Using workload identity with AWS

This topic describes how to enable workload identity for your GKE on AWS workloads to control their access to AWS resources.

For information about using workload identity with Google Cloud Identity and Access Management (IAM) accounts to control access to GCP resources, see Using workload identity with Google Cloud.

Overview

Workload identity uses AWS IAM permissions to control access to cloud resources. With workload identity, you can assign different IAM roles to each workload. This fine-grained control of permissions lets you follow the principle of least privilege. Without workload identity, you must assign AWS IAM roles to your GKE on AWS nodes, giving all workloads on the node the same permissions as the node itself.

To enable workload identity for your cluster, complete the following steps, which are grouped by the administrative roles that perform them.

Cluster administrator

1. Create a Cloud Storage bucket to store OIDC discovery data.
2. Create an Identity and Access Management role to read from that bucket.
3. Create a user cluster with workload identity enabled.
4. Create a webhook on your cluster that applies workload identity credentials to Pods on creation. If you don't want to use the webhook, you can manually set environment variables in your pods.
5. Configure the AWS OIDC provider.
6. Create AWS IAM roles and policies.

6. Create Kubernetes service accounts, and bind AWS policies to them.

7. Apply credentials to your Pods.

Prerequisites

To complete the steps in this document, you must have the following setup:

• An GKE on AWS management service.

• User clusters that are running a Kubernetes version greater than 1.17.9.

• The following permissions and tools.

Permissions

To create a cluster with workload identity enabled, you need the following permissions:

Google Cloud

• Create a publicly readable Cloud Storage bucket with uniform bucket-level access enabled.
• Grant management-sa@PROJECT_NAME.iam.gserviceaccount.com read/write permissions to the bucket.

AWS

• Create an AWS OIDC provider
• Create AWS IAM roles

Tools

On your local machine, we recommend having the jq tool installed.

Creating the OIDC discovery bucket

This section is for cluster administrators.

Your user cluster needs to store the OIDC discovery data in a publicly accessible Cloud Storage bucket. The bucket includes OIDC discovery configuration and public keys. AWS uses the contents to authenticate requests from your user clusters.

Your bucket must have the following attributes:

• Be publicly readable.
• Have uniform bucket-level access enabled.

If you don't have a bucket with these attributes, create one by using the following gcloud storage commands:

BUCKET=BUCKET_NAME gcloud storage buckets create gs://${BUCKET} --uniform-bucket-level-access gcloud storage buckets add-iam-policy-binding gs://${BUCKET} \  --member=allUsers --role=roles/storage.objectViewer 

Replace BUCKET_NAME with the name of your new bucket.

Grant the management service account permissions

The Identity and Access Management service account for the GKE on AWS management service needs permissions to read and write objects into this bucket.

1. Grant your management service account permissions by using the following command.

   MANAGEMENT_SA=management-sa@PROJECT_NAME.iam.gserviceaccount.com gcloud storage buckets add-iam-policy-binding gs://${BUCKET} \  --member=serviceAccount:${MANAGEMENT_SA} \  --role=roles/storage.admin 

   Replace PROJECT_NAME with your Google Cloud project.

2. Create a new IAM role with permissions to manage this bucket. To create the role, first save the role definition to a file, then create the role and bind the role to your management service account.

   To complete these steps, run the following commands:

   cat << EOF > anthos-oidc-role.yaml title: anthosAwsOidcStorageAdmin description: permissions to manage the OIDC buckets stage: GA includedPermissions: - storage.buckets.get EOF gcloud iam roles create anthosAwsOidcStorageAdmin --project=PROJECT_NAME \  --file=anthos-oidc-role.yaml gcloud projects add-iam-policy-binding \  PROJECT_NAME \  --member=serviceAccount:${MANAGEMENT_SA} \  --role=projects/PROJECT_NAME/roles/anthosAwsOidcStorageAdmin 

   Replace PROJECT_NAME with your Google Cloud project.

   The Google Cloud CLI confirms that the policy binding is created.

Creating a user cluster

This section is for cluster administrators.

Create a user cluster with workload identity enabled

Create a user cluster that contains details about your OIDC discovery bucket. You set this information in your AWSCluster's spec.controlPlane.workloadIdentity.oidcDiscoveryGCSBucket field.

In this example, you create a cluster manually from AWSCluster and AWSNodePool CRDs.

