Presentation

IRSA Evolved: Transparent AWS Access by Any Kubernetes Workload


AWS provides a transparent way of taking a Kubernetes service account and tying it to a specific IAM role in the same AWS account. Amazon has dubbed this functionality "IAM Roles for Service Accounts" (IRSA) and, while relatively simple to set up, it has some notable shortcomings. What if the Kubernetes cluster isn't EKS? What if it isn't in the same AWS account? Or what if you need access to multiple AWS accounts at the same time?

The box before you contains an OpenShift cluster configured with the Vault Injector, a Vault cluster configured with AWS secrets engines, and a workload that runs on this OpenShift cluster that is just starting the "crawl" phase of its integration with Vault.

Together we will discuss how these components can be combined into a more powerful alternative to Amazon's IRSA. Our Kubernetes workload will have AWS authentication handled transparently and refreshed automatically, so that any program using the official AWS SDKs can use it out of the box.
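To make the "transparent to the workload" part concrete, here is an added example (not from the talk or from HashiCorp's own material) of how the pieces fit: the Vault Agent Injector authenticates the pod's service account to Vault, pulls short-lived credentials from two AWS secrets engines, and renders them into the standard AWS shared-credentials file, so the application only needs the `AWS_SHARED_CREDENTIALS_FILE` and `AWS_PROFILE` environment variables that every official SDK already honours. Everything named here is an assumption for illustration: the secrets engine mounts `aws-account-a/` and `aws-account-b/`, the Vault role `app-reader` in each (assumed to be an STS-backed role type, which is why a `security_token` is rendered), the Kubernetes auth role and service account `crawl-app`, and the image name.

```yaml
# Added example, not the talk's own manifest. Assumed names: secrets engines at
# aws-account-a/ and aws-account-b/, Vault AWS role "app-reader" in each,
# Kubernetes auth role and service account "crawl-app", image example.invalid/crawl-app.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: crawl-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: crawl-app
  template:
    metadata:
      labels:
        app: crawl-app
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # Vault Kubernetes-auth role bound to the pod's service account (assumed name).
        vault.hashicorp.com/role: "crawl-app"
        # One rendered file, two AWS accounts, each as its own SDK profile.
        vault.hashicorp.com/agent-inject-secret-aws-credentials: "aws-account-a/creds/app-reader"
        vault.hashicorp.com/agent-inject-template-aws-credentials: |
          {{ with secret "aws-account-a/creds/app-reader" }}
          [account-a]
          aws_access_key_id = {{ .Data.access_key }}
          aws_secret_access_key = {{ .Data.secret_key }}
          aws_session_token = {{ .Data.security_token }}
          {{ end }}
          {{ with secret "aws-account-b/creds/app-reader" }}
          [account-b]
          aws_access_key_id = {{ .Data.access_key }}
          aws_secret_access_key = {{ .Data.secret_key }}
          aws_session_token = {{ .Data.security_token }}
          {{ end }}
    spec:
      serviceAccountName: crawl-app
      containers:
        - name: app
          image: example.invalid/crawl-app:latest
          env:
            # Standard SDK settings: no Vault- or AWS-specific code in the workload.
            # The injector writes rendered secrets under /vault/secrets/ by default.
            - name: AWS_SHARED_CREDENTIALS_FILE
              value: /vault/secrets/aws-credentials
            - name: AWS_PROFILE
              value: account-a
```

The workload never sees a Vault token or a long-lived IAM key: the agent sidecar holds the Vault identity, and the rendered file only ever contains credentials with a Vault lease behind them, so revoking the lease (or the pod's Vault role) cuts off AWS access without touching IAM. Two practitioner checks apply. First, the AWS secrets engine role type determines whether a `security_token` is returned at all; an `iam_user` role issues static-looking keys with no session token, so the template above assumes an STS-based role. Second, the agent re-renders the file as leases are renewed or re-issued, but whether a long-running process picks up the new file without restarting depends on the SDK's credential provider, so verify that behaviour for the SDK your workload uses before relying on automatic refresh.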
