IAM Roles for Velero Kubernetes Service Accounts
Make sure that IRSA is enabled and the amazon-eks-pod-identity-webhook is deployed according to the Associate IAM Roles With Service Accounts documentation.

The Velero AWS plugin needs access to the EC2 snapshot APIs and to the S3 backup bucket. Follow the steps below to create the required IAM role and bind it to the Velero service account:
- Create the AWS IAM policy `AWSIRSA<CLUSTER_NAME><VELERO_NAMESPACE>Velero_policy`:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeVolumes",
          "ec2:DescribeSnapshots",
          "ec2:CreateTags",
          "ec2:CreateVolume",
          "ec2:CreateSnapshot",
          "ec2:DeleteSnapshot"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:DeleteObject",
          "s3:PutObject",
          "s3:AbortMultipartUpload",
          "s3:ListMultipartUploadParts"
        ],
        "Resource": [
          "arn:aws:s3:::velero-*/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::velero-*"
        ]
      }
    ]
  }
  ```

  The EC2 statement keeps `"Resource": "*"` because the `ec2:Describe*` actions do not support resource-level permissions. The S3 statements are limited to buckets whose names start with `velero-`, so the backup bucket must use that prefix; if you run a single cluster, narrow the two S3 resources to the exact bucket name.
- Create the AWS IAM role `AWSIRSA<CLUSTER_NAME><VELERO_NAMESPACE>Velero` with the following trust relationship:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/<OIDC_PROVIDER>"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "<OIDC_PROVIDER>:sub": "system:serviceaccount:<VELERO_NAMESPACE>:edp-velero"
          }
        }
      }
    ]
  }
  ```

  `<OIDC_PROVIDER>` is the cluster's OIDC issuer URL without the `https://` prefix (for example `oidc.eks.<REGION>.amazonaws.com/id/<ID>`). The `sub` condition is what limits the role to the `edp-velero` service account in the Velero namespace; do not replace it with a wildcard, or every pod in the cluster that can obtain a projected token could assume the role. You can additionally require `<OIDC_PROVIDER>:aud` to equal `sts.amazonaws.com`, the audience the pod identity webhook requests.
- Attach the `AWSIRSA<CLUSTER_NAME><VELERO_NAMESPACE>Velero_policy` policy to the `AWSIRSA<CLUSTER_NAME><VELERO_NAMESPACE>Velero` role.
- Make sure that an Amazon S3 bucket named `velero-<CLUSTER_NAME>` exists.
- Provide the annotation `eks.amazonaws.com/role-arn: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/AWSIRSA<CLUSTER_NAME><VELERO_NAMESPACE>Velero"` through the `serviceAccount.server.annotations` parameter in `values.yaml` during the Velero installation:

  ```yaml
  serviceAccount:
    server:
      annotations:
        eks.amazonaws.com/role-arn: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/AWSIRSA<CLUSTER_NAME><VELERO_NAMESPACE>Velero"
  ```

  After the installation, check that the annotation is present on the `edp-velero` service account and that the pod identity webhook injected `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` into the Velero server pod. The webhook mutates pods at admission time, so a pod created before the service account was annotated has to be restarted to pick up the role.
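Pulling the steps above together, the POSIX shell script below renders the permissions policy, the trust policy and the `values.yaml` annotation from the cluster name, namespace, account ID and OIDC issuer URL, and applies them with the AWS CLI when `VELERO_IRSA_APPLY=1` is set. It is an added example, not code from the EDP or Velero documentation; the default cluster name, account ID and issuer URL are placeholders, and the `VELERO_IRSA_APPLY` switch and all function names are this example's own. It also tightens the page's policy in two ways a practitioner usually wants: the S3 statements are scoped to the single `velero-<CLUSTER_NAME>` bucket instead of the `velero-*` prefix, and the trust policy pins the token audience to `sts.amazonaws.com` in addition to the subject.

```shell
#!/bin/sh
# Added example (not EDP/Velero code): render and optionally apply the IRSA
# role for Velero. Defaults are placeholders; override them via environment.
set -eu

CLUSTER_NAME="${CLUSTER_NAME:-demo}"
VELERO_NAMESPACE="${VELERO_NAMESPACE:-velero}"
AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-123456789012}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-edp-velero}"
# Issuer URL of the cluster, as returned by:
#   aws eks describe-cluster --name "$CLUSTER_NAME" \
#     --query cluster.identity.oidc.issuer --output text
OIDC_ISSUER="${OIDC_ISSUER:-https://oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLE0123456789}"

# IAM refers to the provider by the issuer URL without the scheme.
oidc_provider_from_issuer() { printf '%s\n' "$1" | sed 's#^https://##'; }

policy_name() { printf 'AWSIRSA%s%sVelero_policy\n' "$1" "$2"; }
role_name()   { printf 'AWSIRSA%s%sVelero\n' "$1" "$2"; }
bucket_name() { printf 'velero-%s\n' "$1"; }
role_arn()    { printf 'arn:aws:iam::%s:role/%s\n' "$1" "$(role_name "$2" "$3")"; }

# Permissions policy. ec2:Describe* has no resource-level permissions, so that
# statement keeps "*"; S3 is narrowed to the one backup bucket.
permissions_policy_json() {
  pp_bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:CreateTags",
        "ec2:CreateVolume", "ec2:CreateSnapshot", "ec2:DeleteSnapshot"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject", "s3:DeleteObject", "s3:PutObject",
        "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::${pp_bucket}/*"
    },
    { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::${pp_bucket}" }
  ]
}
EOF
}

# Trust policy: pin the subject (namespace + service account, no wildcard)
# and the audience the pod identity webhook requests.
trust_policy_json() {
  tp_account="$1"; tp_provider="$2"; tp_namespace="$3"; tp_sa="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "arn:aws:iam::${tp_account}:oidc-provider/${tp_provider}" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${tp_provider}:sub": "system:serviceaccount:${tp_namespace}:${tp_sa}",
          "${tp_provider}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
}

# values.yaml fragment for the Helm install.
values_annotation_yaml() {
  cat <<EOF
serviceAccount:
  server:
    annotations:
      eks.amazonaws.com/role-arn: "$(role_arn "$1" "$2" "$3")"
EOF
}

# Syntax check of a rendered document when python3 is available (no-op otherwise).
json_ok() {
  if command -v python3 >/dev/null 2>&1; then python3 -m json.tool >/dev/null; else cat >/dev/null; fi
}

apply_with_aws_cli() {
  provider="$(oidc_provider_from_issuer "$OIDC_ISSUER")"
  bucket="$(bucket_name "$CLUSTER_NAME")"
  role="$(role_name "$CLUSTER_NAME" "$VELERO_NAMESPACE")"
  policy_arn="$(aws iam create-policy --policy-name "$(policy_name "$CLUSTER_NAME" "$VELERO_NAMESPACE")" \
    --policy-document "$(permissions_policy_json "$bucket")" --query Policy.Arn --output text)"
  aws iam create-role --role-name "$role" --assume-role-policy-document \
    "$(trust_policy_json "$AWS_ACCOUNT_ID" "$provider" "$VELERO_NAMESPACE" "$SERVICE_ACCOUNT")"
  aws iam attach-role-policy --role-name "$role" --policy-arn "$policy_arn"
  aws s3api head-bucket --bucket "$bucket" 2>/dev/null || aws s3 mb "s3://$bucket"
}

if [ "${VELERO_IRSA_APPLY:-0}" = "1" ]; then
  apply_with_aws_cli
else
  provider="$(oidc_provider_from_issuer "$OIDC_ISSUER")"
  permissions_policy_json "$(bucket_name "$CLUSTER_NAME")"
  trust_policy_json "$AWS_ACCOUNT_ID" "$provider" "$VELERO_NAMESPACE" "$SERVICE_ACCOUNT"
  values_annotation_yaml "$AWS_ACCOUNT_ID" "$CLUSTER_NAME" "$VELERO_NAMESPACE"
fi
```

Run it without `VELERO_IRSA_APPLY` first to review the rendered documents; `aws iam create-policy` and `create-role` fail if the names already exist, so rerunning against an existing setup needs `update-assume-role-policy` and `create-policy-version` instead.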