Verifying DynamoDB Access
Now, with the carts Service Account associated with the authorized IAM role, the carts Pod has permission to access the DynamoDB table. Access the web store again and navigate to the shopping cart.
~$LB_HOSTNAME=$(kubectl -n ui get service ui-nlb -o jsonpath='{.status.loadBalancer.ingress[*].hostname}{"\n"}')
~$echo "http://$LB_HOSTNAME"
http://k8s-ui-uinlb-647e781087-6717c5049aa96bd9.elb.us-west-2.amazonaws.com
The carts Pod is able to reach the DynamoDB service and the shopping cart is now accessible!
After the AWS IAM role is associated with the Service Account, any newly created Pods using that Service Account will be intercepted by the EKS Pod Identity webhook. This webhook runs on the Amazon EKS cluster’s control plane, and is fully managed by AWS. Take a closer look at the new carts Pod to see the new environment variables.
~$kubectl -n carts exec deployment/carts -- env | grep AWS
AWS_STS_REGIONAL_ENDPOINTS=regional
AWS_DEFAULT_REGION=us-west-2
AWS_REGION=us-west-2
AWS_CONTAINER_CREDENTIALS_FULL_URI=http://169.254.170.23/v1/credentials
AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE=/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token
Things that are worth noting are:
AWS_DEFAULT_REGIONThe region is set automatically to the same as our EKS clusterAWS_STS_REGIONAL_ENDPOINTSregional STS endpoints are configured to avoid putting too much pressure on the global endpoint inus-east-1AWS_CONTAINER_CREDENTIALS_FULL_URIvariable tells AWS SDKs how to obtains credentials using HTTP credential provider. This means that EKS Pod Identity does not need to inject credentials via something like anAWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEYpair, and instead the SDKs can have temporary credentials vending to them via EKS Pod Identity mechanism. You can read more about how this functions in the AWS documentation.
You have successfully configured Pod Identity in your Application!!!