Pod level access to DynamoDB using IAM on Amazon EKS

$ aws --version
aws-cli/1.16.234 Python/3.7.0 Darwin/17.7.0 botocore/1.12.224
$ eksctl version
[ℹ] version.Info{BuiltAt:"", GitCommit:"", GitTag:"0.5.2"}
$ eksctl create cluster ekscluster-1 --region ap-south-1

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "dynamodb:*",
            "Resource": "arn:aws:dynamodb:ap-south-1:xxxx:table/MysfitsTable"
        }
    ]
}
$ eksctl utils associate-iam-oidc-provider --name ekscluster-1 --approve --region ap-south-1
$ eksctl create iamserviceaccount \
--name ddb-sa-2 \
--cluster ekscluster-1 \
--attach-policy-arn arn:aws:iam::xxxx:policy/aws-ddb-policy1 \
--approve \
--region ap-south-1
$ kubectl get sa
NAME        SECRETS   AGE
ddb-sa-2    1         99m
default     1         3d3h
s3-echoer   1         46h
$ kubectl get sa ddb-sa-2 -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::xxx:role/eksctl-ekscluster-1-addon-iamserviceaccount-Role1-xxx
  creationTimestamp: 2019-09-12T08:46:23Z
  name: ddb-sa-2
  namespace: default
  resourceVersion: "372073"
  selfLink: /api/v1/namespaces/default/serviceaccounts/ddb-sa-2
  uid: xxx-d539-11e9-af15-020f5b903eee
secrets:
- name: ddb-sa-2-token-l952j

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: ddb-sa-2
  containers:
  - name: mythical
    image: cmani/mythical-test:latest
    env:
    - name: AWS_DEFAULT_REGION
      value: "ap-south-1"
    - name: ENABLE_IRP
      value: "true"

apiVersion: v1
kind: Pod
metadata:
  name: my-pod-noaccess
spec:
  containers:
  - name: mythical
    image: cmani/mythical-test:latest
    env:
    - name: AWS_DEFAULT_REGION
      value: "ap-south-1"
    - name: ENABLE_IRP
      value: "true"
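The two pod manifests differ only in `serviceAccountName`, and that one field decides which AWS identity the container ends up with. The following is an added example (not code from the original post) that models the mechanism offline: the EKS pod identity webhook injects `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` into containers whose service account carries the `eks.amazonaws.com/role-arn` annotation, and the role's trust policy limits `sts:AssumeRoleWithWebIdentity` to that one `system:serviceaccount:<namespace>:<name>` subject. The sample objects mirror the post's manifests with placeholder account and role ids; the trust-policy shape is the one eksctl generates (assumption), and `trust_policy_is_scoped` is a defender check the post does not contain.

```python
"""Predict which AWS identity a pod gets under IAM roles for service accounts
(IRSA) and check that the role's trust policy is scoped to one service account.
Added example, not code from the original post. Account ids and role names
below are placeholders; the webhook env-var names and token path are the ones
the EKS pod identity webhook uses, the trust-policy layout mirrors eksctl's."""

ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"
TOKEN_PATH = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"

# Constructed objects mirroring the post's manifests (placeholder account id).
SERVICE_ACCOUNTS = {
    ("default", "ddb-sa-2"): {
        "metadata": {
            "name": "ddb-sa-2",
            "namespace": "default",
            "annotations": {
                ROLE_ARN_ANNOTATION: "arn:aws:iam::123456789012:role/"
                "eksctl-ekscluster-1-addon-iamserviceaccount-Role1-PLACEHOLDER",
            },
        }
    },
    ("default", "default"): {"metadata": {"name": "default", "namespace": "default"}},
}
POD_WITH_SA = {
    "metadata": {"name": "my-pod", "namespace": "default"},
    "spec": {"serviceAccountName": "ddb-sa-2", "containers": [{"name": "mythical"}]},
}
POD_WITHOUT_SA = {
    "metadata": {"name": "my-pod-noaccess", "namespace": "default"},
    "spec": {"containers": [{"name": "mythical"}]},
}


def irsa_env(pod, service_accounts):
    """Return the env vars the webhook injects for this pod, or None when the
    pod has no IRSA binding and the SDK falls through to the node instance
    role via the instance metadata service (the my-pod-noaccess case)."""
    ns = pod["metadata"].get("namespace", "default")
    sa_name = pod["spec"].get("serviceAccountName", "default")
    sa = service_accounts.get((ns, sa_name))
    if sa is None:
        raise LookupError(f"service account {ns}/{sa_name} not found")
    role_arn = sa["metadata"].get("annotations", {}).get(ROLE_ARN_ANNOTATION)
    if not role_arn:
        return None
    return {"AWS_ROLE_ARN": role_arn, "AWS_WEB_IDENTITY_TOKEN_FILE": TOKEN_PATH}


def trust_policy(oidc_provider_arn, namespace, sa_name):
    """Trust policy that lets only system:serviceaccount:<ns>:<name> assume the
    role through the cluster's OIDC provider (same shape eksctl creates)."""
    host = oidc_provider_arn.split("oidc-provider/", 1)[1]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": oidc_provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{host}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
                f"{host}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def trust_policy_is_scoped(policy):
    """Reject trust policies that any service account in the cluster could
    satisfy: no :sub condition at all, or a StringLike :sub with a wildcard."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        subs = {k: v for op in ("StringEquals", "StringLike")
                for k, v in cond.get(op, {}).items() if k.endswith(":sub")}
        if not subs:
            return False
        if any("*" in v for k, v in subs.items() if k in cond.get("StringLike", {})):
            return False
    return True


if __name__ == "__main__":
    print("my-pod env:", irsa_env(POD_WITH_SA, SERVICE_ACCOUNTS))
    print("my-pod-noaccess env:", irsa_env(POD_WITHOUT_SA, SERVICE_ACCOUNTS))
```

Running it shows `my-pod` receiving the role ARN and token path while `my-pod-noaccess` gets `None`, which is why the second pod later acts as the node instance role. The scoping check matters because a trust policy that only conditions on `:aud`, or uses `system:serviceaccount:*:*`, lets every pod in the cluster assume the DynamoDB role.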
$ kubectl get pods
NAME              READY   STATUS    RESTARTS   AGE
my-pod            1/1     Running   0          81m
my-pod-noaccess   1/1     Running   0          81m
$ kubectl exec -it my-pod -- bash
$ apt-get update && apt-get install curl unzip -y
$ curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
$ unzip awscli-bundle.zip
$ ./awscli-bundle/install -b ~/bin/aws
$ kubectl exec -it my-pod -- bash
# /root/bin/aws dynamodb describe-table --table-name MysfitsTable --region ap-south-1
{
    "Table": {
        "TableArn": "arn:aws:dynamodb:ap-south-1:xxxx:table/MysfitsTable",
        "AttributeDefinitions": [
            {
                "AttributeName": "GoodEvil",
                "AttributeType": "S"
            },
            {
                "AttributeName": "LawChaos",
                "AttributeType": "S"
            },
            {
                "AttributeName": "MysfitId",
                "AttributeType": "S"
            }
        ],
        "GlobalSecondaryIndexes": [
            {
                "IndexSizeBytes": 9068,
                "IndexName": "LawChaosIndex",
                "Projection": {

# /root/bin/aws dynamodb scan --table-name MysfitsTable --region ap-south-1
{
    "Count": 12,
    "Items": [
        {
            "Description": {
                "S":
$ kubectl exec -it my-pod-noaccess -- bash
# /root/bin/aws dynamodb describe-table --table-name MysfitsTable --region ap-south-1

An error occurred (AccessDeniedException) when calling the DescribeTable operation: User: arn:aws:sts::xx:assumed-role/eksctl-ekscluster-1-nodegroup-ng-NodeInstanceRole-xxx/i-xxxx is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:ap-south-1:xxx:table/MysfitsTable

# /root/bin/aws dynamodb scan --table-name MysfitsTable --region ap-south-1

An error occurred (AccessDeniedException) when calling the Scan operation: User: arn:aws:sts::xxxx:assumed-role/eksctl-ekscluster-1-nodegroup-ng-NodeInstanceRole-xxx/i-xxxx is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:ap-south-1:xxxxx:table/MysfitsTable
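The AccessDenied messages above carry the real finding of this experiment: the pod without a bound service account did not run with no identity, it ran as the node group's `NodeInstanceRole`, i.e. the node's instance-profile credentials reachable over the instance metadata service. The following is an added example (not code from the original post) that parses such messages to tell IRSA-backed calls from node-role calls, and audits the attached IAM policy, whose `dynamodb:*` grants far more than the `describe-table` and `scan` calls exercised here. The sample error strings and policy are constructed to mirror the post's output with placeholder account and instance ids; the classification relies on eksctl's `NodeInstanceRole` and `iamserviceaccount` role-name conventions (assumption), and `narrowed_policy` is a hypothetical helper.

```python
"""Interpret AccessDenied messages from pods on EKS and audit the attached IAM
policy for wildcard actions. Added example, not code from the original post.
Error strings and policy are constructed to mirror the post's output; account
and instance ids are placeholders. Role-name matching follows eksctl's naming
(NodeInstanceRole for node groups, iamserviceaccount for IRSA roles)."""
import re

# Constructed samples mirroring the post's output (placeholder ids).
SAMPLE_ERRORS = [
    "An error occurred (AccessDeniedException) when calling the DescribeTable "
    "operation: User: arn:aws:sts::123456789012:assumed-role/"
    "eksctl-ekscluster-1-nodegroup-ng-NodeInstanceRole-PLACEHOLDER/i-0123456789abcdef0 "
    "is not authorized to perform: dynamodb:DescribeTable on resource: "
    "arn:aws:dynamodb:ap-south-1:123456789012:table/MysfitsTable",
    "An error occurred (AccessDeniedException) when calling the Scan operation: "
    "User: arn:aws:sts::123456789012:assumed-role/"
    "eksctl-ekscluster-1-addon-iamserviceaccount-Role1-PLACEHOLDER/botocore-session-1 "
    "is not authorized to perform: dynamodb:Scan on resource: "
    "arn:aws:dynamodb:ap-south-1:123456789012:table/OtherTable",
]

# The post's policy with the account id replaced by a placeholder.
POST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "dynamodb:*",
        "Resource": "arn:aws:dynamodb:ap-south-1:123456789012:table/MysfitsTable",
    }],
}

ACCESS_DENIED = re.compile(
    r"User: (?P<principal>arn:aws:sts::[^:]*:assumed-role/(?P<role>[^/]+)/(?P<session>\S+)) "
    r"is not authorized to perform: (?P<action>[\w-]+:[\w*-]+) on resource: (?P<resource>\S+)"
)


def parse_access_denied(message):
    """Extract principal, role, action and resource from an AccessDenied message
    and label where the credentials came from. A pod acting as the node group's
    NodeInstanceRole has no IRSA binding and fell through to the node's IMDS
    credentials, which is what my-pod-noaccess shows."""
    m = ACCESS_DENIED.search(message)
    if not m:
        return None
    info = m.groupdict()
    if "NodeInstanceRole" in info["role"]:
        info["credential_source"] = "node-instance-role"
    elif "iamserviceaccount" in info["role"]:
        info["credential_source"] = "irsa-role"
    else:
        info["credential_source"] = "unknown"
    return info


def wildcard_actions(policy):
    """List Allow actions containing a wildcard (dynamodb:* in the post's policy)."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        found.extend(a for a in actions if "*" in a)
    return found


def narrowed_policy(policy, allowed_actions):
    """Hypothetical helper: copy the policy, replacing each wildcard Allow action
    list with the explicit actions the workload actually uses."""
    new_statements = []
    for stmt in policy.get("Statement", []):
        stmt = dict(stmt)
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") == "Allow" and any("*" in a for a in actions):
            stmt["Action"] = sorted(allowed_actions)
        new_statements.append(stmt)
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": new_statements}


if __name__ == "__main__":
    for err in SAMPLE_ERRORS:
        print(parse_access_denied(err))
    print("wildcard actions:", wildcard_actions(POST_POLICY))
    print(narrowed_policy(POST_POLICY, {"dynamodb:DescribeTable", "dynamodb:Scan"}))
```

The same regex works on CloudTrail `errorMessage` fields, so the `credential_source` label is a cheap way to spot workloads that are still riding the node role instead of their own IRSA role. Once every pod that needs AWS access has a bound service account, the node instance role can be trimmed and the policy on `ddb-sa-2` reduced to the narrowed form.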

Mani