1. Change to the directory with your GKE on AWS configuration. You created this directory when Installing the management service.

   cd anthos-aws

2. From your anthos-aws directory, use anthos-gke to switch context to your management service.

   cd anthos-aws anthos-gke aws management get-credentials

3. Open a text editor and copy the following AWSCluster definition into a file named custom-cluster.yaml.

   apiVersion: multicloud.cluster.gke.io/v1 kind: AWSCluster metadata:  name: CLUSTER_NAME spec:  region: AWS_REGION  networking:  vpcID: VPC_ID  podAddressCIDRBlocks: POD_ADDRESS_CIDR_BLOCKS  serviceAddressCIDRBlocks: SERVICE_ADDRESS_CIDR_BLOCKS  ServiceLoadBalancerSubnetIDs: SERVICE_LOAD_BALANCER_SUBNETS  controlPlane:  version: CLUSTER_VERSION # Latest version is 1.25.5-gke.2100  instanceType: AWS_INSTANCE_TYPE  keyName: SSH_KEY_NAME  subnetIDs:  - CONTROL_PLANE_SUBNET_IDS  securityGroupIDs:  - CONTROL_PLANE_SECURITY_GROUPS  iamInstanceProfile: CONTROL_PLANE_IAM_ROLE  rootVolume:  sizeGiB: ROOT_VOLUME_SIZE  volumeType: ROOT_VOLUME_TYPE # Optional  iops: ROOT_VOLUME_IOPS # Optional  kmsKeyARN: ROOT_VOLUME_KEY # Optional  etcd:  mainVolume:  sizeGiB: ETCD_VOLUME_SIZE  volumeType: ETCD_VOLUME_TYPE # Optional  iops: ETCD_VOLUME_IOPS # Optional  kmsKeyARN: ETCD_VOLUME_KEY # Optional  databaseEncryption:  kmsKeyARN: ARN_OF_KMS_KEY  hub: # Optional  membershipName: ANTHOS_CONNECT_NAME  cloudOperations: # Optional  projectID: YOUR_PROJECT  location: GCP_REGION  enableLogging: ENABLE_LOGGING  enableMonitoring: ENABLE_MONITORING  workloadIdentity: # Optional  oidcDiscoveryGCSBucket: WORKLOAD_IDENTITY_BUCKET 

   Replace the following:

   • CLUSTER_NAME: the name of your cluster.

   • AWS_REGION: the AWS region where your cluster runs.

   • VPC_ID: the ID of the VPC where your cluster runs.

   • POD_ADDRESS_CIDR_BLOCKS: the range of IPv4 addresses used by the cluster's pods. Currently only a single range is supported. The range must not overlap with any subnets reachable from your network. It is safe to use the same range across multiple different AWSCluster objects. For example, 10.2.0.0/16.

   • SERVICE_ADDRESS_CIDR_BLOCKS: the range of IPv4 addresses used by the cluster's services. Currently only a single range is supported. The range must not overlap with any subnets reachable from your network. It is safe to use the same range across multiple different AWSCluster objects. For example, 10.1.0.0/16.

   • SERVICE_LOAD_BALANCER_SUBNETS: the subnet IDs where GKE on AWS can create public or private load balancers.

   • CLUSTER_VERSION: a Kubernetes version supported by GKE on AWS. The most recent version is 1.25.5-gke.2100.

   • AWS_INSTANCE_TYPE: a supported EC2 instance type.

   • SSH_KEY_NAME: an AWS EC2 key pair.

   • CONTROL_PLANE_SUBNET_IDS: the subnet IDs in the AZs where your control plane instances run.

   • CONTROL_PLANE_SECURITY_GROUPS: a securityGroupID created during the management service installation. You can customize this by adding any securityGroupIDs required to connect to the control plane.

   • CONTROL_PLANE_IAM_PROFILE: name of the AWS EC2 instance profile assigned to control plane replicas.

   • ROOT_VOLUME_SIZE: the size, in gibibyte (GiB), of your control plane root volumes.

   • ROOT_VOLUME_TYPE with the EBS volume type. For example, gp3.

   • ROOT_VOLUME_IOPS with the amount of provisioned IO operations per second (IOPS) for the volume. Only valid when volumeType is GP3. For more information, see General Purpose SSD volumes (gp3).

   • ROOT_VOLUME_KEY with the Amazon Resource Name of the AWS KMS key that encrypts your control plane instance root volumes.

   • ETCD_VOLUME_SIZE: the size of volumes used by etcd.

   • ETCD_VOLUME_TYPE with the EBS volume type. For example, gp3.

   • ETCD_VOLUME_IOPS with the amount of provisioned IO operations per second (IOPS) for the volume. Only valid when volumeType is gp3. For more information, see General Purpose SSD volumes (gp3).

   • ETCD_VOLUME_KEY with the Amazon Resource Name of the AWS KMS key that encrypts your control plane etcd data volumes.

   • ARN_OF_KMS_KEY: the AWS KMS key used to encrypt cluster Secrets.

   • ANTHOS_CONNECT_NAME: the Connect membership name used to register your cluster. The membership name must be unique. For example, projects/YOUR_PROJECT/locations/global/memberships/CLUSTER_NAME, where YOUR_PROJECT is your Google Cloud project and CLUSTER_NAME is a unique name in your project. This field is optional.

   • YOUR_PROJECT: your project ID.

   • GCP_REGION: the Google Cloud region where you want to store logs. Choose a region that is near the AWS region. For more information, see Global Locations - Regions & Zones — for example, us-central1.

