Question 18237 in Amazon Web Sevices Question posted in
The official Amazon Web Services documentation can be found here.

EKS Pod with Multiple IAM Roles – Amazon Web Sevices

Is it possible for a pod to assume multiple IAM roles?
Its definitely possible to dynamically switch the env variable AWS_ROLE_ARN value.
But do we have a straight approach to support multiple at a time?

like,

AWS_ROLE_ARN: test
AWS_ROLE_ARN2: test-2
Tags:

2

Answers


  1. 0

    As you can read in the documentation, IAM roles for pods are working like instance profile for EC2. So you can’t use easily 2 roles at the same time.

    Source : https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

    Login or Signup to reply.
  2. 0

    You can’t assign two Roles to your Pod. However, your Pod can assume different Roles if it needs to change its permissions at run-time.

    For instance:

    1. Create two Roles, ProducerRole and ConsumerRole, with appropriate permissions and the following trust policy:

      {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account-id>:role:PodRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

    2. Create a third Role, PodRole, with the following permission policy:

      {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::<account-id>:role:ProducerRole",
        "arn:aws:iam::<account-id>:role:ConsumerRole"
      ]
    }
  ]
}

      and the following trust policy:

      {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

      Also give this role whatever other basic permissions its needs to be your Pod role.

    3. Configure your EKS Pod to use PodRole.

    4. Inside your EKS Pod, assume either ProducerRole or ConsumerRole, depending on which set of permissions you need at the time.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search