k8s Authentication

with IAM>

with IAM #

OIDC>

OIDC built in at the eks cluster

To assume a role in EKS>

Difference between assume-role and assume-role-with-web-identity>

hugotse can use aws sts assume-role to assume S3Admin
kevintse can use aws sts assume-role-with-web-identity with web-identity to assume S3Admin

How a pod to access aws service>

EKS has some webhooks, it will monitor our changes on cluster

You can create a custom admission webhooks, deny / modify specfic requests of api servers

When the admission webhook detects a service account associated to a pod and that account annotate with iam arn, it will

admission webhook -> send OICD token to AWS IAM
AWS IAM -> verify the OICD token and return web identity token to the webhook
admission webhook save the web identity token and mount it as a volume in the pod
Application -> use the web identity token with aws sts assume-role-with-web-identity to access AWS Service

Where does the OICD token come from?>

with Service Account Token Volume Projection, any pod attached with a service account will automatically mount with a OICD token

Ways to assume role>

if you are an iam user, use access key
if you are in aws services (like ec2 instance), attach iam role
or with oidc, use web identity token
- oidc user get web identity token from aws iam with oidc token
- oidc user use the token to assume role

Permission needs to assume role>

by a iam user>

by a oicd user>

oidc user kevintse have right to use assume-role-with-web-identity
a role has a trusted relationship with oicd user kevintse to assume role with web identity