by twalla 2806 days ago
https://github.com/jtblin/kube2iam is probably what you're looking for; it uses iptables to allow/disallow pods' requests to the EC2 metadata service based on Kubernetes annotations.

In fact, if you check out the source (located here: https://github.com/awslabs/aws-service-operator), it's recommended to use kube2iam.

edit: I haven't fully read the article yet, but if the operator supports managing IAM roles through a CRD you could potentially create the role and attach it via annotation in one go.

double edit: looks like IAM roles aren't directly supported yet; the following is what appears to be supported:

- cloudformation templates
- dynamodb
- s3
- sns subscriptions and topics
- sqs queues
- ecr repos
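To make the annotation-driven gating described in the comment above concrete, here is an added example (not kube2iam's own code or anything from the aws-service-operator project) that models, in simplified form, how a kube2iam-style agent decides which IAM role a pod may obtain from the metadata endpoint. The annotation names `iam.amazonaws.com/role` (on the pod) and `iam.amazonaws.com/allowed-roles` (on the namespace) are the ones kube2iam uses; everything else is an assumption: the pod and namespace objects are constructed sample data, the account ID and role ARNs are placeholders, and glob matching of allowed roles is one of the match formats kube2iam offers, chosen here for simplicity.

```python
"""Simplified model of kube2iam-style role gating (added example, not project code).

Decision flow modelled:
  1. The pod's `iam.amazonaws.com/role` annotation names the role it wants.
     Without it, a cluster-wide default role applies, or nothing at all.
  2. Short role names are expanded against a base ARN.
  3. With namespace restrictions enabled, the pod's namespace must list the
     role (or a glob pattern matching it) in `iam.amazonaws.com/allowed-roles`
     as a JSON array; an unannotated namespace allows nothing.
"""
import fnmatch
import json
from typing import Optional, Tuple

POD_ROLE_ANNOTATION = "iam.amazonaws.com/role"
NS_ALLOWED_ANNOTATION = "iam.amazonaws.com/allowed-roles"

# Placeholder account ID; a real deployment derives this from the node's own role.
BASE_ARN = "arn:aws:iam::123456789012:role/"


def _annotations(obj: dict) -> dict:
    """Annotations of a Kubernetes object, tolerating missing metadata."""
    return (obj.get("metadata") or {}).get("annotations") or {}


def normalize_arn(role: str, base_arn: str) -> str:
    """Expand a bare role name to a full ARN; leave full ARNs untouched."""
    return role if role.startswith("arn:aws:iam::") else base_arn + role


def pod_role(pod: dict, default_role: Optional[str] = None) -> Optional[str]:
    """Role requested by the pod annotation, else the cluster default (may be None)."""
    return _annotations(pod).get(POD_ROLE_ANNOTATION, default_role)


def namespace_allows(namespace: dict, role_arn: str, base_arn: str) -> bool:
    """True if the namespace's allowed-roles annotation permits role_arn."""
    raw = _annotations(namespace).get(NS_ALLOWED_ANNOTATION)
    if raw is None:
        return False  # restrictions on + no annotation => deny everything
    try:
        patterns = json.loads(raw)
    except json.JSONDecodeError:
        return False  # a malformed allow-list fails closed
    if not isinstance(patterns, list):
        return False
    return any(
        fnmatch.fnmatchcase(role_arn, normalize_arn(str(p), base_arn)) for p in patterns
    )


def decide(pod: dict, namespace: dict, *, base_arn: str = BASE_ARN,
           default_role: Optional[str] = None,
           namespace_restrictions: bool = True) -> Tuple[Optional[str], str]:
    """Return (role ARN the pod may assume, reason); ARN is None when denied."""
    role = pod_role(pod, default_role)
    if role is None:
        return None, "no role annotation and no default role: credentials request denied"
    arn = normalize_arn(role, base_arn)
    if namespace_restrictions and not namespace_allows(namespace, arn, base_arn):
        ns_name = (namespace.get("metadata") or {}).get("name", "<unnamed>")
        return None, f"namespace {ns_name} does not allow {arn}"
    return arn, "allowed"


# Constructed sample objects (not from any real cluster).
NS_PAYMENTS = {"metadata": {"name": "payments",
                            "annotations": {NS_ALLOWED_ANNOTATION: '["payments-*"]'}}}
NS_UNANNOTATED = {"metadata": {"name": "scratch"}}
POD_OK = {"metadata": {"name": "ledger", "namespace": "payments",
                       "annotations": {POD_ROLE_ANNOTATION: "payments-reader"}}}
POD_ADMIN = {"metadata": {"name": "sneaky", "namespace": "payments",
                          "annotations": {POD_ROLE_ANNOTATION: "admin"}}}
POD_NONE = {"metadata": {"name": "plain", "namespace": "payments"}}

if __name__ == "__main__":
    for pod, ns in [(POD_OK, NS_PAYMENTS), (POD_ADMIN, NS_PAYMENTS),
                    (POD_NONE, NS_PAYMENTS), (POD_OK, NS_UNANNOTATED)]:
        arn, reason = decide(pod, ns)
        print(f"{pod['metadata']['name']:>8}: {arn or '-'}  ({reason})")
```

The namespace-level allow-list is the part worth noticing from a defender's perspective: the pod annotation alone only says what a workload asks for, and whoever can create pods can write any annotation, so without the namespace restriction (or an equivalent admission control) the gating reduces to trusting pod authors.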

3 comments

Correct, they are on the roadmap. I've been waffling on the implementation because this could open security issues. I'm happy to say we'll at least be able to use k8s RBAC to gate who can get, list, create, update and delete the Roles, but your security posture from the node perspective will still need to gate what the pods could assume. https://github.com/awslabs/aws-service-operator/issues/58 and https://github.com/awslabs/aws-service-operator/issues/59 are the issues if you'd like to add any extra notes or check out the potential implementation.
I understand that both kube2iam and kiam exist and they're both fine. I am interested in Amazon/EKS directly supporting something. Hopefully we will see something soon via CRD or otherwise.
If I still need to create an IAM role externally for the pod, granting it access to the different resources... might as well create the resources themselves as well?