Tags: amazon-web-services, amazon-eks, crossplane

How to set up AWS EksPodIdentity using crossplane provider


I have tried setting up any kind of AWS provider with authentication of EKSPodIdentity with no luck; I can't find any documentation except this, and it doesn't seem to work.

I have set up EKSPodIdentity following AWS documentation, added OIDC provider and everything looks to be configured properly, but I still get this error:

crossplane annot get credentials: no extraction handler registered for source: PodIdentity

Solution

  • I have found the issue: the serviceaccounttemplate parameter was wrong. Plus, you have to set up Crossplane's service account appropriately; apparently, EKS requires a specific annotation for the service account, according to this documentation, which in my case had to be added via the Crossplane Helm chart & Terraform, since that's how I installed it, like this:

    resource "helm_release" "crossplane" {
      name             = "crossplane"
      repository       = "https://charts.crossplane.io/stable"
      namespace        = var.crossplane_config.namespace
      create_namespace = true
      chart            = "crossplane"
      version          = "1.19.1"
      timeout          = 300
      # "<<-EOF" (with the dash) lets the heredoc body and its terminator stay
      # indented; with a plain "<<EOF" the indented "EOF" line would not be
      # recognised as the terminator and Terraform would fail to parse the file.
      values = [<<-EOF
        serviceAccount:
          name: "${var.crossplane_config.service_account_name}"
          customAnnotations:
            "eks.amazonaws.com/role-arn": "${aws_iam_role.crossplane_oidc_role.arn}"
        EOF
      ]
    }
    

    Additionally, notice the service account name specification; I've made sure it matches the DeploymentRuntimeConfig Crossplane resource:

    apiVersion: pkg.crossplane.io/v1beta1
    kind: DeploymentRuntimeConfig
    metadata:
      name: podidentity-drc
    spec:
      serviceAccountTemplate:
        metadata:
          name: crossplane
    ---
    apiVersion: pkg.crossplane.io/v1beta1
    kind: DeploymentRuntimeConfig
    metadata:
      name: default
    spec:
      serviceAccountTemplate:
        metadata:
          name: crossplane
    ---
    apiVersion: pkg.crossplane.io/v1
    kind: Provider
    metadata:
      name: provider-aws
    spec:
      package: xpkg.upbound.io/upbound/provider-aws-s3:v1
      runtimeConfigRef:
        name: podidentity-drc
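As an added consistency check (not part of the question or the answer above), the script below walks the chain the answer relies on: Provider -> runtimeConfigRef -> DeploymentRuntimeConfig -> serviceAccountTemplate name -> ServiceAccount -> role-arn annotation. It takes the JSON that `kubectl get provider/deploymentruntimeconfig/serviceaccount -o json` prints; the sample objects embedded here are constructed, and the role ARN is a placeholder.

```python
"""Check that a Crossplane Provider's runtime config points at a ServiceAccount
that exists and carries the eks.amazonaws.com/role-arn annotation.

Usage with a live cluster (commands are standard kubectl, namespace assumed):
  kubectl get provider provider-aws -o json            > provider.json
  kubectl get deploymentruntimeconfig -o json          > drcs.json
  kubectl get serviceaccount -n crossplane-system -o json > sas.json
then call find_mismatches(load("provider.json"), items(load("drcs.json")),
items(load("sas.json"))).
"""
import json

ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"  # annotation named in the answer


def load(path):
    with open(path) as fh:
        return json.load(fh)


def items(doc):
    """Unwrap a kubectl 'List' object into its items; pass single objects through."""
    return doc["items"] if doc.get("kind") == "List" else [doc]


def find_mismatches(provider, runtime_configs, service_accounts):
    """Return a list of problems found along the Provider -> DRC -> SA chain.

    An empty list means the wiring is consistent."""
    # A Provider without runtimeConfigRef falls back to the DRC named "default".
    drc_name = provider.get("spec", {}).get("runtimeConfigRef", {}).get("name", "default")
    drcs = {d["metadata"]["name"]: d for d in runtime_configs}
    if drc_name not in drcs:
        return [f"Provider references DeploymentRuntimeConfig '{drc_name}', which does not exist"]
    template = drcs[drc_name].get("spec", {}).get("serviceAccountTemplate", {})
    sa_name = template.get("metadata", {}).get("name")
    if not sa_name:
        return [f"DeploymentRuntimeConfig '{drc_name}' sets no serviceAccountTemplate.metadata.name"]
    sas = {s["metadata"]["name"]: s for s in service_accounts}
    if sa_name not in sas:
        return [f"ServiceAccount '{sa_name}' (from DRC '{drc_name}') not found in the namespace"]
    annotations = sas[sa_name].get("metadata", {}).get("annotations") or {}
    arn = annotations.get(ROLE_ARN_ANNOTATION, "")
    if not arn.startswith("arn:aws"):
        return [f"ServiceAccount '{sa_name}' lacks a valid '{ROLE_ARN_ANNOTATION}' annotation"]
    return []


# Constructed sample objects mirroring the answer's manifests (ARN is a placeholder).
PROVIDER = {"kind": "Provider", "metadata": {"name": "provider-aws"},
            "spec": {"runtimeConfigRef": {"name": "podidentity-drc"}}}
DRC_OK = [{"metadata": {"name": "podidentity-drc"},
           "spec": {"serviceAccountTemplate": {"metadata": {"name": "crossplane"}}}}]
DRC_WRONG_NAME = [{"metadata": {"name": "podidentity-drc"},
                   "spec": {"serviceAccountTemplate": {"metadata": {"name": "provider-aws"}}}}]
SAS = [{"metadata": {"name": "crossplane", "annotations":
        {ROLE_ARN_ANNOTATION: "arn:aws:iam::123456789012:role/PLACEHOLDER-crossplane"}}}]
```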