
How do I set up EKS pods with SQS reader role?

To set up EKS pods with an SQS reader role, you need an EKS cluster, an IAM role whose permission policy allows reading from an SQS queue and whose trust policy lets one specific Kubernetes service account assume it, and pods that run under that service account. Here is a detailed guide on how to achieve this using Pulumi in TypeScript.

Steps to Achieve This:

  1. Create an EKS Cluster with an IAM OIDC provider: This sets up the Kubernetes cluster on AWS and registers the cluster's OIDC issuer with IAM, which is what lets IAM verify Kubernetes service account tokens.
  2. Create an IAM Role for the EKS Service Account: The role's permission policy allows reading from one SQS queue; its trust policy allows exactly one Kubernetes service account (namespace plus name) to assume it.
  3. Associate the IAM Role with the EKS Service Account: Annotating the service account with the role ARN (IAM Roles for Service Accounts, IRSA) makes pods that use that service account receive credentials for the role.

Detailed Explanation:

  1. Creating the EKS Cluster: We will use the eks.Cluster resource from the Pulumi EKS package with createOidcProvider: true, so the cluster's OIDC issuer becomes an IAM identity provider.
  2. Creating the IAM Role: We will create an IAM role with a permission policy scoped to the queue's ARN and a trust policy whose principal is the cluster's OIDC provider, conditioned on the service account's namespace and name.
  3. Associating the IAM Role with the EKS Service Account: We annotate a Kubernetes service account with eks.amazonaws.com/role-arn. EKS Pod Identity (the aws.eks.PodIdentityAssociation resource) is the newer alternative, but it needs the eks-pod-identity-agent add-on and a trust policy for the pods.eks.amazonaws.com service principal with sts:AssumeRole and sts:TagSession, so the IRSA trust policy below would not work with it unchanged.

Pulumi Program

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as eks from "@pulumi/eks";
import * as k8s from "@pulumi/kubernetes";

// Look up the default VPC and its subnets as Outputs; no async/await is needed.
// The default VPC only has public subnets. For production, pass privateSubnetIds
// for the node group and keep publicSubnetIds for load balancers only.
const vpc = aws.ec2.getVpcOutput({ default: true });
const subnets = aws.ec2.getSubnetsOutput({
    filters: [{ name: "vpc-id", values: [vpc.id] }],
});

// Create an EKS cluster. createOidcProvider registers the cluster's OIDC issuer
// as an IAM identity provider, which is what lets IAM trust Kubernetes service
// account tokens (IRSA).
const cluster = new eks.Cluster("my-cluster", {
    version: "1.30", // any version EKS currently supports; 1.21 can no longer be created
    instanceType: "t3.medium",
    desiredCapacity: 2,
    minSize: 2,
    maxSize: 3,
    vpcId: vpc.id,
    publicSubnetIds: subnets.ids,
    createOidcProvider: true,
});

// The OIDC provider is only present because createOidcProvider is true above.
const oidcProviderArn = cluster.core.oidcProvider.apply(p => p!.arn);
const oidcProviderUrl = cluster.core.oidcProvider.apply(p => p!.url);

// The queue the pods will read from. Scoping the policy to this ARN instead of
// "*" keeps the role from reading every queue in the account.
const queue = new aws.sqs.Queue("my-queue");

// Fixed names: the trust policy below must match the service account exactly.
const namespaceName = "my-namespace";
const serviceAccountName = "sqs-reader-sa";

// Permission policy: the actions a consumer needs to receive and acknowledge messages.
const sqsPolicy = new aws.iam.Policy("sqs-policy", {
    policy: queue.arn.apply(arn => JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: [
                "sqs:ReceiveMessage",
                "sqs:DeleteMessage",
                "sqs:ChangeMessageVisibility",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
            ],
            Resource: arn,
        }],
    })),
});

// Trust policy: only tokens issued by this cluster's OIDC provider for exactly this
// service account may assume the role. Without the :sub condition any service
// account in the cluster could use it; :aud pins the token audience to STS.
// IAM condition keys use the issuer without the "https://" scheme.
const sqsRole = new aws.iam.Role("sqs-role", {
    assumeRolePolicy: pulumi.all([oidcProviderArn, oidcProviderUrl]).apply(([arn, url]) => {
        const issuer = url.replace("https://", "");
        return JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Principal: { Federated: arn },
                Action: "sts:AssumeRoleWithWebIdentity",
                Condition: {
                    StringEquals: {
                        [`${issuer}:sub`]: `system:serviceaccount:${namespaceName}:${serviceAccountName}`,
                        [`${issuer}:aud`]: "sts.amazonaws.com",
                    },
                },
            }],
        });
    }),
});

new aws.iam.RolePolicyAttachment("sqs-role-attachment", {
    role: sqsRole.name,
    policyArn: sqsPolicy.arn,
});

// Create a Kubernetes namespace
const namespace = new k8s.core.v1.Namespace("my-namespace", {
    metadata: { name: namespaceName },
}, { provider: cluster.provider });

// Create the service account with an explicit name (Pulumi would otherwise append a
// random suffix and the trust policy would no longer match) and annotate it with the
// role ARN. The EKS webhook injects the projected token and AWS_ROLE_ARN into pods
// created with this service account; the AWS SDKs pick them up automatically.
const serviceAccount = new k8s.core.v1.ServiceAccount("sqs-reader-sa", {
    metadata: {
        name: serviceAccountName,
        namespace: namespace.metadata.name,
        annotations: {
            "eks.amazonaws.com/role-arn": sqsRole.arn,
        },
    },
}, { provider: cluster.provider });

export const kubeconfig = cluster.kubeconfig;
export const queueUrl = queue.url;
export const sqsRoleArn = sqsRole.arn;

Explanation of the Code:

  1. EKS Cluster Creation:
    • The eks.Cluster resource creates an EKS cluster with the specified version and instance type, and createOidcProvider registers the cluster's OIDC issuer as an IAM identity provider.
    • We use the default VPC and its public subnets for simplicity; production node groups belong in private subnets.
  2. IAM Role and Policy:
    • An IAM policy (sqsPolicy) allows the receive, delete, visibility and attribute actions a consumer needs, scoped to the one queue's ARN rather than "*".
    • An IAM role (sqsRole) is created with a trust policy whose principal is the cluster's OIDC provider (Federated), whose action is sts:AssumeRoleWithWebIdentity, and whose StringEquals conditions pin :sub to system:serviceaccount:my-namespace:sqs-reader-sa and :aud to sts.amazonaws.com. A trust policy naming the eks.amazonaws.com service principal would let the EKS service itself assume the role, not your pods, and every pod would get AccessDenied from STS.
    • The policy is attached to the IAM role.
  3. Kubernetes Namespace and Service Account:
    • A Kubernetes namespace is created to organize resources.
    • A Kubernetes service account (serviceAccount) is created in the namespace with the fixed name sqs-reader-sa and annotated with the IAM role ARN. At pod admission the EKS mutating webhook adds a projected service account token volume plus the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables, and the AWS SDK in the container exchanges that token for role credentials.

This setup ensures that any pod in the my-namespace namespace that sets serviceAccountName: sqs-reader-sa gets credentials for sqsRole and can read messages from the queue; a pod using any other service account, even in the same namespace, is rejected by the :sub condition. The injection happens when a pod is created, so workloads already running when the annotation was added must be restarted. To verify, run aws sts get-caller-identity from inside such a pod: the returned ARN should be the assumed-role ARN of sqsRole.
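The trust and permission policies above are where an "SQS reader role" goes wrong in practice: a service principal instead of the OIDC provider makes the role unusable from pods, a missing :sub or :aud condition lets any service account in the cluster assume it, and Resource "*" reaches every queue in the account. The following is an added example, not code from the original answer or from Pulumi: plain TypeScript with no Pulumi or AWS SDK dependency that builds the two policy documents as objects and reviews a trust/permission pair for those mistakes. The OIDC provider ARN, issuer URL, queue ARN and names are constructed placeholders.

```typescript
// Added example (not part of the original Pulumi answer). Builds the IRSA trust
// policy and the queue-scoped permission policy as plain objects and reviews them
// for the pitfalls that make an SQS reader role unusable from pods or over-broad.
// All ARNs, URLs and names are constructed placeholders.

type PrincipalBlock = Record<string, string | string[]>;

interface Statement {
    Effect: "Allow" | "Deny";
    Action: string | string[];
    Resource?: string | string[];
    Principal?: PrincipalBlock;
    Condition?: Record<string, Record<string, string | string[]>>;
}

interface PolicyDocument {
    Version: "2012-10-17";
    Statement: Statement[];
}

// Actions a consumer needs to receive and acknowledge messages; anything else
// (SendMessage, PurgeQueue, DeleteQueue, sqs:*) is outside "reader" scope.
const READER_ACTIONS: string[] = [
    "sqs:ReceiveMessage",
    "sqs:DeleteMessage",
    "sqs:ChangeMessageVisibility",
    "sqs:GetQueueAttributes",
    "sqs:GetQueueUrl",
];

// IRSA trust policy. IAM condition keys use the issuer host/path without the
// "https://" scheme that the IAM OIDC provider's url attribute carries.
function irsaTrustPolicy(oidcProviderArn: string, oidcIssuerUrl: string,
                         namespace: string, serviceAccount: string): PolicyDocument {
    const issuer = oidcIssuerUrl.replace(/^https:\/\//, "");
    const stringEquals: Record<string, string> = {};
    stringEquals[`${issuer}:sub`] = `system:serviceaccount:${namespace}:${serviceAccount}`;
    stringEquals[`${issuer}:aud`] = "sts.amazonaws.com";
    return {
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: { Federated: oidcProviderArn },
            Action: "sts:AssumeRoleWithWebIdentity",
            Condition: { StringEquals: stringEquals },
        }],
    };
}

// Permission policy scoped to a single queue ARN.
function sqsReaderPolicy(queueArn: string): PolicyDocument {
    return {
        Version: "2012-10-17",
        Statement: [{ Effect: "Allow", Action: READER_ACTIONS.slice(), Resource: queueArn }],
    };
}

const asList = (v: string | string[] | undefined): string[] =>
    v === undefined ? [] : Array.isArray(v) ? v : [v];

// Review a trust + permission policy pair; returns one finding per problem.
function reviewReaderRole(trust: PolicyDocument, permissions: PolicyDocument): string[] {
    const findings: string[] = [];
    for (const s of trust.Statement) {
        const principal = s.Principal ?? {};
        if (principal.Service !== undefined) {
            findings.push(`trust: service principal ${asList(principal.Service).join(",")} lets that AWS service assume the role, not pods`);
        }
        if (principal.Federated !== undefined) {
            const keys = Object.keys(s.Condition?.StringEquals ?? {});
            if (!keys.some(k => /:sub$/.test(k))) findings.push("trust: no :sub condition, any service account in the cluster could assume the role");
            if (!keys.some(k => /:aud$/.test(k))) findings.push("trust: no :aud condition, token audience is not pinned to sts.amazonaws.com");
        }
    }
    for (const s of permissions.Statement) {
        if (s.Effect !== "Allow") continue;
        if (asList(s.Resource).indexOf("*") !== -1) findings.push('permissions: Resource "*" reaches every queue in the account');
        for (const a of asList(s.Action)) {
            if (READER_ACTIONS.indexOf(a) === -1) findings.push(`permissions: ${a} is not a read-side SQS action`);
        }
    }
    return findings;
}

// Constructed inputs: the shape the corrected program produces...
const OIDC_ARN = "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID";
const OIDC_URL = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID";
const QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:my-queue";
const goodTrust = irsaTrustPolicy(OIDC_ARN, OIDC_URL, "my-namespace", "sqs-reader-sa");
const goodPermissions = sqsReaderPolicy(QUEUE_ARN);

// ...and the shape that does not work: an EKS service-principal trust plus Resource "*".
const servicePrincipalTrust: PolicyDocument = {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Principal: { Service: "eks.amazonaws.com" }, Action: "sts:AssumeRole" }],
};
const wildcardPermissions: PolicyDocument = {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Action: "sqs:ReceiveMessage", Resource: "*" }],
};

console.log(reviewReaderRole(goodTrust, goodPermissions)); // []
console.log(reviewReaderRole(servicePrincipalTrust, wildcardPermissions)); // two findings
```

reviewReaderRole is deliberately strict about the trust side: a Federated principal with no :sub condition is the common mistake that turns a per-workload role into a cluster-wide one, and a missing :aud condition is what lets a service account token minted for some other audience be replayed against STS.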
