Before you configure the cluster and run the operator, decide on the EKS namespace and the Kubernetes service account to which the policy applies and in which the secret rotator operator runs. The IAM trust policy created below is bound to exactly this namespace/service account pair, so choose them before creating any AWS resources.
Run the following commands to export the names of the namespace and service account for use in the procedure.
export NAMESPACE=<namespace where the passwordless access is to be configured>
export SERVICE_ACCOUNT_NAME=<service account where the passwordless access is to be configured>
Run the following command to get the OIDC provider of the EKS cluster (the cluster's OIDC issuer URL with the https:// prefix removed).
oidc_provider=$(aws eks describe-cluster --name <EKS cluster name> --region <EKS region> --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
Run the following command to get the AWS account ID that owns the EKS cluster.
account_id=$(aws sts get-caller-identity --query "Account" --output text)
Create the trust-relationship.json file with the following contents.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account id>:oidc-provider/<OIDC provider>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "<OIDC provider>:aud": "sts.amazonaws.com",
          "<OIDC provider>:sub": "system:serviceaccount:<namespace>:<service account>"
        }
      }
    }
  ]
}
You must enter the actual values of account id, OIDC provider, namespace and service account in the JSON file, not the shell variable names: the file is passed to IAM as-is and is not expanded by the shell. The aud and sub conditions are what restrict the role to tokens issued for this one service account; do not loosen them to wildcards.
Run the following command to create the IAM role.
aws iam create-role --role-name <IAM role name> --assume-role-policy-document file://trust-relationship.json --description "my-role-description" --max-session-duration <token expiration in seconds>
The value of max-session-duration must be between 3600 seconds (1 hour) and 43200 seconds (12 hours); IAM rejects values outside that range.
Create a policy JSON file that grants only sts:GetCallerIdentity and iam:GetRole on the role itself.
my-policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:GetCallerIdentity",
      "Resource": "*"
    },
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": ["iam:GetRole"],
      "Resource": ["<ARN of the IAM role>"]
    }
  ]
}
Set the resource of the iam:GetRole statement to the ARN of the IAM role you created: arn:aws:iam::<your account number>:role/<IAM role name that you created>. Note that sts:GetCallerIdentity does not support resource-level permissions (its resource must be "*"), and AWS requires no permission to call it at all; the statement documents intent, while the iam:GetRole statement is the one that is actually scoped to the role.
Run the following command to create the AWS policy.
aws iam create-policy --policy-name my-policy --policy-document file://my-policy.json
Run the following command to attach the policy to the IAM role (use the policy name from the previous step, my-policy above).
aws iam attach-role-policy --role-name <IAM role name> --policy-arn arn:aws:iam::$account_id:policy/<policy name>
Create an OpenID Connect (OIDC) identity provider in IAM for the cluster if one does not already exist. Note that aws iam create-role rejects a trust policy whose Federated principal does not exist, so if the provider is missing, create it before creating the role above.
In the IAM console, enter the cluster's issuer URL (https:// followed by the value of $oidc_provider) as the Provider URL and sts.amazonaws.com as the Audience. Ensure that you click Get thumbprint when you create the OIDC identity provider, otherwise IAM will not trust the issuer's certificate chain.
Equivalently, from the command line: eksctl utils associate-iam-oidc-provider --cluster <EKS cluster name> --region <EKS region> --approve