IAM Roles for Kaniko Service Accounts
The information below is relevant in case ECR is used as Docker container registry. Make sure that IRSA is enabled and amazon-eks-pod-identity-webhook is deployed according to the Associate IAM Roles With Service Accounts documentation.
Alternatively, the Kaniko IAM Role can also be created automatically during the cluster installation process. For more details, refer to the Deploy AWS EKS Cluster page.
The build-image-kaniko stage, used in Tekton build pipelines, manages ECR through IRSA that should be available on the cluster. Follow the steps below to create a required role:
-
Create AWS IAM Policy
AWSIRSA_<CLUSTER_NAME>_Kaniko_policy:{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:*",
"cloudtrail:LookupEvents"
],
"Resource": "arn:aws:ecr:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/*"
},
{
"Effect": "Allow",
"Action": "ecr:GetAuthorizationToken",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ecr:DescribeRepositories",
"ecr:CreateRepository"
],
"Resource": "arn:aws:ecr:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/*"
}
]
} -
Create AWS IAM Role
AWSIRSA_<CLUSTER_NAME>_Kanikowith trust relationships:noteOIDC_PROVIDERvalue can be found in the AWS Management Console under the Elastic Kubernetes Service (EKS) service. Select the appropriate cluster and navigate to the Overview tab to find theOpenID Connect provider URLvalue.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/<OIDC_PROVIDER>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"<OIDC_PROVIDER>:sub": "system:serviceaccount:*"
}
}
}
]
} -
Attach the
AWSIRSA_<CLUSTER_NAME>_Kaniko_policypolicy to theAWSIRSA_<CLUSTER_NAME>_Kanikorole. -
Set the resulting Amazon Resource Name (ARN) of the role in the
edp-tekton.kaniko.roleArnfield within thevalues.yamlfile during the KubeRocketCI installation.