We have a couple of managed AWS EKS clusters. In this kind of setup we can assign roles to the containers running in Kubernetes. As such, a container can assume a role and can practically be given the privileges needed by the special agent for AWS.
We cannot use a user because our policy requires all users to have MFA.
I actually tested this and it works. The setup, described very briefly, is like this:
- role (not user) in IAM with the policies attached
- the EKS worker nodes have “assume sts” privilege on the IAM role
- kube2iam container in EKS is responsible for assuming the role for the check-mk container
- check-mk container has an annotation with the IAM role it needs to run the AWS commands
I’ve installed awscli in the container and set up the region (export AWS_DEFAULT_REGION=us-east-1). After this I was able to list all EC2 instances without providing the AWS_ACCESS_KEY_ID or the AWS_SECRET_ACCESS_KEY.
Is there a way to set up the rule for the agent without setting the key ID or the secret access key?
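The Kubernetes side of the setup listed above, as an added example that is not from the original post: a namespace annotation that limits which roles pods in that namespace may assume, and the pod annotation kube2iam reads to hand the check-mk container temporary credentials for the role. The account id, role name and image tag are placeholders, and the IAM side (the role's trust policy allowing the worker node instance role to call sts:AssumeRole) is assumed to be in place as the post describes.

```yaml
# Added example (not from the original post). Replace the 12-digit account id,
# the role name and the image tag with your own values.
apiVersion: v1
kind: Namespace
metadata:
  name: checkmk
  annotations:
    # Least privilege on the cluster side: only this role may be requested by
    # pods in the namespace. Takes effect when kube2iam runs with
    # --namespace-restrictions, so a pod annotation cannot name an arbitrary role.
    iam.amazonaws.com/allowed-roles: |
      ["arn:aws:iam::123456789012:role/checkmk-aws-readonly"]
---
apiVersion: v1
kind: Pod
metadata:
  name: checkmk
  namespace: checkmk
  annotations:
    # kube2iam intercepts this pod's calls to the instance metadata endpoint and
    # answers with STS credentials for the annotated role, so no access key id or
    # secret access key has to be stored in the container.
    iam.amazonaws.com/role: arn:aws:iam::123456789012:role/checkmk-aws-readonly
spec:
  containers:
    - name: checkmk
      image: checkmk/check-mk-raw:PLACEHOLDER_TAG
      env:
        # Same region setting used in the post; the SDK credential chain in the
        # container then picks up the role credentials from the metadata endpoint.
        - name: AWS_DEFAULT_REGION
          value: us-east-1
```

Inside the pod, `aws sts get-caller-identity` should report the assumed role's ARN rather than a user, which is a quick check that the credentials really come from the role and not from stray environment variables.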