   • ENABLE_LOGGING: true or false, whether Cloud Logging is enabled on control plane nodes.

   • ENABLE_MONITORING: true or false, whether Cloud Monitoring is enabled on control plane nodes.

   • WORKLOAD_IDENTITY_BUCKET: the Cloud Storage bucket name containing your workload identity discovery information. This field is optional.

4. Create one or more AWSNodePools for your cluster. Open a text editor and copy the following AWSCluster definition into a file named custom-nodepools.yaml.

    apiVersion: multicloud.cluster.gke.io/v1 kind: AWSNodePool metadata: name: NODE_POOL_NAME spec: clusterName: AWSCLUSTER_NAME version: CLUSTER_VERSION # latest version is 1.25.5-gke.2100 region: AWS_REGION subnetID: AWS_SUBNET_ID minNodeCount: MINIMUM_NODE_COUNT maxNodeCount: MAXIMUM_NODE_COUNT maxPodsPerNode: MAXIMUM_PODS_PER_NODE_COUNT instanceType: AWS_NODE_TYPE keyName: KMS_KEY_PAIR_NAME iamInstanceProfile: NODE_IAM_PROFILE proxySecretName: PROXY_SECRET_NAME rootVolume: sizeGiB: ROOT_VOLUME_SIZE volumeType: VOLUME_TYPE # Optional iops: IOPS # Optional kmsKeyARN: NODE_VOLUME_KEY # Optional 

   Replace the following:

   • NODE_POOL_NAME: a unique name for your AWSNodePool.
   • AWSCLUSTER_NAME: your AWSCluster's name. For example, staging-cluster.
   • CLUSTER_VERSION: a supported GKE on AWS Kubernetes version.
   • AWS_REGION: the same AWS region as your AWSCluster.
   • AWS_SUBNET_ID: an AWS subnet in the same region as your AWSCluster.
   • MINIMUM_NODE_COUNT: the minimum number of nodes in the node pool. See Scaling user clusters for more information.
   • MAXIMUM_NODE_COUNT: the maximum number of nodes in the node pool.
   • MAXIMUM_PODS_PER_NODE_COUNT: the maximum number of pods that GKE on AWS can allocate to a node.
   • AWS_NODE_TYPE: an AWS EC2 instance type.
   • KMS_KEY_PAIR_NAME: the AWS KMS key pair assigned to each node pool worker.
   • NODE_IAM_PROFILE: the name of the AWS EC2 instance profile assigned to nodes in the pool.
   • ROOT_VOLUME_SIZE: the size, in gibibyte (GiB), of your control plane root volumes.
   • VOLUME_TYPE: the node's AWS EBS volume type. For example, gp3.
   • IOPS: the amount of provisioned IO operations per second (IOPS) for volumes. Only valid when volumeType is gp3.
   • NODE_VOLUME_KEY: the ARN of the AWS KMS key used to encrypt the volume. For more information, see Using a customer managed CMK to encrypt volumes.

5. Apply the manifests to your management service.

   env HTTPS_PROXY=http://localhost:8118 \  kubectl apply -f custom-cluster.yaml env HTTPS_PROXY=http://localhost:8118 \  kubectl apply -f custom-nodepools.yaml 

Create a kubeconfig

While your user cluster starts, you can create a kubeconfig context for your new user cluster. You use the context to authenticate to a user or management cluster.

1. Use anthos-gke aws clusters get-credentials to generate a kubeconfig for your user cluster in ~/.kube/config.

   env HTTPS_PROXY=http://localhost:8118 \  anthos-gke aws clusters get-credentials CLUSTER_NAME 

   Replace CLUSTER_NAME with your cluster's name. For example, cluster-0.

2. Use kubectl to authenticate to your new user cluster.

   env HTTPS_PROXY=http://localhost:8118 \  kubectl cluster-info 

   If your cluster is ready, the output includes the URLs for Kubernetes components within your cluster.

Viewing your cluster's status

The management service provisions AWS resources when you apply an AWSCluster or AWSNodePool.

1. From your anthos-aws directory, use anthos-gke to switch context to your management service.

   cd anthos-aws anthos-gke aws management get-credentials

2. To list your clusters, use kubectl get AWSClusters.

   env HTTPS_PROXY=http://localhost:8118 \  kubectl get AWSClusters 

   The output includes each cluster's name, state, age, version, and endpoint.

   For example, the following output includes only one AWSCluster named cluster-0:

   NAME STATE AGE VERSION ENDPOINT cluster-0 Provisioning 2m41s 1.25.5-gke.2100 gke-xyz.elb.us-east-1.amazonaws.com 

View your cluster's events

To see recent Kubernetes Events from your user cluster, use kubectl get events.

1. From your anthos-aws directory, use anthos-gke to switch context to your management service.

   cd anthos-aws anthos-gke aws management get-credentials

2. Run kubectl get events.

   env HTTPS_PROXY=http://localhost:8118 \  kubectl get events 

The output includes information, warning, and errors related to from your management service.

