
Grant Kubernetes Pods Access to AWS Services Using OpenID Connect

submitted by
Style Pass
2024-04-22 09:00:08

Learn how to establish a trust relationship between a Kubernetes cluster and AWS IAM to grant cluster generated Service Account tokens access to AWS services using OIDC & without storing long-lived credentials.

In our previous post, we discussed what OpenID Connect (OIDC) is and how to use it to authenticate identities from one system to another.

We covered why it is crucial to avoid storing long-lived credentials and the benefits of employing OIDC for the task of authentication.

We also covered a practical example of authenticating GitHub runners to AWS IAM by establishing a trust relationship between GitHub and AWS using OIDC.

In this post, we will take it one step further and provide a way for the pods of our Kubernetes cluster to authenticate to AWS services using OIDC.

This post will provide a walkthrough of granting such access to a bare-metal Kubernetes cluster (k3s) using only the OpenID Connect protocol. In a later post, we'll show you how easy it is to achieve the same with a managed Kubernetes cluster like Azure Kubernetes Service (AKS). But first, let's understand the fundamentals by trying it on a bare-metal cluster.
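As an added example (not code from the original post), the piece of this trust relationship a reviewer should look at most closely is the IAM role trust policy: it names the cluster's OIDC provider and pins the token's `aud` and `sub` claims, so only one service account can call `sts:AssumeRoleWithWebIdentity`. The account id, issuer host, namespace and service-account names below are constructed placeholders.

```python
"""Build an IAM trust policy for a Kubernetes service-account token and check decoded
token claims against it, modelling IAM's StringEquals evaluation. Added example; not
the original post's code. All identifiers are placeholders."""

ACCOUNT_ID = "123456789012"        # placeholder AWS account id
ISSUER = "oidc.k3s.example.com"    # placeholder issuer host, i.e. the cluster's public
                                   # service-account issuer URL with "https://" removed


def build_trust_policy(issuer: str, audience: str, namespace: str, sa_name: str) -> dict:
    """Trust policy scoped to exactly one service account.
    Projected service-account tokens carry sub = system:serviceaccount:<ns>:<name> and the
    aud configured on the projected volume. Leaving out the sub condition would let every
    service account in the cluster assume this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:aud": audience,
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
            }},
        }],
    }


def _claim_matches(claims: dict, name: str, expected: str) -> bool:
    # JWT aud may be a list; other claims are plain strings.
    value = claims.get(name)
    return expected in value if isinstance(value, list) else value == expected


def claims_allowed(policy: dict, claims: dict) -> bool:
    """Simplified IAM evaluation: the token's iss must be the federated provider and every
    StringEquals condition key ("<issuer>:<claim>") must match exactly."""
    for stmt in policy["Statement"]:
        provider = stmt["Principal"]["Federated"].rsplit("oidc-provider/", 1)[1]
        if claims.get("iss") != f"https://{provider}":
            continue  # token minted by a different issuer: this statement cannot apply
        conditions = stmt["Condition"]["StringEquals"]
        if all(_claim_matches(claims, key.rsplit(":", 1)[1], expected)
               for key, expected in conditions.items()):
            return True
    return False
```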
