
How Do I Add an IAM Role to the EBS CSI Driver as an Addon?

Introduction

In this guide, we will walk you through the process of adding an IAM role to the EBS CSI Driver in AWS EKS. This setup is crucial for enabling the EBS CSI Driver to interact with AWS services securely and efficiently. By configuring an IAM role with the necessary permissions, you ensure that the driver can manage Amazon EBS volumes as persistent storage within your Kubernetes clusters.

Step-by-Step Explanation

Here’s how you can set up the IAM role for the EBS CSI Driver:

  1. Define the AWS Provider: Set up the AWS provider and configure the desired region for your resources.

  2. Create an IAM Role:

    • Define an IAM role named ebs_csi_driver_role.
    • Establish a trust relationship allowing EKS to assume this role by specifying the necessary assumeRolePolicy.
  3. Create an IAM Policy:

    • Define an IAM policy named ebs_csi_driver_policy.
    • Include permissions required by the EBS CSI Driver to manage EBS volumes, such as creating, attaching, detaching, and deleting volumes.
  4. Attach the Policy to the Role:

    • Link the created policy to the IAM role using a role policy attachment.
  5. Configure the EKS Addon:

    • Set up the EKS Addon for the EBS CSI Driver.
    • Associate the addon with the IAM role by specifying the serviceAccountRoleArn.

Here’s the program to set this up:

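import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// The addon's serviceAccountRoleArn is used through IAM Roles for Service
// Accounts (IRSA): the driver's Kubernetes service account assumes the role
// with a token issued by the cluster's OIDC provider. The trust policy must
// therefore name that OIDC provider, not the eks.amazonaws.com service principal.
// Assumption: the two config keys below are placeholder names. Set them to the
// ARN of the cluster's IAM OIDC provider and its issuer without "https://".
const config = new pulumi.Config();
const oidcProviderArn = config.require("oidcProviderArn");
const oidcIssuer = config.require("oidcIssuer");

const ebsCsiDriverRole = new aws.iam.Role("ebs_csi_driver_role", {
    name: "AmazonEKS_EBS_CSI_DriverRole",
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                Federated: oidcProviderArn,
            },
            Action: "sts:AssumeRoleWithWebIdentity",
            // Restrict the role to the driver's controller service account.
            Condition: {
                StringEquals: {
                    [`${oidcIssuer}:aud`]: "sts.amazonaws.com",
                    [`${oidcIssuer}:sub`]: "system:serviceaccount:kube-system:ebs-csi-controller-sa",
                },
            },
        }],
    }),
});

// Permissions the driver uses to manage EBS volumes. AWS also publishes a
// managed policy, AmazonEBSCSIDriverPolicy, covering the driver's full action set.
const ebsCsiDriverPolicy = new aws.iam.Policy("ebs_csi_driver_policy", {
    name: "AmazonEKS_EBS_CSI_DriverPolicy",
    description: "Policy for EBS CSI Driver to interact with EBS",
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: [
                "ec2:CreateVolume",
                "ec2:CreateSnapshot",
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:DeleteVolume",
                "ec2:CreateTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeTags",
            ],
            // "*" lets these actions apply to any volume or snapshot in the account.
            Resource: "*",
        }],
    }),
});

// Attach the policy to the role.
const ebsCsiDriverAttach = new aws.iam.RolePolicyAttachment("ebs_csi_driver_attach", {
    policyArn: ebsCsiDriverPolicy.arn,
    role: ebsCsiDriverRole.name,
});

// Install the addon and bind its service account to the role.
const ebsCsiDriver = new aws.eks.Addon("ebs_csi_driver", {
    clusterName: "your-eks-cluster",
    addonName: "aws-ebs-csi-driver",
    serviceAccountRoleArn: ebsCsiDriverRole.arn,
});

export const roleArn = ebsCsiDriverRole.arn;
export const policyArn = ebsCsiDriverPolicy.arn;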

Key Points

  • IAM Role: Essential for granting EKS the ability to assume necessary permissions.
  • IAM Policy: Grants the EBS CSI Driver permissions to manage EBS volumes.
  • EKS Addon Configuration: Integrates the IAM role with the EBS CSI Driver for seamless operation.

Conclusion

By following these steps, you have successfully configured an IAM role for the EBS CSI Driver in your AWS EKS cluster. This setup ensures that your EBS CSI Driver has the necessary permissions to manage EBS volumes effectively. Moving forward, be sure to monitor and audit the permissions and roles to maintain a secure and efficient environment.
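One way to audit the role's trust policy, as an added example that is not part of the original page: a role passed as serviceAccountRoleArn is assumed by the driver's service account through the cluster's OIDC provider (IRSA), so the check below reports trust policies that name a service principal or leave the `:sub` and `:aud` claims unpinned. The function name, issuer ID and account ID are constructed for illustration, and the expected subject assumes the addon's default `ebs-csi-controller-sa` service account in `kube-system`.

```typescript
type StrMap = Record<string, string | string[]>;
type Stmt = {
    Effect: string;
    Principal?: { Service?: string | string[]; Federated?: string | string[] };
    Action: string | string[];
    Condition?: { StringEquals?: StrMap };
};
const asList = (v?: string | string[]): string[] =>
    v === undefined ? [] : Array.isArray(v) ? v : [v];

// Returns one finding per problem; an empty array means the trust is scoped as expected.
function auditIrsaTrustPolicy(policyJson: string, expectedSub: string): string[] {
    const findings: string[] = [];
    const raw = JSON.parse(policyJson).Statement;
    const statements: Stmt[] = Array.isArray(raw) ? raw : [raw];
    statements.forEach((s, i) => {
        if (s.Effect !== "Allow") return;
        const at = `Statement[${i}]`;
        const eq: StrMap = s.Condition?.StringEquals ?? {};
        // Values of every StringEquals key that ends in the given claim suffix.
        const valuesFor = (suffix: string): string[] =>
            Object.keys(eq).filter(k => k.slice(-suffix.length) === suffix)
                .reduce((acc: string[], k) => acc.concat(asList(eq[k])), []);
        if (asList(s.Principal?.Service).length > 0)
            findings.push(`${at}: trusts a service principal instead of the cluster OIDC provider`);
        if (!asList(s.Principal?.Federated).some(a => a.indexOf(":oidc-provider/") !== -1))
            findings.push(`${at}: no OIDC provider in Principal.Federated`);
        if (asList(s.Action).indexOf("sts:AssumeRoleWithWebIdentity") === -1)
            findings.push(`${at}: sts:AssumeRoleWithWebIdentity is not allowed`);
        const subs = valuesFor(":sub");
        if (subs.length !== 1 || subs[0] !== expectedSub)
            findings.push(`${at}: :sub is not pinned to ${expectedSub}`);
        if (valuesFor(":aud").indexOf("sts.amazonaws.com") === -1)
            findings.push(`${at}: :aud is not pinned to sts.amazonaws.com`);
    });
    return findings;
}

// Constructed sample values, not taken from any real account or cluster.
const ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0000000000";
const DRIVER_SUB = "system:serviceaccount:kube-system:ebs-csi-controller-sa";
const trust = (principal: object, action: string, eq?: StrMap): string => JSON.stringify({
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Principal: principal, Action: action,
                  Condition: eq ? { StringEquals: eq } : undefined }],
});
const oidc = { Federated: `arn:aws:iam::111122223333:oidc-provider/${ISSUER}` };
const audOnly: StrMap = { [`${ISSUER}:aud`]: "sts.amazonaws.com" };
const serviceTrust = trust({ Service: "eks.amazonaws.com" }, "sts:AssumeRole");
const audOnlyTrust = trust(oidc, "sts:AssumeRoleWithWebIdentity", audOnly);
const scopedTrust = trust(oidc, "sts:AssumeRoleWithWebIdentity", { ...audOnly, [`${ISSUER}:sub`]: DRIVER_SUB });
```

A trust policy with only the `:aud` condition produces a single `:sub` finding: without that pin, any service account in the cluster can assume the driver's role.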
