NOTE: The Terraform code in this repo is intended to accompany the linked article, which takes a hands-on deep-dive into the various options that are available to control access between AWS and EKS clusters.
This will spin up an EKS cluster in AWS that can be used to explore authentication and authorization options.
NOTE: This is for example only. Spinning this up will cost you money and there are no guarantees that this is secure, so use this with appropriate caution.
You will need at least one, but preferably two, AWS accounts that you have full access to, and you will also need to have the AWS CLI, the Terraform CLI, and most likely kubectl installed.
To do most of the examples, you only need a single account and profile, but if you are going to try to do them all then you will need two AWS accounts and two profiles, very similar to these:
`~/.aws/config`

```ini
[profile aws-auth-account-one]
region=us-west-2
output=yaml-stream

[profile aws-auth-account-two]
region=us-west-2
output=yaml-stream
```

`~/.aws/credentials`

```ini
[aws-auth-account-one]
aws_access_key_id=REDACTED_ACCESS_KEY
aws_secret_access_key=REDACTED_SECRET_ACCESS_KEY

[aws-auth-account-two]
aws_access_key_id=REDACTED_ACCESS_KEY
aws_secret_access_key=REDACTED_SECRET_ACCESS_KEY
```
If you have two AWS accounts to work with, then you should uncomment all the Terraform code in `second-account.tf`. However, if you have only one account then go ahead and leave it commented out, so that everything else will continue to work as expected.
You will also need to know the username for your IAM user in account one (e.g. ajohnson), so that you can pass this information to Terraform.
NOTE: There are other ways to configure these credentials, but this is the easiest way to explain and document. If you are familiar enough with all of this, feel free to tweak things to your liking.
Once these profiles are in place and configured with valid credentials then you should be able to spin up the infrastructure with:
```shell
terraform init
terraform plan -var dev_role_id=$(aws --profile aws-auth-account-one iam get-user --output text --query 'User.UserName')
terraform apply -var dev_role_id=$(aws --profile aws-auth-account-one iam get-user --output text --query 'User.UserName')
```
NOTE: It can easily take 15-20 minutes for the whole environment to spin up or down.
When you are done you should tear down the infrastructure with:
```shell
terraform destroy
```
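Before applying, it is worth confirming that the two profiles really resolve to two different AWS accounts and that `dev_role_id` is the IAM user in account one, so the plan lands where you expect. The preflight script below is an added example, not part of this repo; the profile names are the ones configured above, while the `preflight` function, its `run` argument and the 12-digit account-ID check are my own assumptions.

```shell
#!/usr/bin/env bash
# Preflight for the two-profile setup described in the README (added example,
# not repo code). Only read-only STS/IAM calls are made before `terraform plan`.
set -eu

# True if "[profile NAME]" is declared in an AWS config file (default ~/.aws/config).
profile_exists() {
  grep -Eq "^\[profile $1\][[:space:]]*$" "${2:-$HOME/.aws/config}"
}

# AWS account IDs are 12 decimal digits; anything else means the lookup failed.
valid_account_id() { printf '%s' "$1" | grep -Eq '^[0-9]{12}$'; }

# Both IDs must be well-formed and differ: the cross-account STS examples are
# meaningless if both profiles quietly resolve to the same account.
accounts_distinct() {
  valid_account_id "$1" && valid_account_id "$2" && [ "$1" != "$2" ]
}

caller_account() { aws --profile "$1" sts get-caller-identity --output text --query 'Account'; }
caller_user()    { aws --profile "$1" iam get-user --output text --query 'User.UserName'; }

preflight() {
  one=aws-auth-account-one
  two=aws-auth-account-two
  profile_exists "$one" || { echo "missing [profile $one] in ~/.aws/config" >&2; return 1; }
  acct_one=$(caller_account "$one")
  if profile_exists "$two"; then
    acct_two=$(caller_account "$two")
    accounts_distinct "$acct_one" "$acct_two" || {
      echo "both profiles resolve to account $acct_one: use two accounts or keep second-account.tf commented out" >&2
      return 1
    }
    echo "account two: $acct_two"
  else
    echo "no [profile $two] found: keep second-account.tf commented out" >&2
  fi
  user=$(caller_user "$one")
  echo "account one: $acct_one, dev_role_id=$user"
  terraform plan -var "dev_role_id=$user"
}

# Run only when invoked as `bash preflight.sh run`, so sourcing the file for
# its helper functions triggers no AWS calls.
if [ "${1:-}" = "run" ]; then
  preflight
fi
```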
- IMPORTANT: All developers committing any code to this repo should have these pre-commit hooks installed locally. GitHub Actions may also run these at some point, but it is generally faster and easier to run them locally in most cases.

  ```shell
  brew install pre-commit terraform-docs tfenv tflint tfsec checkov terrascan infracost tfupdate minamijoyo/hcledit/hcledit jq shellcheck shfmt git-secrets
  mkdir -p ${HOME}/.git-template/hooks
  git config --global init.templateDir ${HOME}/.git-template
  ```

- Close and reopen your terminal
- Make sure that you run these commands from the root of this git repo!

  ```shell
  cd aws-eks-auth-examples
  pre-commit init-templatedir -t pre-commit ${HOME}/.git-template
  pre-commit install
  ```

- Test it

  ```shell
  pre-commit run -a
  git diff
  ```
See:
| Name | Version |
|---|---|
| terraform | >= 1.5.7 |
| aws | ~> 5.44 |
| kubernetes | ~> 2.28 |

| Name | Version |
|---|---|
| aws | ~> 5.44 |

| Name | Description | Type | Required |
|---|---|---|---|
| cluster_name | Kubernetes cluster name | string | no |
| create_access_entries | Should we create the access entries? | bool | no |
| create_test_users | Should we create the test IAM users and keys? | bool | no |
| dev_role_id | AWS IAM username for the primary user/owner | string | no |
| k8s_version | Kubernetes cluster version | string | no |
| setup_cross_account_sts | Should we set up the cross-account STS components? | bool | no |
| setup_irsa | Should we set up the IRSA components? | bool | no |
| setup_pod_identity | Should we set up the Pod Identity components? | bool | no |
| vpc_cidr | AWS VPC CIDR | string | no |

| Name | Description |
|---|---|
| aws_iam_keys_user_one | UserOne's AWS access and secret key. |
| aws_iam_keys_user_three | UserThree's AWS access and secret key. |
| aws_iam_keys_user_two | UserTwo's AWS access and secret key. |
| ec2_irsa_role_arn | The role ARN that needs to be added to Kubernetes Service Account annotations for IRSA. |