2024-09-25 Hünkar Döner

IAM Role Configuration for EKS and RBAC Comparison

AWS, EKS, IAM, RBAC, Security

IAM Role Configuration for EKS and RBAC

One of the most confusing parts of Amazon EKS security is how Authentication and Authorization mechanisms work. This is because EKS sits at the intersection of two different worlds: AWS IAM and Kubernetes RBAC.

In this article, we will examine how these two systems work in an integrated manner and how to establish a secure access architecture.

AWS IAM vs Kubernetes RBAC: What is the Difference?

  • AWS IAM (Identity and Access Management): Answers the question "WHO?" (Authentication). It verifies the identity of the user or service calling your AWS account.
  • Kubernetes RBAC (Role-Based Access Control): Answers the question "WHAT CAN THEY DO?" (Authorization). It determines which pods a user who has entered the cluster may see or delete.

The process in EKS works as follows:

  1. The user runs a kubectl command.
  2. AWS IAM verifies the user's identity and issues a token.
  3. EKS takes this identity and checks RBAC rules to see "Can this user list pods?".

How to Configure EKS Access Management?

1. Cluster Access

Previously, you had to manually edit a ConfigMap named aws-auth in the kube-system namespace. This was very error-prone. Now, with the EKS Access Entries API, you can map IAM users or roles to the cluster directly from the EKS console or via Terraform.

Example Scenario:

  • Admin Role: Full access. Mapped to the cluster-admin RBAC group.
  • Developer Role: Can only see their own namespace. Mapped to edit or a custom RBAC role.
  • Viewer Role: Read-only. Mapped to the view role.
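The three roles in the scenario above, expressed with EKS Access Entries, as an added Terraform example that is not part of the original article. It assumes the aws and kubernetes providers are already configured against a cluster named demo-eks, and uses placeholder IAM role ARNs, a placeholder account id and a namespace named team-a. Admin and Viewer are mapped to the AWS-managed access policies; Developer is mapped to a Kubernetes group that a RoleBinding ties to a custom Role inside the team namespace, which is the "custom RBAC role" variant of the scenario.

```hcl
# Added example, not the article's code. Names below are assumptions.
locals {
  cluster_name = "demo-eks"                     # assumed cluster name
  account_id   = "123456789012"                 # placeholder account id
  admin_role   = "arn:aws:iam::${local.account_id}:role/eks-admin"
  dev_role     = "arn:aws:iam::${local.account_id}:role/eks-developer"
  viewer_role  = "arn:aws:iam::${local.account_id}:role/eks-viewer"
  team_ns      = "team-a"                       # assumed developer namespace
}

# Admin Role: full access, cluster-wide, via the managed cluster-admin policy.
resource "aws_eks_access_entry" "admin" {
  cluster_name  = local.cluster_name
  principal_arn = local.admin_role
  type          = "STANDARD"
}

resource "aws_eks_access_policy_association" "admin" {
  cluster_name  = local.cluster_name
  principal_arn = local.admin_role
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
  access_scope {
    type = "cluster"
  }
}

# Viewer Role: read-only, cluster-wide, via the managed view policy.
resource "aws_eks_access_entry" "viewer" {
  cluster_name  = local.cluster_name
  principal_arn = local.viewer_role
  type          = "STANDARD"
}

resource "aws_eks_access_policy_association" "viewer" {
  cluster_name  = local.cluster_name
  principal_arn = local.viewer_role
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
  access_scope {
    type = "cluster"
  }
}

# Developer Role: no AWS access policy. The IAM role is mapped to a Kubernetes
# group, and plain RBAC decides what that group may do, only in its namespace.
resource "aws_eks_access_entry" "developer" {
  cluster_name      = local.cluster_name
  principal_arn     = local.dev_role
  kubernetes_groups = ["team-a-developers"]
  type              = "STANDARD"
}

# Custom Role: day-to-day workload operations, scoped to the team namespace.
resource "kubernetes_role" "developer" {
  metadata {
    name      = "developer"
    namespace = local.team_ns
  }
  rule {
    api_groups = ["", "apps"]
    resources  = ["pods", "pods/log", "services", "configmaps", "deployments"]
    verbs      = ["get", "list", "watch", "create", "update", "patch", "delete"]
  }
}

# The binding is what actually grants the group the Role's permissions.
resource "kubernetes_role_binding" "developer" {
  metadata {
    name      = "developer"
    namespace = local.team_ns
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.developer.metadata[0].name
  }
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "team-a-developers"
  }
}
```

The alternative the scenario mentions, mapping the Developer role to edit, is the same aws_eks_access_policy_association pattern with AmazonEKSEditPolicy and an access_scope of type "namespace" listing ["team-a"]; what is shown above is the custom-Role variant. To check the result while authenticated as the developer role, kubectl auth can-i list pods --namespace team-a should answer yes and the same question against kube-system should answer no.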

2. Pod AWS Access (IRSA)

If your pods need to read files from S3 or write to DynamoDB, never grant that access through the IAM role of the Nodes (EC2 instances): every pod scheduled on the node would inherit it. Use IAM Roles for Service Accounts (IRSA) instead.

How Does IRSA Work?

  1. Create an IAM Role in AWS (e.g., S3ReadOnly).
  2. Create a Service Account in Kubernetes and add this role's ARN with the eks.amazonaws.com/role-arn annotation.
  3. Launch your Pod with this Service Account.
  4. The AWS SDK inside the Pod exchanges the projected Service Account token for temporary credentials (STS) and accesses S3 with them.
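The four IRSA steps above wired together, as an added Terraform example that is not part of the original article. It assumes a cluster named demo-eks whose OIDC provider is already registered in IAM, a namespace team-a, a service account named s3-reader and a placeholder bucket named example-reports; the role name S3ReadOnly is the one from step 1. The point a practitioner should take from it is the trust policy: the role is assumable only by the token of exactly this service account, not by every pod in the cluster.

```hcl
# Added example, not the article's code. Cluster, namespace, service account
# and bucket names are assumptions.
data "aws_eks_cluster" "this" {
  name = "demo-eks"
}

# The IAM OIDC provider for the cluster is assumed to exist already
# (otherwise create it with aws_iam_openid_connect_provider).
data "aws_iam_openid_connect_provider" "eks" {
  url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
}

locals {
  oidc_host = replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "")
  namespace = "team-a"
  sa_name   = "s3-reader"
  bucket    = "example-reports"   # placeholder bucket name
}

# Step 1 (trust): only the web-identity token whose subject is this exact
# service account, issued for the STS audience, may assume the role.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.eks.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:sub"
      values   = ["system:serviceaccount:${local.namespace}:${local.sa_name}"]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "s3_read_only" {
  name               = "S3ReadOnly"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Step 1 (permissions): read a single bucket, nothing else.
data "aws_iam_policy_document" "s3_read" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${local.bucket}/*"]
  }
  statement {
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${local.bucket}"]
  }
}

resource "aws_iam_role_policy" "s3_read" {
  role   = aws_iam_role.s3_read_only.id
  policy = data.aws_iam_policy_document.s3_read.json
}

# Step 2: the Service Account carries the role ARN in the IRSA annotation.
resource "kubernetes_service_account" "s3_reader" {
  metadata {
    name      = local.sa_name
    namespace = local.namespace
    annotations = {
      "eks.amazonaws.com/role-arn" = aws_iam_role.s3_read_only.arn
    }
  }
}

# Steps 3 and 4: the Pod runs under that Service Account. EKS injects the
# projected token and AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE into the
# container, and the AWS CLI (built on the SDK) exchanges them for
# temporary STS credentials. No node role is involved.
resource "kubernetes_pod" "reader" {
  metadata {
    name      = "s3-reader"
    namespace = local.namespace
  }
  spec {
    service_account_name = kubernetes_service_account.s3_reader.metadata[0].name
    container {
      name    = "cli"
      image   = "amazon/aws-cli:latest"
      command = ["aws", "s3", "ls", "s3://${local.bucket}/"]
    }
  }
}
```

Two things are worth verifying after apply: kubectl exec into the pod and run aws sts get-caller-identity, which should report the S3ReadOnly role and not the node's instance role; and confirm that a pod using the default service account in the same namespace cannot assume the role, which is what the sub condition in the trust policy enforces.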

This method is the basis of the "Least Privilege" principle and is applied as standard in our AWS Consultancy projects.

Summary

For EKS security, you must think of IAM and RBAC as a whole. Using IAM for authentication, RBAC for in-cluster authorization, and IRSA for pod authorization is the correct strategy.