Configure IRSA for AWS Elastic Kubernetes Service (EKS)
To use AWS Elastic Kubernetes Service (EKS) with TF-controller, you can leverage IAM Roles for Service Accounts (IRSA)
as a way to provide credentials to the Terraform runners (tf-runner
pods).
IRSA allows you to create IAM roles that can be assumed by the identity provider for your Kubernetes cluster,
which can then be used by the pods running in the cluster to access AWS resources.
This can be especially useful for automating infrastructure management tasks using TF-controller.
To set up IRSA for use with TF-controller, you will need to follow a few steps to associate an OpenID Connect (OIDC) provider with your EKS cluster,
create a trust policy for the IAM role, and annotate the ServiceAccount for the tf-runner
with the Role ARN.
In this document, we will walk you through these steps in detail so that you can use IRSA with TF-controller in your EKS cluster.
To use AWS Elastic Kubernetes Service (EKS) with TF-controller, you will need to follow these steps:
Use eksctl to associate an OpenID Connect (OIDC) provider with your EKS cluster. This can be done by running the following command:
eksctl utils associate-iam-oidc-provider --cluster CLUSTER_NAME --approve
Replace
CLUSTER_NAME
with the name of your EKS cluster. This command will create an IAM OIDC provider and associate it with your EKS cluster.Follow the instructions in the AWS documentation to add a trust policy to the IAM role that grants the necessary permissions for Terraform. Make sure to use the
namespace:serviceaccountname
offlux-system:tf-runner
. This will give you a Role ARN that you will need in the next step.Annotate the ServiceAccount for the
tf-runner
with the obtained Role ARN in your cluster. You can do this by running the following command:kubectl annotate -n flux-system serviceaccount tf-runner eks.amazonaws.com/role-arn=ROLE_ARN
Replace
ROLE_ARN
with the Role ARN obtained in the previous step.If you are deploying TF-controller using Helm, you can pass the Role ARN as an annotation to the
tf-runner
ServiceAccount in your Helm values file. This can be done by adding the following block to your values file:values:
runner:
serviceAccount:
annotations:
eks.amazonaws.com/role-arn: ROLE_ARN
By following these steps, you will be able to use the Terraform controller with your EKS cluster and provide the necessary AWS credentials for performing plans and applies.