IAM Roles for Kaniko Service Accounts
Alternatively, the Kaniko IAM role can be created automatically during the cluster installation process. For more details, refer to the Deploy AWS EKS Cluster page.
The build-image-kaniko stage, used in Tekton build pipelines, pushes images to and manages repositories in Amazon ECR through IAM Roles for Service Accounts (IRSA), which must be available on the cluster. Follow the steps below to create the required role:
- Create the AWS IAM policy `AWSIRSA_<CLUSTER_NAME>_Kaniko_policy`:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ecr:*",
          "cloudtrail:LookupEvents"
        ],
        "Resource": "arn:aws:ecr:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/*"
      },
      {
        "Effect": "Allow",
        "Action": "ecr:GetAuthorizationToken",
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "ecr:DescribeRepositories",
          "ecr:CreateRepository"
        ],
        "Resource": "arn:aws:ecr:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/*"
      }
    ]
  }
  ```
- Create the AWS IAM role `AWSIRSA_<CLUSTER_NAME>_Kaniko` with the following trust relationship:

  Note: the `<OIDC_PROVIDER>` value can be found in the AWS Management Console under the Elastic Kubernetes Service (EKS) service. Select the appropriate cluster and open the Overview tab to find the OpenID Connect provider URL value.

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/<OIDC_PROVIDER>"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "<OIDC_PROVIDER>:sub": "system:serviceaccount:*"
          }
        }
      }
    ]
  }
  ```
- Attach the `AWSIRSA_<CLUSTER_NAME>_Kaniko_policy` policy to the `AWSIRSA_<CLUSTER_NAME>_Kaniko` role.
- Set the resulting Amazon Resource Name (ARN) of the role in the `edp-tekton.kaniko.roleArn` field of the `values.yaml` file during the KubeRocketCI installation.
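The trust relationship in the role step is what decides which Kubernetes service accounts may assume the Kaniko role, and the scope it grants depends on the IAM condition operator: `StringEquals` is an exact, case-sensitive comparison, and only `StringLike` expands the `*` and `?` wildcards. The following added example (not KubeRocketCI code) evaluates a trust policy's `<OIDC_PROVIDER>:sub` condition against concrete service-account subjects offline, so the intended scope can be confirmed before the role is created; the account ID, OIDC provider and namespace values are constructed.

```python
import re

# Constructed sample values standing in for the page's <AWS_ACCOUNT_ID> and
# <OIDC_PROVIDER> placeholders (the provider is the EKS OpenID Connect URL without https://).
ACCOUNT_ID = "123456789012"
OIDC_PROVIDER = "oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
SUB_KEY = f"{OIDC_PROVIDER}:sub"


def kaniko_trust_policy(condition: dict) -> dict:
    """The trust relationship from the page, with the Condition block supplied by the caller."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }

def string_condition_matches(operator: str, pattern: str, value: str) -> bool:
    """IAM string operators: StringEquals is exact and case-sensitive; StringLike expands * and ?."""
    if operator == "StringEquals":
        return pattern == value
    if operator == "StringLike":
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(regex, value) is not None
    raise ValueError(f"operator {operator} is not handled by this checker")

def admits_subject(policy: dict, subject: str) -> bool:
    """True if an Allow statement for sts:AssumeRoleWithWebIdentity accepts this token 'sub'."""
    # Only the <OIDC_PROVIDER>:sub key is evaluated; other condition keys (e.g. aud) are ignored.
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        allowed = True  # a statement without a sub condition admits every token from the provider
        for operator, pairs in stmt.get("Condition", {}).items():
            patterns = pairs.get(SUB_KEY)
            if patterns is None:
                continue
            patterns = patterns if isinstance(patterns, list) else [patterns]
            allowed = allowed and any(string_condition_matches(operator, p, subject) for p in patterns)
        if allowed:
            return True
    return False
```

A service-account subject issued by EKS has the form `system:serviceaccount:<namespace>:<name>`, so the checker is most useful when run with the exact namespace and service-account name the Kaniko task will use.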