Creating the workload identity webhook

This section is for cluster administrators.

To provide workload identity credentials to your workloads with no additional configuration, you can optionally create a webhook on your user clusters. This webhook intercepts Pod creation requests and then makes the following AWS IAM information available as environment variables to the Pod:

• AWS_ROLE_ARN: the Amazon Resource Name (ARN) of the IAM role
• aws-iam-token: the token exchanged for AWS IAM credentials
• AWS_WEB_IDENTITY_TOKEN_FILE: the path where the token is stored

With these variables, your workloads can call the AWS command-line tool or SDK can access the resources granted to the AWS role.

Creating the webhook is optional. If you decide not to create the webhook, you need to set the environment variables listed previously in the Pod. For information about not using a webhook, see Applying credentials without the webhook.

Create YAML files for the webhook

To deploy the webhook, perform the following steps:

1. From your anthos-aws directory, use anthos-gke to switch context to your management service.

   cd anthos-aws anthos-gke aws management get-credentials

2. Get the user cluster name with kubectl:

   env HTTPS_PROXY=http://localhost:8118 \  kubectl get awscluster 

   kubectl lists all your user clusters. Choose the user cluster you created with workload identity enabled.

3. Set the cluster's name in an environment variable.

   CLUSTER_NAME=CLUSTER_NAME 

   Replace CLUSTER_NAME with the name of your cluster. For example, cluster-0.

4. Set environment variables for the workload identity Pod image and namespace.

   IDENTITY_IMAGE=amazon/amazon-eks-pod-identity-webhook:ed8c41f WEBHOOK_NAMESPACE=workload-identity-webhook 

5. Generate the webhook YAML manifest in a file named aws-webhook.yaml by performing the following steps:

   env HTTPS_PROXY=http://localhost:8118 \  anthos-gke aws clusters get-credentials ${CLUSTER_NAME} CLUSTER_CA=$(env HTTPS_PROXY=http://localhost:8118 \  kubectl config view --raw -o json | jq -r '.clusters[] | select(.name == "'$(kubectl config current-context)'") | .cluster."certificate-authority-data"') cat << EOF > aws-webhook.yaml apiVersion: v1 kind: Namespace metadata:  name: ${WEBHOOK_NAMESPACE} --- apiVersion: v1 kind: ServiceAccount metadata:  name: pod-identity-webhook  namespace: ${WEBHOOK_NAMESPACE} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata:  name: pod-identity-webhook  namespace: ${WEBHOOK_NAMESPACE} rules:  - apiGroups: ['']  resources: ['secrets']  verbs: ['create']  - apiGroups: ['']  resources: ['secrets']  verbs: ['get', 'update', 'patch']  resourceNames:  - pod-identity-webhook --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata:  name: pod-identity-webhook  namespace: ${WEBHOOK_NAMESPACE} roleRef:  apiGroup: rbac.authorization.k8s.io  kind: Role  name: pod-identity-webhook subjects:  - kind: ServiceAccount  name: pod-identity-webhook  namespace: ${WEBHOOK_NAMESPACE} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:  name: pod-identity-webhook rules:  - apiGroups: ['']  resources: ['serviceaccounts']  verbs: ['get', 'watch', 'list']  - apiGroups: ['certificates.k8s.io']  resources: ['certificatesigningrequests']  verbs: ['create', 'get', 'list', 'watch'] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:  name: pod-identity-webhook roleRef:  apiGroup: rbac.authorization.k8s.io  kind: ClusterRole  name: pod-identity-webhook subjects:  - kind: ServiceAccount  name: pod-identity-webhook  namespace: ${WEBHOOK_NAMESPACE} --- apiVersion: apps/v1 kind: Deployment metadata:  name: pod-identity-webhook  namespace: ${WEBHOOK_NAMESPACE} spec:  replicas: 1  selector:  matchLabels:  app: pod-identity-webhook  template:  metadata:  labels:  app: pod-identity-webhook  spec:  serviceAccountName: pod-identity-webhook  containers:  - name: pod-identity-webhook  image: ${IDENTITY_IMAGE}  imagePullPolicy: Always  command:  - /webhook  - --in-cluster  - --namespace=${WEBHOOK_NAMESPACE}  - --service-name=pod-identity-webhook  - --tls-secret=pod-identity-webhook  - --annotation-prefix=eks.amazonaws.com  - --token-audience=sts.amazonaws.com  - --logtostderr  volumeMounts:  - name: webhook-certs  mountPath: /var/run/app/certs  readOnly: false  volumes:  - name: webhook-certs  emptyDir: {} --- apiVersion: v1 kind: Service metadata:  name: pod-identity-webhook  namespace: ${WEBHOOK_NAMESPACE}  annotations:  prometheus.io/port: '443'  prometheus.io/scheme: https  prometheus.io/scrape: 'true' spec:  ports:  - port: 443  targetPort: 443  selector:  app: pod-identity-webhook --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata:  name: pod-identity-webhook  namespace: ${WEBHOOK_NAMESPACE} webhooks:  - name: pod-identity-webhook.amazonaws.com  failurePolicy: Ignore  sideEffects: 'None'  admissionReviewVersions: ['v1beta1']  clientConfig:  service:  name: pod-identity-webhook  namespace: ${WEBHOOK_NAMESPACE}  path: /mutate  caBundle: ${CLUSTER_CA}  rules:  - operations: ['CREATE']  apiGroups: ['']  apiVersions: ['v1']  resources: ['pods'] EOF 

