Introduction
EKS Pod Identity is now GA. It is a simpler method than IAM roles for service accounts (IRSA) because it does not use an OIDC identity provider: the IAM role's trust policy trusts the EKS service principal pods.eks.amazonaws.com instead, so IAM roles no longer need to reference an OIDC provider.
The aim of this solution is to allow:
Least privilege - IAM permissions are scoped to a service account, and only pods that use that service account receive them. This also eliminates the need for third-party solutions such as kiam or kube2iam.
Credential isolation - A pod's containers can only retrieve credentials for the IAM role associated with the service account the container uses; a container cannot obtain credentials intended for another pod's service account.
Auditability - Access and event logging is available through AWS CloudTrail.
idea
AWS EKS reference architecture should leverage EKS Pod Identity, providing a simpler method than alternative solutions like IAM roles for service accounts.
Implementation
Removing the OIDC provider from cluster provisioning
With the release of EKS Pod Identity, the eksctl ClusterConfig setting that creates an IAM OIDC provider for the cluster (needed only for IRSA) is no longer required:
    iam:
      withOIDC: true
EKS Pod Identity is implemented by the eks-pod-identity-agent add-on (a DaemonSet that serves credentials to pods on each node), installed either directly with eksctl or through Terraform. With eksctl:
    eksctl create addon --cluster my-cluster --name eks-pod-identity-agent
Associate each service account with an appropriately scoped IAM role through an EKS Pod Identity association. Unlike IRSA, the service account needs no eks.amazonaws.com/role-arn annotation: the mapping from cluster, namespace and service account to the role is held in the association itself.
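The implementation steps above (install the agent add-on, create a role trusted by the EKS service principal, associate it with a service account that carries no annotation, then verify from a pod) as one end-to-end script. This is an added example, not code from the original page or from AWS. The cluster name my-cluster, the region, account ID, namespace, service account, role name and policy ARN are placeholders; the aws:SourceAccount/aws:SourceArn condition is an optional confused-deputy scoping of the trust policy to a single cluster. Every aws, eksctl and kubectl call goes through a run wrapper that only prints the command unless DRY_RUN=0, so the script can be read and dry-run without an AWS account.

```shell
#!/bin/sh
# Added example (not from the original page or from AWS): provision EKS Pod
# Identity end to end. All names below are placeholders.
set -eu

CLUSTER="${CLUSTER:-my-cluster}"
REGION="${REGION:-eu-west-1}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"      # placeholder account
NAMESPACE="${NAMESPACE:-app}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-app-sa}"
ROLE_NAME="${ROLE_NAME:-app-pod-identity-role}"
POLICY_ARN="${POLICY_ARN:-arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess}"
DRY_RUN="${DRY_RUN:-1}"                       # set DRY_RUN=0 to really run
WORKDIR="$(mktemp -d)"

# Print the command instead of running it unless DRY_RUN=0.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'DRY RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Trust policy for Pod Identity: the EKS service principal assumes the role
# (sts:TagSession lets EKS tag the session with cluster, namespace and service
# account). No OIDC provider appears anywhere. The optional Condition limits
# assumption to this account and cluster (confused-deputy guard).
pod_identity_trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "pods.eks.amazonaws.com" },
      "Action": [ "sts:AssumeRole", "sts:TagSession" ],
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "$ACCOUNT_ID" },
        "ArnEquals": { "aws:SourceArn": "arn:aws:eks:$REGION:$ACCOUNT_ID:cluster/$CLUSTER" }
      }
    }
  ]
}
EOF
}

# Plain service account: no eks.amazonaws.com/role-arn annotation. The role
# binding lives in the Pod Identity association, not in the manifest.
service_account_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $SERVICE_ACCOUNT
  namespace: $NAMESPACE
EOF
}

# 1. Agent add-on (a DaemonSet that serves credentials to pods on each node).
install_agent() {
  run eksctl create addon --cluster "$CLUSTER" --region "$REGION" --name eks-pod-identity-agent
}

# 2. Role trusted by pods.eks.amazonaws.com with a least-privilege policy attached.
create_role() {
  pod_identity_trust_policy > "$WORKDIR/trust.json"
  run aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "file://$WORKDIR/trust.json"
  run aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
}

# 3. Association: (cluster, namespace, service account) -> role.
create_association() {
  service_account_manifest > "$WORKDIR/sa.yaml"
  run kubectl apply -f "$WORKDIR/sa.yaml"
  run aws eks create-pod-identity-association \
    --cluster-name "$CLUSTER" --region "$REGION" \
    --namespace "$NAMESPACE" --service-account "$SERVICE_ACCOUNT" \
    --role-arn "arn:aws:iam::$ACCOUNT_ID:role/$ROLE_NAME"
}

# 4. Verify: list associations, then call STS from a pod that uses the service
# account. The EKS webhook injects AWS_CONTAINER_CREDENTIAL_FULL_URI and
# AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE, so the SDK picks the role up with no
# configuration; the Arn in the output should name ROLE_NAME.
verify() {
  run aws eks list-pod-identity-associations --cluster-name "$CLUSTER" --region "$REGION"
  run kubectl -n "$NAMESPACE" run pi-check --rm -i --restart=Never \
    --image=public.ecr.aws/aws-cli/aws-cli \
    --overrides="{\"spec\":{\"serviceAccountName\":\"$SERVICE_ACCOUNT\"}}" \
    -- sts get-caller-identity
}

install_agent
create_role
create_association
verify
```

Run it once as-is to review the commands it would issue, then with DRY_RUN=0 (and real values for ACCOUNT_ID, REGION and CLUSTER) to apply them. The point to check in the output of the last step is that get-caller-identity reports the Pod Identity role, obtained without any annotation on the service account and without an OIDC provider on the cluster.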