Tags: amazon-web-services, kubernetes, amazon-s3, amazon-eks, k8s-serviceaccount

Kubernetes service account to access AWS S3 for different users in the container


I have an EKS deployment with a service account with policy and role that enable access to S3.

This works well for the root account in the container. The container can execute `aws s3 cp ...` with no issue.

The problem is that another user cannot. That user gets AccessDenied from the S3 service, meaning it does not have the correct credentials.

So my question is: how do I give rights to another user in the container (which is Linux-based) in this case?

(I don't think it's specific to EKS, as service accounts are generic to Kubernetes.)


Solution

  • You can check out the reference for how IAM roles for service accounts work in k8s here.
    In short, in order to allow another user to use the IAM role the same environment variables have to be configured for that user, and it needs to be able to access the path specified in the AWS_WEB_IDENTITY_TOKEN_FILE variable.
    Once both of these prerequisites are met, the user should be able to use the same identity as the root user.
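As an added illustration (not part of the original answer), here is a POSIX shell function that checks both prerequisites from inside the container for whichever user runs it. The variable names AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are the ones the EKS pod identity webhook injects; the `su -p` invocation in the comments is an assumption about how the second user is started.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks, for the user
# running it, whether the IRSA prerequisites from the answer hold:
#   1. the role/token environment variables were inherited, and
#   2. the projected token file is readable by this uid.
# Suggested use inside the container (assumed user name "appuser"):
#   su -p appuser -c 'sh /tmp/irsa-check.sh; irsa_check'
# "-p" keeps the container environment; a plain "su -" would drop it.

# irsa_check [ROLE_ARN] [TOKEN_FILE]
# Prints the first failing prerequisite and returns 1, or prints "ok"
# and returns 0. Arguments default to the injected environment variables.
irsa_check() {
    role_arn="${1:-$AWS_ROLE_ARN}"
    token_file="${2:-$AWS_WEB_IDENTITY_TOKEN_FILE}"

    if [ -z "$role_arn" ]; then
        echo "AWS_ROLE_ARN is not set for uid $(id -u): environment not inherited?"
        return 1
    fi
    if [ -z "$token_file" ]; then
        echo "AWS_WEB_IDENTITY_TOKEN_FILE is not set for uid $(id -u)"
        return 1
    fi
    if [ ! -e "$token_file" ]; then
        echo "token file $token_file does not exist: projected volume not mounted?"
        return 1
    fi
    if [ ! -r "$token_file" ]; then
        # Projected tokens are root-owned with mode 0600 unless the pod
        # sets securityContext.fsGroup (or runAsUser) to this user.
        echo "token file $token_file is not readable by uid $(id -u)"
        return 1
    fi
    # A web identity token is a JWT: three base64url segments joined by dots.
    if ! head -c 4096 "$token_file" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'; then
        echo "token file $token_file does not contain a JWT"
        return 1
    fi
    echo "ok"
    return 0
}
```

When the function reports the token file as unreadable, the fix belongs in the pod spec (fsGroup/runAsUser), not in a chmod from the entrypoint, so the token stays limited to the intended uid.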