   The contents of aws-webhook.yaml are ready to apply to your cluster.

Apply the webhook to your user cluster

To apply the webhook to your user cluster, perform the following steps.

1. Apply the aws-webhook.yaml file to your user cluster.

   env HTTPS_PROXY=http://localhost:8118 \ kubectl apply -f aws-webhook.yaml 

2. When you apply the manifest, the webhook Pod generates Kubernetes certificate signing requests (CSR). Approve all requests from system:serviceaccount:${WEBHOOK_NAMESPACE}:pod-identity-webhook with kubectl certificate approve.

   env HTTPS_PROXY=http://localhost:8118 \  kubectl certificate approve $(env HTTPS_PROXY=http://localhost:8118 \ &&\  kubectl get csr -o \  jsonpath="{.items[?(@.spec.username==\"system:serviceaccount:${WEBHOOK_NAMESPACE}:pod-identity-webhook\")].metadata.name}") 

3. Verify that there are no remaining unapproved CSRs.

   Use kubectl get csr to check that all CSRs from the requestor system:serviceaccount:${WEBHOOK_NAMESPACE}:pod-identity-webhook are approved:

   env HTTPS_PROXY=http://localhost:8118 \ kubectl get csr 

   Response:

   NAME AGE REQUESTOR CONDITION csr-mxrt8 10s system:serviceaccount:default:pod-identity-webhook Approved,Issued 

Configuring the AWS OIDC provider

This section is for cluster administrators.

To create an OIDC provider at AWS, AWS requires an intermediate Certificate Authority (CA) or server certificate thumbprint. Your OIDC discovery credentials are stored on storage.googleapis.com, with a certificate signed by an intermediate CA named GTS CA 1C3. The SHA-1 thumbprint of its intermediate CA GTS CA 1C3 is 08745487E891C19E3078C1F2A07E452950EF36F6.

To register your OIDC discovery bucket as an OIDC provider with AWS, perform the following steps:

1. From your anthos-aws directory, use anthos-gke to switch context to your management service.

   cd anthos-aws anthos-gke aws management get-credentials

2. Save the OIDC issuer URL, issuer host path, and Cloud Storage thumbprint in environment variables.

   ISSUER_URL=$(env HTTPS_PROXY=http://localhost:8118 \  kubectl get awscluster ${CLUSTER_NAME} -o jsonpath='{.status.workloadIdentityInfo.issuerURL}') ISSUER_HOSTPATH=${ISSUER_URL#"https://"} CA_THUMBPRINT=08745487E891C19E3078C1F2A07E452950EF36F6 

3. Use the aws command-line tool to create an OIDC provider on AWS.

   aws iam create-open-id-connect-provider \  --url ${ISSUER_URL} \  --thumbprint-list ${CA_THUMBPRINT} \  --client-id-list sts.amazonaws.com 

Update the thumbprint

If Google rotates the CA for storage.googleapis.com, run the following commands:

1. Copy the updated certificate thumbprint, 08745487E891C19E3078C1F2A07E452950EF36F6.

2. Follow the instructions for the aws iam update-open-id-connect-provider-thumbprint command. Use storage.googleapis.com as the target hostname and 08745487E891C19E3078C1F2A07E452950EF36F6 as the thumbprint.

Creating AWS IAM roles and policies

This section is for cluster administrators.

Create an AWS IAM role to bind to a Kubernetes service account. The IAM role has permissions for sts:AssumeRoleWithWebIdentity.

To create the role, perform the following steps:

1. Find or create an AWS IAM policy that grants the necessary permissions for your workloads.

   You need the policy's Amazon resource name (ARN) AWS IAM policy. For example, arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess.

2. Set environment variables with your authentication information.

   KSA_NAME=KUBERNETES_SERVICE_ACCOUNT WORKLOAD_NAMESPACE=WORKLOAD_IDENTITY_NAMESPACE AWS_ROLE_NAME=AWS_ROLE_NAME AWS_POLICY=EXISTING_AWS_POLICY 

   Replace the following:

   • KUBERNETES_SERVICE_ACCOUNT: the name of the new Kubernetes service account
   • WORKLOAD_IDENTITY_NAMESPACE: the name of the namespace where workloads run
   • AWS_ROLE_NAME: the name for a new AWS role for your workloads
   • EXISTING_AWS_POLICY: the Amazon resource name (ARN) of an existing AWS IAM policy For example, arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess.

