Migrating from kube2iam to IAM roles for Service Accounts (IRSA)

Since the beginning, when we started rolling out our K8s-based reference solution to customers, we have handled application access to AWS resources via kube2iam.

Last year, AWS introduced IAM roles for Service Accounts (IRSA) as an alternative way to provide fine-grained access to AWS resources for applications running on EKS. This solution comes with several benefits compared to kube2iam or similar tools:

  • It is already integrated into EKS, so there is no need to run an extra DaemonSet to intercept IAM authentication requests
  • We can completely block Pod-level access to the node's EC2 instance metadata service
  • Similar ease of use

At the time of writing, we have enabled support for IRSA on all our clusters. Most of our Addons (*), the upstream applications we deploy on each cluster to provide extra functionality such as automated SSL certificates and monitoring, have also been updated to use IRSA.

(*) Note: The exception is Vault. We are waiting on the release of 1.5.0, which should come with the necessary support.

Action needed

Every customer using IAM roles for their Pods through kube2iam will have to migrate to using IRSA. Once everything is migrated we will disable support for kube2iam.

You will notice a migration Issue in your GitHub repository, and each Lead will get in touch with you to determine the best migration path. Meanwhile, you can already check out the documentation below.
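A minimal before/after view of the migration for one workload, as an added example rather than any of our own manifests; the namespace, names, image and account id are placeholders:

```yaml
# BEFORE: kube2iam. The role is selected per Pod through a Pod annotation,
# and kube2iam's DaemonSet intercepts the Pod's calls to the EC2 metadata endpoint.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app            # placeholder workload name
  namespace: example           # placeholder namespace
spec:
  selector:
    matchLabels: {app: example-app}
  template:
    metadata:
      labels: {app: example-app}
      annotations:
        iam.amazonaws.com/role: example-app-role   # placeholder kube2iam role name
    spec:
      containers:
        - name: app
          image: example.invalid/example-app:1.0   # placeholder image
---
# AFTER: IRSA. The role ARN moves to a ServiceAccount annotation. The EKS pod
# identity webhook injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into Pods
# using this ServiceAccount, and the AWS SDK exchanges the projected token for
# credentials with sts:AssumeRoleWithWebIdentity. No Pod annotation is needed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-app
  namespace: example
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/example-app-role  # placeholder ARN
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
  namespace: example
spec:
  selector:
    matchLabels: {app: example-app}
  template:
    metadata:
      labels: {app: example-app}      # the kube2iam annotation is removed
    spec:
      serviceAccountName: example-app # binds the Pod to the annotated ServiceAccount
      containers:
        - name: app
          image: example.invalid/example-app:1.0   # placeholder image
```

The IAM role's trust policy must also be changed to trust the cluster's OIDC provider with a condition restricting the token's `sub` claim to `system:serviceaccount:example:example-app`, and the application must use an AWS SDK version that supports web identity tokens. Removing the kube2iam annotation matters: while it is still present, a Pod that falls back to the metadata endpoint would keep working through kube2iam and the migration would go unnoticed until kube2iam is switched off.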

References