Skip to main content

Access AWS resources

Your application may depend on an AWS S3 bucket, SQS Queue, SNS topic, DynamoDB table and so on.

Follow this guide to let your app running within app environment (in Kubernetes cluster) have role-based keyless access to these cloud managed resources.

info

We use IAM Role for Service account (IRSA) concept to get your containers access AWS resources. Although not required immediately, to learn more about it at conceptual level, visit AWS guide here.

You must carry out steps during

  1. Helm chart packaging process and
  2. App environment deployment process

During Helm chart packaging process:​

In each of your pod specifications within deployment yaml spec, use the service account app-service-account. See serviceAccountName key in example below:

apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: apppfho-1
  name: aws-cli-deployment
  labels:
    app: aws-cli
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aws-cli
  template:
    metadata:
      labels:
        app: aws-cli
    spec:
      serviceAccountName: app-service-account
      containers:
        - name: aws-cli
          image: amazon/aws-cli:latest
          command: ['/bin/sh', '-c', 'sleep infinity']
          resources:
            limits:
              memory: '256Mi'
              cpu: '500m'
          stdin: true
          tty: true

Add the above exact serviceAccountName key and value app-service-account inside each deployment spec which intends to access cloud resources like s3.

We create this service account app-service-account within the same kubernetes namespace where your app containers are running and provision a unique IAM role to get used by the same service account. Your app containers will use this service account which will implicitly use the unique IAM role to access cloud resources.

To ensure that the IAM role has all AWS permissions required by your app, follow the remaining steps below.

During App environment deployment:​

Steps:​

  1. Create environment: As a first step, create your app environment. This will bring up the kubernetes cluster and run your app within. It will also create the unique IAM role we mentioned above.
  2. Create resources: Secondly, create all required aws resources within the target AWS account. Like S3 bucket, SQS queue, SNS topic, etc.,
  3. Add permissions: As the last step, navigate inside the target AWS account console and visit IAM console. Find the role that starts with "env-*" and ends with "*-app-role". Example - env-localabc61-iam-app-role. This is the role that got provisioned when the app environment was created and it is used by the service account app-service-account mentioned above. Within this IAM role, in Permissions tab, add all IAM policies relevant for your app, potentially referencing the cloud resources you created in step 2 above.
caution

Do not modify any other property of the IAM role seen in step 3. Especially the "Trust relationships" setting. Otherwise, your app will see 403 forbidden errors from AWS while accessing cloud resources.

After you complete step 3, your app containers will automatically have role-based keyless access to the cloud resources you created. If you need further assistance here, please reach out to LocalOps team.