Use Amazon Secrets and Configuration Provider CSI with Pod Identity for Amazon EKS
The Amazon Secrets and Configuration Provider integration with the Pod Identity Agent for Amazon Elastic Kubernetes Service provides enhanced security, simplified configuration, and improved performance for applications running on Amazon EKS. Pod Identity simplifies Amazon Identity and Access Management (IAM) authentication for Amazon EKS when retrieving parameters from Amazon Systems Manager Parameter Store or secrets from Secrets Manager.
Amazon EKS Pod Identity streamlines the process of configuring IAM permissions for Kubernetes applications by allowing permissions to be set up directly through Amazon EKS interfaces, reducing the number of steps and eliminating the need to switch between Amazon EKS and IAM services. Pod Identity enables the use of a single IAM role across multiple clusters without updating trust policies and supports role session tags for more granular access control. This approach not only simplifies policy management by allowing reuse of permission policies across roles but also enhances security by enabling access to Amazon resources based on matching tags.
How it works
- Pod Identity assigns an IAM role to the Pod.
- ASCP uses this role to authenticate with Amazon Web Services services.
- If authorized, ASCP retrieves the requested parameters and makes them available to the Pod.
For more information, see Understand how Amazon EKS Pod Identity works in the Amazon EKS User Guide.
Prerequisites
Important
Pod Identity is supported only for Amazon EKS in the cloud. It is not supported for Amazon EKS Anywhere.
- Amazon EKS cluster (version 1.24 or later)
- Access to Amazon CLI and Amazon EKS cluster via kubectl
- (Optional) Access to two Amazon Web Services accounts for cross-account access
Install the Amazon EKS Pod Identity Agent
To use Pod Identity with your cluster, you must install the Amazon EKS Pod Identity Agent add-on.
To install the Pod Identity Agent
- Install the Pod Identity Agent add-on on your cluster. Replace the default placeholder text with your own values:

eksctl create addon \
  --name eks-pod-identity-agent \
  --cluster clusterName \
  --region region
Set up ASCP with Pod Identity
- Create a permissions policy that grants ssm:GetParameters and ssm:DescribeParameters permission to the parameters that the Pod needs to access.
- Create an IAM role that can be assumed by the Amazon EKS service principal for Pod Identity:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "pods.eks.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
    }
  ]
}

  Attach the IAM policy to the role. Replace the default placeholder text with your own values:

aws iam attach-role-policy \
  --role-name MY_ROLE \
  --policy-arn POLICY_ARN

- Create a Pod Identity association. For an example, see Create a Pod Identity association in the Amazon EKS User Guide.
- Create the SecretProviderClass that specifies which parameters or secrets to mount in the Pod:

kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/examples/ExampleSecretProviderClass-PodIdentity.yaml

  The key difference in SecretProviderClass between IRSA and Pod Identity is the optional parameter usePodIdentity, which determines the authentication approach. When it is not specified, the provider defaults to IAM Roles for Service Accounts (IRSA).
  - To use EKS Pod Identity, set it to any of these values: "true", "True", "TRUE", "t", "T".
  - To explicitly use IRSA, set it to any of these values: "false", "False", "FALSE", "f", "F".
- Deploy the Pod that mounts the parameters or secrets under /mnt/secrets-store:

kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/examples/ExampleDeployment-PodIdentity.yaml

- If you use a private Amazon EKS cluster, make sure that the VPC that the cluster is in has an Amazon STS endpoint. For information about creating an endpoint, see Interface VPC endpoints in the Amazon Identity and Access Management User Guide.
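The setup steps above, carried through as one script. This is an added example, not code from this page or from the secrets-store-csi-driver-provider-aws project. It renders the three documents the procedure needs (the permissions policy, the trust policy for pods.eks.amazonaws.com, and a SecretProviderClass with usePodIdentity set) and only runs the aws, eks and kubectl commands when ASCP_APPLY=1 is set. It goes slightly beyond the page in one respect: ssm:GetParameters is scoped to a single parameter ARN and wildcards are refused, while ssm:DescribeParameters is left on "*" because that action has no resource-level permissions. The cluster, role, policy, namespace, service account and parameter ARN values are hypothetical placeholders; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the AWS documentation page or the ASCP project).
# Renders the policy, trust policy and SecretProviderClass for ASCP with
# Pod Identity and, only when ASCP_APPLY=1, applies them with the aws CLI
# and kubectl. Every name below is a hypothetical placeholder.

CLUSTER_NAME="${CLUSTER_NAME:-my-cluster}"
REGION="${REGION:-us-east-1}"
NAMESPACE="${NAMESPACE:-default}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-ascp-pod-identity-sa}"
ROLE_NAME="${ROLE_NAME:-ascp-pod-identity-role}"
POLICY_NAME="${POLICY_NAME:-ascp-parameter-read}"
PARAMETER_ARN="${PARAMETER_ARN:-arn:aws:ssm:us-east-1:111122223333:parameter/MyParameter}"

# Permissions policy for one parameter. ssm:GetParameters supports
# resource-level permissions and is pinned to the given ARN; the helper
# refuses wildcard ARNs so the Pod cannot read every parameter in the
# account. ssm:DescribeParameters has no resource types, so it needs "*".
render_parameter_policy() {
  arn="$1"
  case "$arn" in
    *\**) echo "refusing wildcard parameter ARN '$arn'" >&2; return 1 ;;
    arn:aws:ssm:*:*:parameter/*) ;;
    *) echo "not a Parameter Store ARN: '$arn'" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "ssm:GetParameters", "Resource": "$arn" },
    { "Effect": "Allow", "Action": "ssm:DescribeParameters", "Resource": "*" }
  ]
}
EOF
}

# Trust policy letting the EKS Pod Identity service principal assume the role.
render_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "pods.eks.amazonaws.com" },
      "Action": [ "sts:AssumeRole", "sts:TagSession" ]
    }
  ]
}
EOF
}

# SecretProviderClass that mounts one Parameter Store parameter. The page
# accepts several spellings of usePodIdentity; only the canonical "true"
# or "false" is emitted here so the manifest is unambiguous.
render_secret_provider_class() {
  name="$1"; parameter_name="$2"; use_pod_identity="$3"
  case "$use_pod_identity" in
    true|false) ;;
    *) echo "usePodIdentity must be true or false, got '$use_pod_identity'" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: $name
  namespace: $NAMESPACE
spec:
  provider: aws
  parameters:
    usePodIdentity: "$use_pod_identity"
    objects: |
      - objectName: "$parameter_name"
        objectType: "ssmparameter"
EOF
}

# Steps 1-4 of the procedure: policy, role, attachment, association, class.
apply_all() {
  tmpdir=$(mktemp -d)
  render_parameter_policy "$PARAMETER_ARN" > "$tmpdir/policy.json"
  render_trust_policy > "$tmpdir/trust.json"
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document "file://$tmpdir/policy.json" --query Policy.Arn --output text)
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "file://$tmpdir/trust.json" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
  role_arn=$(aws iam get-role --role-name "$ROLE_NAME" --query Role.Arn --output text)
  aws eks create-pod-identity-association --region "$REGION" \
    --cluster-name "$CLUSTER_NAME" --namespace "$NAMESPACE" \
    --service-account "$SERVICE_ACCOUNT" --role-arn "$role_arn"
  render_secret_provider_class aws-parameters MyParameter true | kubectl apply -f -
  rm -rf "$tmpdir"
}

if [ "${ASCP_APPLY:-0}" = "1" ]; then
  apply_all
fi
```

Run it once without ASCP_APPLY to inspect the rendered documents (for example `render_secret_provider_class aws-parameters MyParameter true`), then with ASCP_APPLY=1 to create the role and association. The Pod Identity association binds the role to the service account named in SERVICE_ACCOUNT; the deployment that mounts the SecretProviderClass must use that same service account.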
Verify the secret mount
To verify that the parameter or secret is mounted properly, run the following command. Replace the default placeholder text with your own values:

kubectl exec -it $(kubectl get pods | awk '/pod-identity-deployment/{print $1}' | head -1) -- cat /mnt/secrets-store/MyParameter
To set up Amazon EKS Pod Identity to access parameters in Parameter Store
- Create a permissions policy that grants ssm:GetParameters and ssm:DescribeParameters permission to the parameters that the Pod needs to access.
- Create a parameter in Parameter Store, if you do not already have one. For information, see Creating Parameter Store parameters in Systems Manager.
Troubleshoot
You can view most errors by describing the Pod deployment.
To see error messages for your container
- Get a list of Pod names with the following command. If you aren't using the default namespace, use -n namespace.

kubectl get pods

- To describe the Pod, in the following command, for pod-id use the Pod ID from the Pods you found in the previous step. If you aren't using the default namespace, use -n NAMESPACE.

kubectl describe pod/pod-id

To see errors for the ASCP
- To find more information in the provider logs, in the following command, for pod-id use the ID of the csi-secrets-store-provider-aws Pod.

kubectl -n kube-system get pods
kubectl -n kube-system logs pod/pod-id
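The verification step ("Verify the secret mount") and the troubleshooting steps above, as one added script that is not part of this page or the ASCP project. It checks that the mounted files are present and non-empty without printing their contents (the page's cat command writes the parameter value to the terminal and shell history), selects Pods by an anchored match on the NAME column rather than a substring match anywhere on the line, and pulls the provider logs from kube-system. The deployment name prefix pod-identity-deployment and the parameter name MyParameter come from the page; the namespace and the ASCP_VERIFY switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the AWS documentation page or the ASCP project).
# Verifies the secrets-store mount and fetches ASCP provider logs without
# echoing secret values. Names are the page's placeholders or hypothetical.

# Print the name of the first Pod whose NAME column starts with $1, reading
# "kubectl get pods" output on stdin. Anchoring on the first column avoids
# matching the prefix inside an unrelated Pod's name or status text.
first_pod_named() {
  awk -v p="$1" 'NR > 1 && index($1, p) == 1 { print $1; exit }'
}

# Check that every named file under directory $1 exists and is non-empty.
# Returns 0 when all are present, 1 otherwise. Reports sizes only, never
# contents, so the check is safe to run from a CI job or readiness hook.
verify_secret_mount() {
  dir="$1"; shift
  missing=0
  for name in "$@"; do
    if [ -s "$dir/$name" ]; then
      echo "ok: $dir/$name ($(wc -c < "$dir/$name") bytes)"
    else
      echo "MISSING or empty: $dir/$name" >&2
      missing=1
    fi
  done
  return $missing
}

# Run the same presence check inside the first matching Pod. The remote
# command only tests -s, so no parameter value leaves the container.
verify_in_pod() {
  ns="$1"; prefix="$2"; shift 2
  pod=$(kubectl -n "$ns" get pods | first_pod_named "$prefix")
  [ -n "$pod" ] || { echo "no Pod starting with '$prefix' in $ns" >&2; return 1; }
  cmd='rc=0; for f in "$@"; do [ -s "/mnt/secrets-store/$f" ] || { echo "missing: $f"; rc=1; }; done; exit $rc'
  kubectl -n "$ns" exec "$pod" -- sh -c "$cmd" sh "$@"
}

# Troubleshooting: describe the application Pod, then tail the ASCP
# provider logs from kube-system (the page's two troubleshooting steps).
ascp_diagnostics() {
  ns="$1"; prefix="$2"
  pod=$(kubectl -n "$ns" get pods | first_pod_named "$prefix")
  [ -n "$pod" ] && kubectl -n "$ns" describe "pod/$pod"
  provider=$(kubectl -n kube-system get pods | first_pod_named csi-secrets-store-provider-aws)
  [ -n "$provider" ] || { echo "no csi-secrets-store-provider-aws Pod in kube-system" >&2; return 1; }
  kubectl -n kube-system logs "pod/$provider" --tail=100
}

if [ "${ASCP_VERIFY:-0}" = "1" ]; then
  ns="${NAMESPACE:-default}"
  verify_in_pod "$ns" pod-identity-deployment MyParameter || ascp_diagnostics "$ns" pod-identity-deployment
fi
```

With ASCP_VERIFY=1 the script checks the mount in the first pod-identity-deployment Pod and, only if a file is missing, falls back to the describe and provider-log output a troubleshooting session would start from. verify_secret_mount can also be run directly on a host path when debugging the CSI driver's own mount directory.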