3. From your anthos-aws directory, use anthos-gke to switch context to your management service.

   cd anthos-aws anthos-gke aws management get-credentials

4. Create an AWS IAM policy that allows your user cluster to assume temporary security credentials with the AWS Security Token Service:

   CLUSTER_ID=$(env HTTPS_PROXY=http://localhost:8118 \  kubectl get awscluster ${CLUSTER_NAME} -o jsonpath='{.status.clusterID}') # Get the ID Provider ARN PROVIDER_ARN=$(aws iam list-open-id-connect-providers \ | jq '.OpenIDConnectProviderList' \ | jq ".[] | select(.Arn | contains(\"${CLUSTER_ID}\"))" \ | jq '.Arn' | tr -d '"') # Create AWS role and policy cat > irp-trust-policy.json << EOF {  "Version": "2012-10-17",  "Statement": [  {  "Effect": "Allow",  "Principal": {  "Federated": "${PROVIDER_ARN}"  },  "Action": "sts:AssumeRoleWithWebIdentity",  "Condition": {  "StringEquals": {  "${ISSUER_HOSTPATH}:sub": "system:serviceaccount:${WORKLOAD_NAMESPACE}:${KSA_NAME}"  }  }  }  ] } EOF 

5. To create an AWS IAM role with this policy and attach your existing policy to the role, perform the following commands:

   aws iam create-role \  --role-name ${AWS_ROLE_NAME} \  --assume-role-policy-document file://irp-trust-policy.json aws iam update-assume-role-policy \  --role-name ${AWS_ROLE_NAME} \  --policy-document file://irp-trust-policy.json aws iam attach-role-policy \  --role-name ${AWS_ROLE_NAME} \  --policy-arn ${AWS_POLICY} 

   The aws command-line tool confirms that the policy is attached to your role.

Creating Kubernetes service accounts for workloads

This section is for developers or cluster administrators.

To create Kubernetes service accounts bound to the AWS IAM role that was specified previously, perform the following steps:

1. From your anthos-aws directory, use anthos-gke to switch context to your user cluster.

   cd anthos-aws env HTTPS_PROXY=http://localhost:8118 \ anthos-gke aws clusters get-credentials CLUSTER_NAME

   Replace CLUSTER_NAME with your user cluster name.

2. Create the Kubernetes service account by running the following commands:

   S3_ROLE_ARN=$(aws iam get-role \  --role-name AWS_ROLE_NAME \  --query Role.Arn --output text) cat << EOF > k8s-service-account.yaml apiVersion: v1 kind: ServiceAccount metadata:  name: ${KSA_NAME}  namespace: WORKLOAD_IDENTITY_NAMESPACE EOF env HTTPS_PROXY=http://localhost:8118 \ kubectl apply -f k8s-service-account.yaml env HTTPS_PROXY=http://localhost:8118 \ kubectl annotate sa --namespace ${WORKLOAD_NAMESPACE} ${KSA_NAME} eks.amazonaws.com/role-arn=${S3_ROLE_ARN} 

   Replace the following:

   • AWS_ROLE_NAME: the name of the AWS IAM role to apply to your workloads
   • WORKLOAD_IDENTITY_NAMESPACE: the name of the namespace where workloads run

Applying credentials to your Pods

This section is for developers.

This section assumes that you have deployed the workload identity webhook. If you haven't deployed the webhook, skip to Applying credentials without the webhook.

Apply credentials with the webhook

This section describes how to configure your Pods to read credentials made available by the webhook.

Add the service account to the Pod

To use workload identity with a workload, add the Kubernetes service account to the following fields:

• For a Deployment: spec.template.spec.serviceAccountName
• For a Pod: spec.serviceAccount

The following Pod manifest launches a base CentOS image and contains the spec.serviceAccount field.

apiVersion: v1 kind: Pod metadata:  name: sample-centos-pod  namespace: WORKLOAD_IDENTITY_NAMESPACE spec:  containers:  - command:  - /bin/bash  - -ec  - while :; do echo '.'; sleep 500 ; done  image: amazon/aws-cli  name: centos  serviceAccount: KUBERNETES_SERVICE_ACCOUNT 

Replace the following:

• WORKLOAD_IDENTITY_NAMESPACE: the name of the namespace where workloads run
• KUBERNETES_SERVICE_ACCOUNT: the name of the Kubernetes service account you created previously

Check if Pods have the environment variables set

To check if Pods have the environment variables set, run the following command to get the Pod's information:

kubectl get pod --namespace WORKLOAD_IDENTITY_NAMESPACE POD_NAME -o yaml 

Replace the following:

• WORKLOAD_IDENTITY_NAMESPACE: the name of the namespace where workloads run
• POD_NAME: the name of the Pod to check

