How do I integrate an API Gateway using Pulumi with EKS?
To integrate an API Gateway with an EKS cluster, you'll need to set up an AWS API Gateway integration and an IAM role for EKS.
The AWS API Gateway resource aws.apigateway.RestApi allows you to create, deploy, and manage a RESTful API to expose your backend HTTP endpoints, AWS Lambda functions, or other AWS services. The AWS IAM role aws-iam.EKSRole is used to permit EKS to call other AWS services on your behalf. Here's how you could perform this integration:
import * as aws from "@pulumi/aws";
import * as eks from "@pulumi/eks";

// Create a new EKS cluster.
const cluster = new eks.Cluster("my-cluster", {
    desiredCapacity: 2,
    minSize: 1,
    maxSize: 2,
    storageClasses: "gp2",
    deployDashboard: false,
});

// Create a role that the EKS service can assume. The trust policy names the
// EKS service principal; trusting the account root would instead let every
// IAM identity in the account assume the role.
const eksRole = new aws.iam.Role("eksIamRole", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Action: "sts:AssumeRole",
                Principal: { Service: "eks.amazonaws.com" },
                Effect: "Allow",
                Sid: "",
            },
        ],
    }),
});

// Attach the AmazonEKSClusterPolicy to the role.
const eksRolePolicyAttachment = new aws.iam.RolePolicyAttachment("eksRolePolicyAttachment", {
    role: eksRole,
    policyArn: "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
});

// Create a new REST API.
const api = new aws.apigateway.RestApi("api", {
    description: "My API for EKS",
});

// An ANY method on the root resource. No authorizer and no API key are
// configured, so the method is reachable by anyone who can reach the stage.
const method = new aws.apigateway.Method("api-method", {
    restApi: api,
    resourceId: api.rootResourceId,
    httpMethod: "ANY",
    authorization: "NONE",
    apiKeyRequired: false,
});

// For simplicity, we simply proxy all routes straight through to the target.
// The integration is bound to the method above by resourceId and httpMethod;
// Method itself has no `integration` property.
// AWS_PROXY is the Lambda proxy integration type; forwarding to a plain
// HTTPS backend such as the cluster endpoint is what HTTP_PROXY is for.
const integration = new aws.apigateway.Integration("api-integration", {
    restApi: api,
    resourceId: api.rootResourceId,
    httpMethod: method.httpMethod,
    type: "AWS_PROXY",
    integrationHttpMethod: "POST",
    uri: cluster.eksCluster.endpoint,
    // `credentials` should be set to eksRole.arn, but as of now you can't
    // attach the execution role to EKS, so it is left unset.
});

// Export the cluster's kubeconfig.
export const kubeconfig = cluster.kubeconfig;
In this example, the EKS cluster is created using the pulumi/eks package. Also, note that the code above creates the integration with the aws_proxy type for simply forwarding all HTTP requests to the EKS cluster. If you want to define specific endpoints inside the gateway, you'll need to create separate integrations and methods.
See also: API Gateway Integration Documentation, EKS Role Documentation.
Security is important; please make sure to review the IAM roles and policies to ensure they adhere to the principle of least privilege.
Note: As of now, Amazon EKS does not directly support assuming an IAM role for its service account, thus you cannot set the credentials property of the Integration type with the EKS IAM role ARN directly. AWS recommends deploying a proxy layer like kube2iam for this use case.