How do I set up EKS pods with SQS reader role?
To give EKS pods an SQS reader role you need three things: an EKS cluster, an IAM role that is allowed to read from SQS, and a way for specific pods, and only those pods, to obtain credentials for that role. This guide does it with IAM Roles for Service Accounts (IRSA) using Pulumi in TypeScript.
Steps to Achieve This:
- Create an EKS Cluster: This sets up the Kubernetes cluster on AWS and registers its OIDC issuer with IAM, which IRSA relies on.
- Create an IAM Role for the EKS Service Account: This IAM role carries the permissions to read from SQS and trusts only tokens issued by the cluster for one named service account.
- Associate the IAM Role with the EKS Service Account: Annotating the Kubernetes service account with the role ARN lets pods that run as that service account assume the IAM role and gain its permissions.
Detailed Explanation:
- Creating the EKS Cluster: We will use the eks.Cluster resource from the Pulumi EKS package, with createOidcProvider enabled so the cluster's OIDC issuer becomes an IAM identity provider.
- Creating the IAM Role: We will create an IAM role with a policy that allows reading from SQS, and a trust policy that accepts only web-identity tokens issued by the cluster for a specific namespace and service account.
- Associating the IAM Role with the EKS Service Account: We annotate a Kubernetes service account with eks.amazonaws.com/role-arn; the EKS pod identity webhook then injects a projected token into pods that use it. EKS Pod Identity, configured through the aws.eks.PodIdentityAssociation resource, is the newer alternative, but this program uses the annotation-based IRSA approach.
Pulumi Program
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as eks from "@pulumi/eks";
import * as k8s from "@pulumi/kubernetes";

// Use the default VPC and its subnets for simplicity (not a production layout).
const defaultVpc = aws.ec2.getVpcOutput({ default: true });
const defaultSubnets = aws.ec2.getSubnetsOutput({
    filters: [{ name: "vpc-id", values: [defaultVpc.id] }],
});

// Create an EKS cluster. createOidcProvider registers the cluster's OIDC issuer
// as an IAM identity provider, which IAM Roles for Service Accounts (IRSA) needs.
const cluster = new eks.Cluster("my-cluster", {
    version: "1.29", // choose a version EKS currently supports
    instanceType: "t3.medium",
    desiredCapacity: 2,
    minSize: 2,
    maxSize: 3,
    vpcId: defaultVpc.id,
    publicSubnetIds: defaultSubnets.ids,
    createOidcProvider: true,
});

// The trust policy below matches these two names literally, so they are fixed here.
const namespaceName = "my-namespace";
const serviceAccountName = "sqs-reader-sa";

// IAM policy that allows reading from SQS. Resource "*" covers every queue in the
// account; scope it to the ARN of the queue the pods actually consume.
const sqsPolicy = new aws.iam.Policy("sqs-policy", {
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: "sqs:ReceiveMessage",
            Resource: "*",
        }],
    }),
});

// ARN and issuer URL of the cluster's OIDC provider.
const oidc = cluster.core.oidcProvider.apply(provider => {
    if (!provider) {
        throw new Error("cluster has no OIDC provider; set createOidcProvider: true");
    }
    return pulumi.all([provider.arn, provider.url]);
});

// Trust policy: only a web-identity token issued by this cluster for the
// sqs-reader-sa service account in my-namespace may assume the role.
const sqsRole = new aws.iam.Role("sqs-role", {
    assumeRolePolicy: oidc.apply(([arn, url]) => {
        const issuer = url.replace("https://", "");
        return JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Principal: { Federated: arn },
                Action: "sts:AssumeRoleWithWebIdentity",
                Condition: {
                    StringEquals: {
                        [`${issuer}:sub`]: `system:serviceaccount:${namespaceName}:${serviceAccountName}`,
                        [`${issuer}:aud`]: "sts.amazonaws.com",
                    },
                },
            }],
        });
    }),
});

new aws.iam.RolePolicyAttachment("sqs-role-attachment", {
    role: sqsRole.name,
    policyArn: sqsPolicy.arn,
});

// Create a Kubernetes namespace
const namespace = new k8s.core.v1.Namespace("my-namespace", {
    metadata: { name: namespaceName },
}, { provider: cluster.provider });

// Service account annotated with the role ARN. The name is set explicitly rather
// than auto-generated by Pulumi because the trust policy matches it literally.
const serviceAccount = new k8s.core.v1.ServiceAccount("sqs-reader-sa", {
    metadata: {
        name: serviceAccountName,
        namespace: namespace.metadata.name,
        annotations: { "eks.amazonaws.com/role-arn": sqsRole.arn },
    },
}, { provider: cluster.provider });

export const kubeconfig = cluster.kubeconfig;
export const sqsRoleArn = sqsRole.arn;
Explanation of the Code:
- EKS Cluster Creation:
- The eks.Cluster resource creates an EKS cluster with the specified version and instance type, and createOidcProvider: true registers the cluster's OIDC issuer as an IAM identity provider.
- We use the default VPC and its subnets for simplicity; a production cluster should get its own VPC with private subnets for the nodes.
- IAM Role and Policy:
- An IAM policy (sqsPolicy) is created to allow the sqs:ReceiveMessage action. It uses Resource "*", so it applies to every queue in the account; restrict it to the ARN of the queue the pods consume.
- An IAM role (sqsRole) is created with a trust relationship that allows sts:AssumeRoleWithWebIdentity only for tokens from the cluster's OIDC provider whose sub claim is system:serviceaccount:my-namespace:sqs-reader-sa and whose audience is sts.amazonaws.com. A trust policy that names the eks.amazonaws.com service principal instead does not work for pods and would not restrict which service account may use the role.
- The policy is attached to the IAM role.
- Kubernetes Namespace and Service Account:
- A Kubernetes namespace is created to organize resources.
- A Kubernetes service account (serviceAccount) is created in the namespace with a fixed name and annotated with the IAM role ARN. The name is fixed rather than auto-generated by Pulumi because the trust policy matches it literally; a mismatch produces an AccessDenied from STS when the pod tries to assume the role.
With this setup, any pod that runs as the sqs-reader-sa service account in the my-namespace namespace receives credentials for sqs-role: the EKS pod identity webhook injects a projected service-account token plus the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables at pod creation, and the AWS SDK exchanges that token for role credentials with sts:AssumeRoleWithWebIdentity. Two caveats: pods created before the service account was annotated are not mutated and must be recreated, and sqs:ReceiveMessage alone lets a consumer read but not delete messages, so a worker that acknowledges what it processes also needs sqs:DeleteMessage on the same queue.
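A quick in-pod check is the fastest way to tell whether the webhook ran and whether the projected token carries the identity the trust policy expects. The following is an added example, not code from the page or from any AWS or Pulumi library: it reads the two injected environment variables and decodes the token's claims to compare sub and aud against the expected values. It decodes the payload only and does not verify the signature; that is a diagnostic, not authentication, since STS verifies the token on exchange. The sampleToken helper builds an unsigned, constructed token so the check can be exercised offline; the expected namespace, service account and role ARN are assumptions for the test.

```typescript
import { readFileSync } from "fs";

// What the EKS pod identity webhook injects into a pod whose service account
// carries the eks.amazonaws.com/role-arn annotation: AWS_ROLE_ARN,
// AWS_WEB_IDENTITY_TOKEN_FILE, and a projected service-account token at that path.
interface ExpectedIdentity {
    namespace: string;
    serviceAccount: string;
    roleArn: string;
}

interface TokenClaims {
    iss?: string;
    sub?: string;
    aud?: string | string[];
    exp?: number;
}

function base64UrlDecode(s: string): string {
    const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
    return Buffer.from(b64, "base64").toString("utf8");
}

// Decodes the payload of a compact JWS. No signature check: STS does that when the
// token is exchanged, this only tells us which identity the token asserts.
function decodeJwtClaims(token: string): TokenClaims {
    const parts = token.split(".");
    if (parts.length !== 3) {
        throw new Error("token is not a compact JWS (expected header.payload.signature)");
    }
    return JSON.parse(base64UrlDecode(parts[1] ?? "")) as TokenClaims;
}

// Compares what the pod was given with what the trust policy requires.
function checkPodIdentity(token: string, roleArnEnv: string | undefined,
                          expected: ExpectedIdentity,
                          now: number = Math.floor(Date.now() / 1000)): string[] {
    const problems: string[] = [];
    if (roleArnEnv !== expected.roleArn) {
        problems.push(`AWS_ROLE_ARN is ${roleArnEnv ?? "unset"}, expected ${expected.roleArn}`);
    }
    const claims = decodeJwtClaims(token);
    const wantSub = `system:serviceaccount:${expected.namespace}:${expected.serviceAccount}`;
    if (claims.sub !== wantSub) {
        problems.push(`token sub is ${claims.sub ?? "missing"}, expected ${wantSub}`);
    }
    const audiences = ([] as string[]).concat(claims.aud ?? []);
    if (!audiences.includes("sts.amazonaws.com")) {
        problems.push(`token aud ${JSON.stringify(audiences)} does not include sts.amazonaws.com`);
    }
    if (claims.exp !== undefined && claims.exp <= now) {
        problems.push("token has expired; the kubelet should rotate it, check the projected volume");
    }
    return problems;
}

// Run inside the pod: reads what the webhook injected.
function checkFromEnvironment(expected: ExpectedIdentity): string[] {
    const tokenFile = process.env.AWS_WEB_IDENTITY_TOKEN_FILE;
    if (!tokenFile) {
        return ["AWS_WEB_IDENTITY_TOKEN_FILE is unset: the webhook did not mutate this pod " +
                "(service account not annotated, or the pod predates the annotation)"];
    }
    const token = readFileSync(tokenFile, "utf8").trim();
    return checkPodIdentity(token, process.env.AWS_ROLE_ARN, expected);
}

// Constructed, unsigned token for offline runs; a real projected token is signed
// by the cluster's OIDC issuer.
function sampleToken(claims: TokenClaims): string {
    const enc = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64")
        .replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
    return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.`;
}
```

Inside a pod, call checkFromEnvironment with the namespace, service account and role ARN you expect; an empty list means the injected identity matches the trust policy, and the remaining failure modes (a wrong condition key, a missing OIDC provider) show up as an AccessDenied from sts:AssumeRoleWithWebIdentity rather than here.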