The output contains the environment variable values in spec.containers.command.env and the mount point for the AWS IAM token. An example Pod manifest follows.

apiVersion: v1 kind: Pod metadata: ... spec: containers: - command: - /bin/bash - -ec - while :; do echo '.'; sleep 500 ; done env: - name: AWS_ROLE_ARN value: arn:aws:iam::1234567890:role/my-example-workload-role-1 - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token image: amazon/aws-cli imagePullPolicy: IfNotPresent name: centos resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: my-k8s-serviceaccount-token-d4nz4 readOnly: true - mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount name: aws-iam-token readOnly: true serviceAccount: my-k8s-serviceaccount serviceAccountName: my-k8s-serviceaccount volumes: - name: aws-iam-token projected: defaultMode: 420 sources: - serviceAccountToken: audience: sts.amazonaws.com expirationSeconds: 86400 path: token - name: my-k8s-serviceaccount-token-d4nz4 secret: defaultMode: 420 secretName: my-k8s-serviceaccount-token-d4nz4 ... status: ... 

Apply credentials without the webhook

If you do not deploy the workload identity webhook, you need to do the following:

• Check if the following environment variables are set:

  • AWS_ROLE_ARN: the Amazon Resource Name (ARN) of the IAM role
  • AWS_WEB_IDENTITY_TOKEN_FILE: the path where the token is stored

• Create a mount point for the IAM token (aws-iam-token) and the service account associated with the AWS IAM role

Create a Pod with credentials for workload identity

To create a Pod that includes the necessary credentials for workload identity, perform the following steps:

1. Copy the following Pod manifest into a file named sample-pod-no-webhook.yaml. The configuration launches a base CentOS image with the necessary credentials.

   apiVersion: v1 kind: Pod metadata:  name: sample-centos-pod-no-webhook  namespace: WORKLOAD_IDENTITY_NAMESPACE spec:  containers:  - command:  - /bin/bash  - -ec  - while :; do echo '.'; sleep 500 ; done  image: centos:7  name: centos  env:  - name: AWS_ROLE_ARN  value: IAM_ROLE_ARN  - name: AWS_WEB_IDENTITY_TOKEN_FILE  value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token  volumeMounts:  - mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount  name: aws-iam-token  readOnly: true  volumes:  - name: aws-iam-token  projected:  defaultMode: 420  sources:  - serviceAccountToken:  audience: sts.amazonaws.com  expirationSeconds: 86400  path: token  serviceAccount: KUBERNETES_SERVICE_ACCOUNT 

   Replace the following:

   • WORKLOAD_IDENTITY_NAMESPACE: the name of the namespace where workloads run.
   • IAM_ROLE_ARN: the ARN of the IAM role granted to the Pod. For example, arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess.
   • KUBERNETES_SERVICE_ACCOUNT: the name of the Kubernetes service account you created previously.

2. Apply the Pod manifest to your cluster by using kubectl:

   env HTTPS_PROXY=http://localhost:8118 \  kubectl apply -f sample-pod-no-webhook.yaml 

Check if Pods can access AWS resources

The following procedure describes how to check whether the Pod has received the credentials necessary for workload identity to function.

To complete the steps, you need to have the following:

• bash shell access to the container; most production images don't have a shell available. The following example shows you how to use the Pod specified in the preceding section to access AWS S3.

• Your Pod needs to have outbound access to the internet to download the AWS command-line interface.

To check if the Pod can access an S3 bucket, perform the following steps:

1. Use kubectl exec to launch an interactive bash shell on the Pod sample-centos-pod-no-webhook:

   env HTTPS_PROXY=http://localhost:8118 \  kubectl exec -it --namespace ${WORKLOAD_NAMESPACE} sample-centos-pod-no-webhook -- bash 

   Your terminal opens the bash shell on the Pod.

2. Check the AWS IAM permissions and credentials by using the aws tool:

   aws sts assume-role-with-web-identity \  --role-arn ${AWS_ROLE_ARN} \  --role-session-name mh9test \  --web-identity-token file:///var/run/secrets/eks.amazonaws.com/serviceaccount/token \  --duration-seconds 1000 

   The aws tool prints credentials information similar to the following:

   {  "AssumedRoleUser": {  "AssumedRoleId": "AROAR2ZZZLEXVSDCDJ37N:mh9test",  "Arn": "arn:aws:sts::126285863215:assumed-role/my-example-workload-role-1/mh9test"  },  "Audience": "sts.amazonaws.com",  "Provider": "arn:aws:iam::126285863215:oidc-provider/storage.googleapis.com/gke-issuer-cec6c353",  "SubjectFromWebIdentityToken": "system:serviceaccount:default:my-s3-reader-ksa",  "Credentials": {  "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",  "SessionToken": "MY_TOKEN",  "Expiration": "2020-08-14T22:46:36Z",  "AccessKeyId": "AKIAIOSFODNN7EXAMPLE"  } } 

   If you see the following message, check that the bucket is publicly accessible: An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements

Upgrading the webhook

If you created a Kubernetes 1.18 or lower cluster with workload identity enabled and the workload identity webhook version release-0.2.2-gke.0, you must upgrade the webhook before upgrading to Kubernetes 1.19.

