amazon-web-serviceskubernetesterraformamazon-iamamazon-eks

What does "eksctl create iamserviceaccount" do under the hood on an EKS cluster?

AWS supports IAM Roles for Service Accounts (IRSA) that allows cluster operators to map AWS IAM Roles to Kubernetes Service Accounts.

To do so, one has to create an iamserviceaccount in an EKS cluster:

eksctl create iamserviceaccount \
    --name <AUTOSCALER_NAME> \
    --namespace kube-system \
    --cluster <CLUSTER_NAME> \
    --attach-policy-arn <POLICY_ARN> \
    --approve \
    --override-existing-serviceaccounts

The problem is that I don't want to use the above eksctl command because I want to declare my infrastructure using terraform.

Does eksctl command do anything other than creating a service account? If it only creates a service account, what is the YAML representation of it?

Solution

  • After Vasili Angapov's helps, now I can answer the question:

    Yes It does more than just creating a service account. It does three things:

    1. It Creates an IAM role.
    2. It attaches the desired iam-policy (--attach-policy-arn <POLICY_ARN>) to the created IAM role.
    3. It creates a new kubernetes service account annotated with the arn of the created IAM role.

    Now It's easy to declare the above steps using kubernetes and aws providers in terraform.