Skip to main content

Accessing AWS APIs and resources from your namespace

If you’ve created an AWS resource in your namespace and need to access it, you will need to use IAM roles for service accounts (IRSA) and attach the service account to your pod which runs your container image.

This provides your pod with access to the resources, either through the AWS CLI or AWS SDK in your application.

Requirements

To use IAM roles for service accounts, you must use a supported version of the AWS SDK in your application or the AWS CLI.

The minimum supported AWS SDK and CLI versions are:

SDK Minimum version
AWS CLI 1.16.232
Go 1.23.13
Java (version 1) 1.11.704
Java (version 2) 2.10.11
.NET* 3.3.659.1
Node (version 2) 2.525.0
Node (version 3) 3.27.0
PHP 3.110.7
Python (boto3) 1.9.220
Python (botocore) 1.12.200
Ruby 3.58.0

*For .NET, you must also include AWSSDK.SecurityToken.

If your application is using a supported version, you can follow the guide below.

Using IRSA in your namespace

To use IRSA in your namespace, you need to:

  • set up the IRSA module, which creates a service account for you
  • configure the policy ARNs you want to attach to the service account
  • attach the service account to your pods

To do this, complete the following three steps:

  1. Raise and merge a PR that configures cloud-platform-terraform-irsa in your namespace:

    module "irsa" {
      source = "github.com/ministryofjustice/cloud-platform-terraform-irsa?ref=2.0.0"
    
      # EKS configuration
      eks_cluster_name = var.eks_cluster_name
    
      # IRSA configuration
      service_account_name = "example-name"
      namespace            = var.namespace # this is also used as a tag
    
      # Attach the appropriate policies using a key => value map
      # If you're using Cloud Platform provided modules (e.g. SNS, S3), these
      # provide an output called `irsa_policy_arn` that can be used.
      role_policy_arns = {
        ...
        s3  = module.s3.irsa_policy_arn
        dms = module.dms.irsa_policy_arn
        sqs = module.sqs.irsa_policy_arn
        ...
      }
    
      # Tags
      business_unit          = var.business_unit
      application            = var.application
      is_production          = var.is_production
      team_name              = var.team_name
      environment_name       = var.environment
      infrastructure_support = var.infrastructure_support
    }
    

    As soon as this PR is merged, a service account will be created for you to use.

  2. Update your Kubernetes manifest to set the service account in your deployment:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: example
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: example
      template:
        metadata:
          labels:
            app: example
        spec:
          serviceAccountName: example-name # use the service_account_name you set in step 1 here
          containers:
          - name: example
    ...
    
  3. Redeploy your service

    Once you redeploy your service, your pods should have the service account attached.

    You can test this by describing a pod:

    $ kubectl describe pod $pod -n $namespace | grep "AWS_"
    
    AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    AWS_ROLE_ARN:                arn:aws:iam::000000000000:role/cloud-platform-irsa-000000000-live
    

    After you’ve confirmed these environment variables exist, you’re ready to start using IRSA and accessing AWS APIs and resources from the application running in your pod.

    If you’re using an up-to-date version of the AWS SDK, you should not need any further configuration.

    If you use a custom credential provider with the AWS SDK, you should refer to the AWS SDK guides to implement AssumeRoleWithWebIdentity as a credential provider.

This page was last reviewed on 3 September 2024. It needs to be reviewed again on 3 March 2025 by the page owner #cloud-platform .
This page was set to be reviewed before 3 March 2025 by the page owner #cloud-platform. This might mean the content is out of date.