Deploy Sample Pod

Now that we have completed all the necessary configuration, we will run two Kubernetes jobs using the newly created IAM role:

  • job-s3.yaml: outputs the result of the command aws s3 ls (this job should succeed).
  • job-ec2.yaml: outputs the result of the command aws ec2 describe-instances --region ${AWS_REGION} (this job should fail).

Before deploying the workloads, make sure to have the environment variables AWS_REGION and ACCOUNT_ID configured in your terminal prompt.

List S3 buckets

Let’s start by testing whether the service account can list the S3 buckets.

mkdir ~/environment/irsa

cat <<EoF> ~/environment/irsa/job-s3.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: eks-iam-test-s3
spec:
  template:
    metadata:
      labels:
        app: eks-iam-test-s3
    spec:
      serviceAccountName: iam-test
      containers:
      - name: eks-iam-test
        image: amazon/aws-cli:latest
        args: ["s3", "ls"]
      restartPolicy: Never
EoF

kubectl apply -f ~/environment/irsa/job-s3.yaml

Make sure your job is completed.

kubectl get job -l app=eks-iam-test-s3

Output:


NAME              COMPLETIONS   DURATION   AGE
eks-iam-test-s3   1/1           2s         21m

Let’s check the logs to verify that the command ran successfully.

kubectl logs -l app=eks-iam-test-s3

Output:


2021-07-17 20:09:41 eksworkshop-eksctl-helm-charts
2021-07-18 19:22:37 eksworkshop-logs

If the output lists some buckets, move on to List EC2 Instances. If not, it is possible your account doesn’t have any S3 buckets; in that case, try running these extra commands.

Let’s create an S3 bucket.

aws s3 mb s3://eksworkshop-$ACCOUNT_ID-$AWS_REGION --region $AWS_REGION

Output:


make_bucket: eksworkshop-40XXXXXXXX75-us-east-1

Now, let’s try that job again. But first, we should remove the old job.

kubectl delete job -l app=eks-iam-test-s3

Then we can re-create the job.

kubectl apply -f ~/environment/irsa/job-s3.yaml

Finally, we can have a look at the output.

kubectl logs -l app=eks-iam-test-s3

Output:


2021-07-21 14:06:24 eksworkshop-40XXXXXXXX75-us-east-1

List EC2 Instances

Now let’s confirm that the service account cannot list the EC2 instances.

cat <<EoF> ~/environment/irsa/job-ec2.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: eks-iam-test-ec2
spec:
  template:
    metadata:
      labels:
        app: eks-iam-test-ec2
    spec:
      serviceAccountName: iam-test
      containers:
      - name: eks-iam-test
        image: amazon/aws-cli:latest
        args: ["ec2", "describe-instances", "--region", "${AWS_REGION}"]
      restartPolicy: Never
  backoffLimit: 0
EoF

kubectl apply -f ~/environment/irsa/job-ec2.yaml

Let’s verify the job status.

kubectl get job -l app=eks-iam-test-ec2

Output:


NAME               COMPLETIONS   DURATION   AGE
eks-iam-test-ec2   0/1           39s        39s

It is normal that the job didn’t complete successfully.

Finally, we will review the logs.

kubectl logs -l app=eks-iam-test-ec2

Output:


An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.
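A small shell check, added here as an example and not part of the workshop, that automates the pass/fail reading of the two jobs above. It treats a job that failed because no credentials were injected (the IRSA token missing, for example when the service account annotation is wrong) differently from the intended IAM deny, since only the UnauthorizedOperation error shows that the role's policy is what blocked the call; an empty bucket listing is treated as inconclusive, as the text above does. The job names and app labels are the ones created above; the sample log lines are copied from the outputs shown above.

```shell
#!/usr/bin/env bash
# Added example, not part of the workshop: read the outcome of the two IRSA
# test jobs and distinguish an IAM deny from a job that failed because no
# credentials were injected (e.g. service account annotation missing).

# Map aws-cli output to a verdict: ok | empty | denied | no-credentials | error
classify_aws_log() {
  case "$1" in
    "")                                     echo "empty" ;;
    *"Unable to locate credentials"*)       echo "no-credentials" ;;
    *UnauthorizedOperation*|*AccessDenied*) echo "denied" ;;
    *"An error occurred"*)                  echo "error" ;;
    *)                                      echo "ok" ;;
  esac
}

# verify_irsa_test <allow|deny> <COMPLETIONS, e.g. 1/1> <log text>
# Returns 0 only when the outcome matches the expectation for that job.
verify_irsa_test() {
  expected=$1; completions=$2; verdict=$(classify_aws_log "$3")
  case "$expected:$completions:$verdict" in
    allow:1/1:ok)    return 0 ;;  # allowed call ran and listed buckets
    deny:0/1:denied) return 0 ;;  # denied call failed with an IAM deny
    *)               return 1 ;;  # empty listing, missing token, other error
  esac
}

# Live check (needs a cluster): job name and app label from the manifests above.
check_live_job() {  # check_live_job <allow|deny> <job-name> <app-label>
  succeeded=$(kubectl get job "$2" -o jsonpath='{.status.succeeded}')
  verify_irsa_test "$1" "${succeeded:-0}/1" "$(kubectl logs -l "app=$3")"
}
# e.g. check_live_job allow eks-iam-test-s3  eks-iam-test-s3
#      check_live_job deny  eks-iam-test-ec2 eks-iam-test-ec2

# Constructed samples taken from the outputs shown above, for offline use.
S3_LOG="2021-07-17 20:09:41 eksworkshop-eksctl-helm-charts"
EC2_LOG="An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation."
NOCRED_LOG="Unable to locate credentials. You can configure credentials by running \"aws configure\"."
```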