain.
Youâve gotta create an AWS role, establish a trust relationship with a Kubernetes ServiceAccount through an OIDC provider, grab the roleâs ARN and annotate the ServiceAccount, then finally create an IAM policy. Need to have multiple deployments, versions, upgrades, rollbacks? Better get to work.
No more! The open-source intents-operator and credentials-operator enable you to achieve the same, except without all that work: do it all from Kubernetes, declaratively, and just-in-time, through the magic of IBAC (intent-based access control).
How does it work?
Step 1: Label a pod, requesting an AWS IAM role to be created and bound to the ServiceAccount.
Label a pod with this label:
"credentials-operator.otterize.com/create-aws-role": "true"
This creates a matching IAM role, for this specific workload in this namespace in this cluster, that is not shared with other workloads, with the trust relationship set up for your clusterâs OIDC provider.
Step 2: Declare your workloadâs ClientIntents, specifying desired permissions.
apiVersion: k8s.otterize.com/v1alpha3
kind: ClientIntents
metadata:
name: workload
spec:
service:
name: workload
calls:
- name: arn:aws:s3:::otterize-tutorial-bucket-*/*
type: aws
awsActions:
- 's3:PutObject'
This creates an IAM policy and associates it with the previously created role.
Step 3: Done! Your workload can access AWS resources. AWS will be kept in sync with the cluster state, as you update your Pods and ClientIntents.
Wanna try it out for real? Check out the AWS IAM tutorial.
Wondering what are ClientIntents? Read more about IBAC, intents-based access control.
Can I also map my clusterâs traffic and AWS API calls?
Yep! When you deploy Otterize, you get a map of your clusterâs traffic, with zero-configuration, through the open-source network-mapper.
Coming soon: capture AWS API calls for pods in your cluster, automatically generating the required least-privilege permissions, or ClientIntents, for each workload. Zero-friction in development, zero-trust in production. Itâs coming.
In this Article
Like this article?
Sign up for newsletter updates
- Kubernetes
Scheduler vs. API Proxy: Balancing Kubernetes data-plane and control-plane for optimal Zero-Trust IAM security with Otterize
Discover how to automate zero-trust IAM security for EKS applications and AWS resources using AWS Controllers for Kubernetes (ACK) and Otterize.
- Kubernetes
First Person Platform Episode 2 - Andrew Moore on Uber Workload Identity and Authorization
The second episode of First Person Platform, a podcast: platform engineers nerd out with Ori Shoshan on access controls, Kubernetes, and platform engineering.
- Network Policy
Network policies are not the right abstraction (for developers)
We explore the limitations of relying solely on Kubernetes network policies as a solution for achieving zero-trust between pods, identifying multiple flaws that hinder their effectiveness in meeting the demands of real-world use cases, particularly when prioritizing developer experience in a Kubernetes-based platform.