To upgrade the webhook, perform the following steps:

1. Confirm the webhook is installed by running the following commands:

   env HTTPS_PROXY=http://localhost:8118 \  kubectl get MutatingWebhookConfiguration 

   If your cluster has the webhook deployed, the output includes the following:

   NAME WEBHOOKS AGE pod-identity-webhook 1 11m 

   If the webhook is not deployed on your cluster, you can skip the following steps.

2. If you saved the aws-webhook.yaml file, you can delete the manifest. If you don't have this file available, you can delete the webhook's components manually. Choose from file or components below.

   File

   If you still have the aws-webhook.yaml file, run the following command to delete the webhook:

   env HTTPS_PROXY=http://localhost:8118 \  kubectl delete -f aws-webhook.yaml 

   Components

   To delete the webhook's components manually, run the following commands:

   env HTTPS_PROXY=http://localhost:8118 \  kubectl delete namespace WEBHOOK_NAMESPACE env HTTPS_PROXY=http://localhost:8118 \  kubectl delete clusterrole pod-identity-webhook env HTTPS_PROXY=http://localhost:8118 \  kubectl delete clusterrolebinding pod-identity-webhook env HTTPS_PROXY=http://localhost:8118 \  kubectl delete mutatingwebhookconfiguration pod-identity-webhook 

   Replace WEBHOOK_NAMESPACE with the namespace where you installed the workload identity webhook. For example— workload-identity-webhook.

3. Check if you have any remaining certificate signing requests (CSRs) by run the following command:

   env HTTPS_PROXY=http://localhost:8118 \  kubectl get csr |grep pod-identity-webhook 

   If the output is blank, skip to the next step. If there are any remaining CSRs, the kubectl command will list existing CSRs. To remove the CSRs, run the following command:

   env HTTPS_PROXY=http://localhost:8118 \  kubectl delete csr $(kubectl get csr -o \  jsonpath="{.items[?(@.spec.username==\"system:serviceaccount:WEBHOOK_NAMESPACE:pod-identity-webhook\")].metadata.name}") 

   Replace WEBHOOK_NAMESPACE with the namespace where you installed the workload identity webhook. For example— workload-identity-webhook.

4. Follow the steps in Create the webhook to deploy the new webhook version.

   After you deploy the new webhook version, you need to restart the Pods that use the webhook. You can restart your Pods by Upgrading a user cluster.

Cleaning up

This section shows you how to remove resources that you created earlier in this document.

Clean up the service account and its associated IAM role

To delete the service account and its associated IAM role, perform the following steps:

1. Clean up the service account:

   env HTTPS_PROXY=http://localhost:8118 \  kubectl delete sa KUBERNETES_SERVICE_ACCOUNT --namespace WORKLOAD_IDENTITY_NAMESPACE 

   Replace the following:

   • KUBERNETES_SERVICE_ACCOUNT: the name of the new Kubernetes service account
   • WORKLOAD_IDENTITY_NAMESPACE: the name of the namespace where workloads run

2. Clean up the AWS IAM role. Choose from one of the following:

   • Delete the AWS IAM role with the AWS console.

   • Delete the role with the AWS command-line tool using the following commands:

     aws iam detach-role-policy \  --role-name=${AWS_ROLE_NAME} \  --policy-arn=${AWS_POLICY} aws iam delete-role --role-name=${AWS_ROLE_NAME} 

Delete your user cluster

To delete your user cluster, perform the steps in Uninstalling GKE on AWS.

Clean up the AWS OIDC provider

After the user cluster is deleted, unregister and delete the OIDC provider on AWS by using either the following bash shell command or the AWS console.

1. From your anthos-aws directory, use anthos-gke to switch context to your management service.

   cd anthos-aws anthos-gke aws management get-credentials

2. Delete the role with the AWS command-line tool with the following commands:

   CLUSTER_ID=$(env HTTPS_PROXY=http://localhost:8118 \  kubectl get awscluster ${CLUSTER_NAME} -o jsonpath='{.status.clusterID}') PROVIDER_ARN=$(aws iam list-open-id-connect-providers \ | jq '.OpenIDConnectProviderList' \ | jq ".[] | select(.Arn | contains(\"${CLUSTER_ID}\"))" \ | jq '.Arn' | tr -d '"') aws iam delete-open-id-connect-provider \  --open-id-connect-provider-arn=${PROVIDER_ARN} 

   You receive confirmation that the AWS OIDC provider is deleted.

What's next

• Learn about AWS IAM Roles for Service Accounts (IRSA), which GKE on AWS uses for workload identity.
• Learn about Using workload identity with Google Cloud.