Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Integrating Istio with AWS IAM

Tags:

amazon-web-services

kubernetes

amazon-iam

istio

I'm currently exploring running an Istio / Kubernetes cluster on AWS using EKS. I would like to be able to assign a different IAM role to each service running in the cluster to limit the AWS privileges of each service.

In non-Istio Kubernetes clusters this facility is provided by projects such as kube2iam but this doesn't seem ideal in the Istio world as kube2iam relies on iptables rules and Istio is already using iptables rules to divert all outbound traffic to the Envoy sidecar.

The Istio security documentation says that identity model caters for different underlying implementations and on AWS that implementation is IAM:

In the Istio identity model, Istio uses the first-class service identity to determine the identity of a service. This gives great flexibility and granularity to represent a human user, an individual service, or a group of services. On platforms that do not have such identity available, Istio can use other identities that can group service instances, such as service names.

Istio service identities on different platforms:

Kubernetes: Kubernetes service account
GKE/GCE: may use GCP service account
GCP: GCP service account
AWS: AWS IAM user/role account

But I haven't come across any additional documentation about how to assign IAM roles to Istio ServiceRoles.

Has anyone found a solution to this?

UPDATE: See IRSA

like image 750
AEldridge Avatar asked Oct 10 '18 03:10

AEldridge

1 Answers

I'm also struggling with this and have found little help. I did have success with this persons suggestion https://groups.google.com/forum/m/#!topic/istio-users/3-fp2JPb2dQ

I was having no luck getting kube2iam working until I added that serviceentry (see below or follow link)

Basically you add this

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: apipa
spec:
  hosts:
  - 169.254.169.254
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL

From looking at the istio-proxy sidecar before applying the serviceentry you could lots of 404 errors in the log with paths all looking like aws api calls. After the service entry those turned to 200's.

UPDATE.... Later I found out that this is expected requirement when using istio for any external-mesh communication. See https://istio.io/docs/concepts/traffic-management/#service-entries

like image 107
A. Stappenbeck Avatar answered Oct 11 '22 09:10

A. Stappenbeck
Sign in to Comment

Related questions

Amazon EMR: running Custom Jar with input and output from S3
Why Amazon RDS memory monitor threshold shows me in RED?
AWS Redis + uWSGI behind NGINX - high load
How create a Redis ElastiCache cluster using AWS-CLI from snapshots in S3?
Why is AWS.Lambda.invoke `error` callback argument never populated?
Streaming-s3 is not uploading file to aws properly
A client error (InvalidCiphertextException) occurred when calling the Decrypt operation:
AWS cognito userpools JavaScript SDK get user's policy documents
Kinesis Lambda Consumer Minimum Batch Size
How to find out who uploaded data in S3 bucket
Is S3 Event Trigger Scalable?
API Gateway with SAM isn't updated correctly
AWS auth ui sdk requires minSdkVersion 23, why?
How can I force a cognito token refresh from the client
How to fix error: django.db.utils.NotSupportedError: URIs not supported
possible ways to store JSON in dynamodb
How to grant bucket-owner-full-control to a file unloaded from redshift in one account to an s3 bucket in another account?
AWS Kinesis - how to resume consuming from last checkpoint
AWS Cloud Formation; Breaking up template into several files and passing in variables with cfn-include
SdkClientException: Unable to execute HTTP request: Connection reset

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!