AWS Agent on EKS Hosted Container Can Run without Credentials


We have a couple of managed AWS EKS clusters. In this kind of setup we can assign roles to the containers running in kubernetes. As such, a container can assume a role and can practically be given the privileges needed by the special agent for AWS.

We cannot use a user because our policy requires all users to have MFA.

I actually tested this and it works. The setup described very shortly is like this:

  • role (not user) in IAM with the policies attached
  • the EKS worker nodes have “assume sts” privilege on the IAM role
  • kube2iam container in EKS is responsible for assuming the role for the check-mk container
  • check-mk container has an annotation with the IAM role it needs to run the AWS commands

I’ve installed awscli in the container and set up the region (export AWS_DEFAULT_REGION=us-east-1). After this I was able to list all EC2 instances without providing the AWS_ACCESS_KEY_ID or the AWS_SECRET_ACCESS_KEY.

Is there a way to set up the rule for the agent without setting the key ID or the secret access key?

Thank you!
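The reason the awscli call above works with no keys set is the SDK default credential chain: static keys in the environment are tried first, then the shared credentials file, and only then the role served through the metadata endpoint that kube2iam answers on behalf of the annotated pod. The following is an added example, not code from the post, from Checkmk or from kube2iam. It models that resolution order and adds a small lint that checks a pod manifest for the kube2iam annotation (`iam.amazonaws.com/role`) and flags containers that also ship static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` variables, because those would silently take precedence over the role. The metadata lookup is stubbed with a constructed `fake_kube2iam_endpoint`; the role name `checkmk-aws-readonly`, the pod name and the credential values are all constructed placeholders.

```python
"""Added example: AWS credential-chain resolution and a kube2iam pod lint.

Not from the forum post, Checkmk or kube2iam; the endpoint stub and the
manifest below are constructed for illustration.
"""
import configparser
from typing import Callable, Dict, List, Optional

# Sources in the order the AWS SDKs and CLI consult them (simplified from the
# documented default chain: environment -> shared credentials file -> metadata).
ENV_SOURCE = "environment"
FILE_SOURCE = "shared-credentials-file"
ROLE_SOURCE = "instance-metadata-role"
STATIC_KEY_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
KUBE2IAM_ANNOTATION = "iam.amazonaws.com/role"  # annotation kube2iam reads


def resolve_credential_source(env: Dict[str, str],
                              credentials_file_text: str,
                              fetch_role_creds: Callable[[], Optional[Dict[str, str]]],
                              profile: str = "default") -> Optional[str]:
    """Return the name of the source that would supply credentials.

    Environment keys win, then the shared credentials file, then the role
    credentials served by the metadata endpoint (kube2iam in the post's setup).
    Returns None when no source can supply credentials.
    """
    if all(env.get(var) for var in STATIC_KEY_VARS):
        return ENV_SOURCE
    parser = configparser.ConfigParser()
    parser.read_string(credentials_file_text)
    if parser.has_section(profile) and all(
            parser.has_option(profile, key)
            for key in ("aws_access_key_id", "aws_secret_access_key")):
        return FILE_SOURCE
    creds = fetch_role_creds()
    if creds and all(k in creds for k in ("AccessKeyId", "SecretAccessKey", "Token")):
        return ROLE_SOURCE
    return None


def fake_kube2iam_endpoint() -> Optional[Dict[str, str]]:
    """Constructed stand-in for the metadata call kube2iam intercepts
    (GET .../latest/meta-data/iam/security-credentials/<role>), which returns
    temporary STS credentials for the role named in the pod annotation."""
    return {"AccessKeyId": "ASIACONSTRUCTEDEXAMPLE",
            "SecretAccessKey": "constructed-secret",
            "Token": "constructed-session-token",
            "Expiration": "2099-01-01T00:00:00Z"}


def lint_pod_for_role_usage(pod: dict, expected_role: str) -> List[str]:
    """Findings for a pod manifest given as a dict.

    The pod must carry the kube2iam role annotation with the expected role and
    must not also define static keys in any container, since those would be
    used instead of the role without any error.
    """
    findings: List[str] = []
    annotations = pod.get("metadata", {}).get("annotations", {})
    role = annotations.get(KUBE2IAM_ANNOTATION)
    if role is None:
        findings.append(f"missing annotation {KUBE2IAM_ANNOTATION}")
    elif role != expected_role:
        findings.append(f"annotation {KUBE2IAM_ANNOTATION} is {role!r}, expected {expected_role!r}")
    for container in pod.get("spec", {}).get("containers", []):
        for var in container.get("env", []):
            if var.get("name") in STATIC_KEY_VARS:
                findings.append(f"container {container.get('name')!r} sets static credential {var['name']}")
    return findings


# Constructed manifest mirroring the post's setup: role annotation on the pod,
# only the region in the container environment, no static keys.
CHECKMK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "checkmk-aws-agent",
                 "annotations": {KUBE2IAM_ANNOTATION: "checkmk-aws-readonly"}},
    "spec": {"containers": [{
        "name": "checkmk",
        "image": "checkmk/check-mk-raw",
        "env": [{"name": "AWS_DEFAULT_REGION", "value": "us-east-1"}],
    }]},
}

if __name__ == "__main__":
    print(resolve_credential_source({}, "", fake_kube2iam_endpoint))
    print(lint_pod_for_role_usage(CHECKMK_POD, "checkmk-aws-readonly"))
```

With an empty environment and no credentials file the resolver lands on the role source, which is exactly the situation the awscli test in the post exercised; the lint is the check to run on the pod spec before deploying, so that a leftover static key does not quietly bypass the role and the MFA policy it was meant to satisfy.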

In case someone else is bumping into this; looking into the code in the master branch on github I reckon this is on the roadmap. No idea when it will be available though.
