0x00 TL;DR
In AWS EKS, replacing Access Key (AK) / Secret Key (SK) credentials with a Kubernetes Service Account (SA) is done through IAM Roles for Service Accounts (IRSA). A Pod that runs under an annotated SA gets a projected OIDC token mounted into it and exchanges that token with STS for temporary credentials of the associated IAM Role, so it can reach AWS resources without an AK/SK hardcoded in code or stored in a Secret.
0x01 Enable the IAM OIDC provider
IRSA ties a Kubernetes SA to IAM permissions through the cluster's OIDC issuer, which IAM must trust as an identity provider. First confirm the cluster's issuer URL:
aws eks describe-cluster --name <your-cluster-name> --query "cluster.identity.oidc.issuer" --output text
Every EKS cluster prints an issuer URL here, so this output alone does not tell you whether IAM trusts it. Check that the issuer's ID appears in aws iam list-open-id-connect-providers; if it does not, create the provider:
eksctl utils associate-iam-oidc-provider --cluster <your-cluster-name> --approve
0x02 Create the S3 bucket policy
1. Write the S3 policy file (my-policy.json), scoped to a single bucket: ListBucket on the bucket ARN, GetObject on the objects under it
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket-name"
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket-name/*"
    }
  ]
}
2. Create the policy
aws iam create-policy --policy-name MyS3AccessPolicy --policy-document file://my-policy.json
On success it returns something like:
{
  "Policy": {
    "PolicyName": "MyS3AccessPolicy",
    "PolicyId": "ANP****ULM",
    "Arn": "arn:aws:iam::{you_account_id}:policy/MyS3AccessPolicy",
    "Path": "/",
    "DefaultVersionId": "v1",
    "AttachmentCount": 0,
    "PermissionsBoundaryUsageCount": 0,
    "IsAttachable": true,
    "CreateDate": "2024-11-28T00:49:43Z",
    "UpdateDate": "2024-11-28T00:49:43Z"
  }
}
0x03 Create the IAM Role and attach the policy
1. Get the cluster's OIDC issuer URL. The command prints something like https://oidc.eks.<region>.amazonaws.com/id/<id>; the value used as <oidc-provider-url> below is that URL without the https:// prefix (it is also the path of the IAM OIDC provider ARN)
aws eks describe-cluster --name <your-cluster-name> --query "cluster.identity.oidc.issuer" --output text
2. Write the trust policy file (trust-policy.json). The sub condition pins the role to exactly one service account in one namespace; keep StringEquals and never a wildcard, or any pod in the cluster able to obtain a token could assume the role. AWS additionally recommends a second condition, "<oidc-provider-url>:aud": "sts.amazonaws.com", so that only tokens minted for STS are accepted
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account-id>:oidc-provider/<oidc-provider-url>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "<oidc-provider-url>:sub": "system:serviceaccount:<namespace>:<service-account-name>"
        }
      }
    }
  ]
}
3. Create the role and attach the policy
aws iam create-role --role-name MyEKSRole --assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy --role-name MyEKSRole --policy-arn arn:aws:iam::<account-id>:policy/MyS3AccessPolicy
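The three manual steps above (read the issuer, strip the scheme, paste the host into two places of the trust policy) are where IRSA setups usually go wrong. The script below is an added example, not part of the original post, that derives the trust policy from the issuer URL and refuses to emit a wildcard subject; it also adds the aud condition. The account ID, issuer URL and names in the demo branch are constructed placeholders, and MyS3AccessPolicy is the policy created in 0x02.

```shell
#!/bin/sh
# Added example (not from the original post): build the IRSA trust policy from
# the cluster's OIDC issuer URL instead of pasting the hostname by hand.

# Strip the scheme: the IAM provider ARN and the condition keys use the bare
# host/path (oidc.eks.<region>.amazonaws.com/id/<id>), never "https://".
oidc_host() {
    issuer="$1"
    printf '%s' "${issuer#https://}"
}

# Print a trust policy that lets exactly ONE service account assume the role.
#   sub -> pins namespace and SA name (StringEquals, no wildcard)
#   aud -> pins the audience EKS puts in the projected token (sts.amazonaws.com)
irsa_trust_policy() {
    account_id="$1"; issuer="$2"; namespace="$3"; sa="$4"
    host=$(oidc_host "$issuer")
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account_id}:oidc-provider/${host}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${host}:sub": "system:serviceaccount:${namespace}:${sa}",
          "${host}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
}

# Refuse a wildcard or empty subject: with StringEquals a "*" would never match
# anyway, and switching to StringLike with "*" lets every SA in the cluster in.
irsa_trust_policy_checked() {
    case "$3$4" in
        *'*'*|'') echo "refusing wildcard/empty subject" >&2; return 1 ;;
    esac
    irsa_trust_policy "$@"
}

# Usage: ./irsa-role.sh <cluster> <account-id> <namespace> <sa> <role-name>
# Only talks to AWS when given all five arguments.
if [ "$#" -eq 5 ]; then
    issuer=$(aws eks describe-cluster --name "$1" \
        --query "cluster.identity.oidc.issuer" --output text)
    irsa_trust_policy_checked "$2" "$issuer" "$3" "$4" > trust-policy.json || exit 1
    aws iam create-role --role-name "$5" \
        --assume-role-policy-document file://trust-policy.json
    aws iam attach-role-policy --role-name "$5" \
        --policy-arn "arn:aws:iam::$2:policy/MyS3AccessPolicy"
else
    # Constructed example values (not a real account or cluster): show the shape.
    irsa_trust_policy_checked 123456789012 \
        "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" \
        default my-service-account
fi
```

Run it with no arguments to see the generated document; with the five arguments it creates the role and attaches MyS3AccessPolicy exactly as the commands in step 3 do.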
0x04 Create the K8s SA and bind it to the IAM Role
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/MyEKSRole
Apply it (sa.yaml):
kubectl apply -f sa.yaml
0x05 Deploy an application that uses the SA
apiVersion: v1
kind: Pod
metadata:
  name: awscli
  namespace: default   # must be the namespace the SA lives in; SAs are namespaced
  labels:
    app: awscli
spec:
  serviceAccountName: my-service-account   # the SA annotated in 0x04
  containers:
    - image: amazon/aws-cli
      command:
        - "sleep"
        - "604800"
      imagePullPolicy: IfNotPresent
      name: awscli
  restartPolicy: Always
0x06 Verify
# Confirm the env injected by the EKS pod identity webhook: expect AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE (token at /var/run/secrets/eks.amazonaws.com/serviceaccount/token)
kubectl exec -n default awscli -- env | grep AWS
# Ask STS who the pod is. The Arn must be arn:aws:sts::<account-id>:assumed-role/MyEKSRole/<session>; a NodeInstanceRole ARN here means the SA binding failed and the pod fell back to the node's credentials via IMDS
kubectl exec -it awscli -n default -- aws sts get-caller-identity
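Eyeballing the two commands above is fine once; in a deployment pipeline you want the check to fail loudly when a pod is running as the node's instance-profile role instead of its IRSA role. The following is an added example, not code from the original post: it parses the output of env and aws sts get-caller-identity with plain sed/grep (no jq) and accepts only an assumed-role ARN for the expected role name. The pod name, namespace and the JSON in the demo branch are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a pod's AWS identity
# is the IRSA role, not the node role it would get by falling through to IMDS.

# Pull "Arn" out of `aws sts get-caller-identity` JSON without needing jq.
caller_arn() {
    printf '%s\n' "$1" | sed -n 's/.*"Arn"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# The pod identity webhook injects these two variables when the SA carries the
# eks.amazonaws.com/role-arn annotation. If either is missing, the SDK credential
# chain never reaches the web-identity provider and silently uses IMDS instead.
check_irsa_env() {
    env_dump="$1"
    printf '%s\n' "$env_dump" | grep -q '^AWS_ROLE_ARN=arn:aws:iam::[0-9]*:role/' \
        || { echo "AWS_ROLE_ARN missing: SA annotation not applied?" >&2; return 1; }
    printf '%s\n' "$env_dump" | grep -q '^AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token$' \
        || { echo "AWS_WEB_IDENTITY_TOKEN_FILE missing" >&2; return 1; }
}

# Succeeds only for arn:aws:sts::<account>:assumed-role/<expected-role>/<session>.
# Any other ARN (typically the node group's NodeInstanceRole) means the trust
# policy, namespace or SA name does not match and the pod is using node credentials.
check_irsa_identity() {
    expected_role="$1"; json="$2"
    arn=$(caller_arn "$json")
    case "$arn" in
        arn:aws:sts::*:assumed-role/"$expected_role"/*)
            echo "ok: $arn"; return 0 ;;
        *)
            echo "MISMATCH: got '$arn', expected assumed-role/$expected_role" >&2
            return 1 ;;
    esac
}

# Usage: ./check-irsa.sh <pod> <namespace> <expected-role-name>
if [ "$#" -eq 3 ]; then
    check_irsa_env "$(kubectl exec -n "$2" "$1" -- env)" || exit 1
    check_irsa_identity "$3" \
        "$(kubectl exec -n "$2" "$1" -- aws sts get-caller-identity --output json)"
else
    # Constructed sample (not real output): what a correctly bound pod reports.
    check_irsa_identity MyEKSRole \
        '{"UserId":"AROAEXAMPLE:sess","Account":"123456789012","Arn":"arn:aws:sts::123456789012:assumed-role/MyEKSRole/sess"}'
fi
```

The node-role case is the one worth testing for: if the pod reports a NodeInstanceRole, it has every permission the node has, which is usually far more than MyS3AccessPolicy grants.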
0x07 Spring/Java dependencies (AWS SDK for Java v2)
<dependencies>
  <!-- IRSA base dependencies: sts is required, the web-identity credentials provider calls AssumeRoleWithWebIdentity through it -->
  <dependency>
    <groupId>software.amazon.awssdk</groupId>
    <artifactId>auth</artifactId>
  </dependency>
  <dependency>
    <groupId>software.amazon.awssdk</groupId>
    <artifactId>sdk-core</artifactId>
  </dependency>
  <dependency>
    <groupId>software.amazon.awssdk</groupId>
    <artifactId>sts</artifactId>
  </dependency>
  <!-- Application dependency -->
  <dependency>
    <groupId>software.amazon.awssdk</groupId>
    <artifactId>s3</artifactId>
  </dependency>
</dependencies>
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>software.amazon.awssdk</groupId>
      <artifactId>bom</artifactId>
      <version>2.29.23</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
0x08 Java code example
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import software.amazon.awssdk.core.ResponseBytes;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.model.GetObjectResponse;

// S3Client.create() uses the default credential chain, which picks up the
// AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE injected by IRSA: no AK/SK anywhere.
// Build the client once per bean rather than on every request.
private final S3Client s3client = S3Client.create();

@GetMapping("/get/{objectKey}")
public String demo(@PathVariable("objectKey") String objectKey) {
    // Bucket must be the one named in MyS3AccessPolicy, otherwise S3 returns AccessDenied.
    GetObjectRequest getObjectRequest = GetObjectRequest.builder()
            .bucket("my-bucket-name")
            .key(objectKey)
            .build();
    final ResponseBytes<GetObjectResponse> bytes = s3client.getObjectAsBytes(getObjectRequest);
    log.info("received: {}", objectKey);   // log: the controller's logger (e.g. Lombok @Slf4j)
    return bytes.asUtf8String();
}
0x09 References:
Minimum Java SDK versions for IRSA:
https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html
To confirm that a pod is bound to the correct SA, run aws sts get-caller-identity inside the pod as in 0x06 and check that the Arn is an assumed-role ARN for MyEKSRole. A check that is often suggested instead,
curl http://169.254.169.254/latest/meta-data/iam/info
queries the EC2 instance metadata service and returns the node's instance-profile role, not the pod's IRSA role, so it proves nothing about the SA binding. Worse, if that request succeeds from inside a pod, the pod can also fetch the node role's credentials from IMDS; the EKS security best practices recommend closing that path (require IMDSv2 and set the instance metadata hop limit to 1 on the node group) so workloads are confined to their own IRSA role.
Reference: https://repost.aws/knowledge-center/eks-pods-iam-role-service-accounts