Description
opened on Jun 22, 2020
Describe the feature:
Support the use of AWS EKS IAM roles for service accounts.
This requires two things to take place:
- Filebeat (and potentially other charts) do not appear to use an AWS SDK version that supports assuming an IAM role via an OIDC web identity token file (`sts:AssumeRoleWithWebIdentity`). This is required in order to use EKS's IAM roles for service accounts feature. AWS SDK version requirements are here.
- Charts also need to support service account annotations described in issue "Please allow annotations for the ServiceAccount resources in your charts" #627
Describe a specific use case for the feature:
Provide AWS IAM roles to pods instead of supplying credentials directly in configuration. Adding the following annotation to the service account would allow the use of the corresponding role.
```yaml
annotations:
  eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT-ID>:role/<ROLE-NAME>
```
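
A way to tell which of the two prerequisites above is missing in a running pod, as an added example that is not part of the original issue or of the charts' code. It assumes the EKS pod identity webhook injects `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` into pods whose service account carries the annotation; the function name `irsa_status` is hypothetical.

```shell
#!/bin/sh
# Added diagnostic, not code from the issue or the charts.
# Run inside the pod (for example through `kubectl exec`) with --run.
# Assumption: for an annotated ServiceAccount the EKS webhook sets
# AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE in the container.

irsa_status() {
    # No role ARN: the annotation is missing or the pod was not mutated.
    if [ -z "${AWS_ROLE_ARN:-}" ]; then
        echo "no-role-arn"; return 1
    fi
    # Must be a real IAM role ARN, not an unsubstituted template value.
    case "$AWS_ROLE_ARN" in
        arn:aws*:iam::[0-9]*:role/?*) ;;
        *) echo "bad-role-arn"; return 1 ;;
    esac
    if [ -z "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]; then
        echo "no-token-path"; return 1
    fi
    # The projected OIDC token must be readable and non-empty.
    if [ ! -r "$AWS_WEB_IDENTITY_TOKEN_FILE" ] ||
       [ ! -s "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
        echo "token-unreadable"; return 1
    fi
    # Static keys in the environment are resolved before the web identity
    # token by the AWS SDK default credential chains, so the role would
    # be ignored and the long-lived keys used instead.
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
        echo "static-keys-override"; return 1
    fi
    # Pod side is complete; a remaining auth failure points at the
    # SDK version bundled in the application.
    echo "ready"; return 0
}

if [ "${1:-}" = "--run" ]; then
    irsa_status
fi
```

A result of `ready` combined with a Filebeat authentication failure points at the first item in the issue (SDK support); any other result points at the service account annotation or pod configuration.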