We have a new EKS cluster 1.30 on our project, where we want to completely remove the old IRSA with OIDC and start using EKS Pod Identities — see AWS: EKS Pod Identities — a replacement for IRSA…

ITNEXT is a platform for IT professionals, developers, and technology enthusiasts, offering articles, tutorials, and insights on a wide range of topics, including software development, cloud computing, and machine learning. With a focus on practical solutions and real-world applications, ITNEXT provides actionable advice and best practices for navigating the complexities of modern technology landscapes. Developers can learn about  technologies, explore hands-on tutorials, and stay up-to-date on the latest industry trends through ITNEXT's engaging and informative content.

ITNEXT

The post covers the transition from IRSA with OIDC to EKS Pod Identities for managing IAM access in a new EKS cluster. It highlights the challenges faced when using Kubernetes Secrets Store CSI Driver to sync AWS Secrets Manager with Kubernetes Secrets, specifically the IAM role association issue. A solution using External Secrets Operator (ESO) is proposed, which simplifies the process and offers flexibility with multiple providers. Detailed steps for installing ESO, configuring AWS IAM roles and policies, and creating Kubernetes Secrets are provided.

AWS: Kubernetes and External Secrets Operator for AWS Secrets Manager

The problem: Kubernetes Secrets Store CSI Driver and “An IAM role must be associated with service account”

Installing External Secrets Operator with Helm

Creating an IAM Role for EKS Pod Identity

Creating a Kubernetes Secrets from AWS Secrets Manager