This repository contains resources and documentation for enabling cross-account access from an Amazon Elastic Kubernetes Service (EKS) cluster to an Amazon S3 bucket in a different AWS account.
When you have an EKS cluster running in one AWS account and an S3 bucket residing in another AWS account, you may need to grant the EKS cluster access to the S3 bucket. This repository provides guidance and resources to set up cross-account access from the EKS cluster to the S3 bucket securely.
Before proceeding, ensure you have the following:
- An Amazon EKS cluster set up in one AWS account.
- An Amazon S3 bucket set up in a different AWS account.
- AWS IAM permissions to create IAM roles and policies in both AWS accounts.
- Kubernetes cluster access and the necessary permissions to create service accounts and roles.
To enable cross-account access from your EKS cluster to the S3 bucket, follow these steps:
- Fetch the CI account cluster's OIDC issuer URL:

```shell
aws eks describe-cluster --name development-cluster --query "cluster.identity.oidc.issuer" --output text
```
- Create an OIDC provider for the cluster in the CI account

Navigate to the IAM console in the CI account, choose Identity Providers, and then select Create provider. Select OpenID Connect for the provider type and paste the OIDC issuer URL for your cluster as the provider URL. Enter
- Configuring the CI account: IAM role and policy permissions

Create an IAM role in the CI account, ci-account-iam-role, with a trust relationship to the cluster's OIDC provider, and restrict who can assume it by specifying the namespace and service account. In this case, I am specifying ci-namespace and ci-serviceaccount for the namespace and service account respectively. Replace OIDC_PROVIDER with the provider URL saved in the previous step.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::CI_ACCOUNT_ID:oidc-provider/OIDC_PROVIDER"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "OIDC_PROVIDER:sub": "system:serviceaccount:ci-namespace:ci-serviceaccount"
        }
      }
    }
  ]
}
```
Attach the following S3 policy to the role so it can access the S3 bucket in the other account:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::BucketName"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::BucketName/*"
      ]
    }
  ]
}
```
For detailed instructions and example configurations, refer to the instructions document. In Kubernetes, you associate an IAM role with a service account in your cluster by adding the eks.amazonaws.com/role-arn annotation to the service account. In other words, annotate the service account in the CI account cluster with the role ARN, as shown below:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-serviceaccount
  namespace: ci-namespace
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::CI_ACCOUNT_ID:role/ci-account-iam-role
```
- Target AWS account S3 bucket policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::CI_ACCOUNT_ID:role/ci-account-iam-role"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::BucketName",
        "arn:aws:s3:::BucketName/*"
      ]
    }
  ]
}
```
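As an added check that is not part of this repository, the following Python script loads the three documents above (with constructed placeholder values in place of CI_ACCOUNT_ID, OIDC_PROVIDER and BucketName) and verifies that the chain lines up: the trust policy pins the sub claim to the annotated service account, the bucket policy grants exactly the annotated role, and every resource stays inside the bucket. It also flags the absence of an `OIDC_PROVIDER:aud` = `sts.amazonaws.com` condition, which AWS recommends for IRSA trust policies and which the policy above does not set; the account ID and provider ID are placeholders.

```python
"""Consistency check for the cross-account chain above (added example, constructed documents)."""
# Constructed placeholders standing in for CI_ACCOUNT_ID, OIDC_PROVIDER, BucketName.
CI_ACCOUNT_ID = "111111111111"
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE1234567890ABCDEF"  # issuer URL minus https://
BUCKET = "BucketName"
ROLE_ARN = f"arn:aws:iam::{CI_ACCOUNT_ID}:role/ci-account-iam-role"

# The three documents from the page, with placeholders filled in.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": f"arn:aws:iam::{CI_ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"},
    "Condition": {"StringEquals": {
        f"{OIDC_PROVIDER}:sub": "system:serviceaccount:ci-namespace:ci-serviceaccount"}}}]}
SERVICE_ACCOUNT = {"metadata": {  # the ServiceAccount manifest as a YAML loader returns it
    "name": "ci-serviceaccount", "namespace": "ci-namespace",
    "annotations": {"eks.amazonaws.com/role-arn": ROLE_ARN}}}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
    "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def check_chain(trust, sa, bucket_policy, provider, bucket):
    """Return a list of findings; an empty list means every link lines up."""
    findings = []
    meta = sa["metadata"]
    role_arn = meta.get("annotations", {}).get("eks.amazonaws.com/role-arn")
    expected_sub = f"system:serviceaccount:{meta['namespace']}:{meta['name']}"
    for st in trust["Statement"]:
        if "sts:AssumeRoleWithWebIdentity" not in as_list(st.get("Action")):
            continue
        if not st["Principal"].get("Federated", "").endswith(f":oidc-provider/{provider}"):
            findings.append("trust policy principal is not the cluster's OIDC provider")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get(f"{provider}:sub") != expected_sub:
            findings.append(f"trust policy does not pin sub to {expected_sub}")
        if cond.get(f"{provider}:aud") != "sts.amazonaws.com":  # recommended by AWS for IRSA
            findings.append("trust policy has no aud=sts.amazonaws.com condition")
    # Every Allow principal in the bucket policy must include the annotated role, not a wildcard.
    principals = [p for st in bucket_policy["Statement"] if st.get("Effect") == "Allow"
                  for p in as_list(st.get("Principal", {}).get("AWS", []))]
    if role_arn not in principals:
        findings.append("bucket policy does not grant the annotated role")
    for st in bucket_policy["Statement"]:
        for arn in as_list(st.get("Resource", [])):
            if arn not in (f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"):
                findings.append(f"bucket policy resource {arn} is outside {bucket}")
    return findings
```

Run against the page's documents it reports exactly one finding, the missing aud condition; pointing the service account at another namespace, or widening the bucket policy principal to `*`, adds a finding for that link.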
Contributions to this repository are welcome! If you have any suggestions, improvements, or additional examples, feel free to open an issue or pull request.
This project is licensed under the MIT License.