Posted to dev@flink.apache.org by Rafi Aroch <ra...@gmail.com> on 2020/02/11 15:10:21 UTC

Add support for IAM Roles for Service Accounts in AWS EKS (Web Identity)

Hi,

IAM Roles for Service Accounts have many advantages when deploying Flink on
AWS EKS.

From AWS documentation:

> With IAM roles for service accounts on Amazon EKS clusters, you can
> associate an IAM role with a Kubernetes service account. This service
> account can then provide AWS permissions to the containers in any pod that
> uses that service account. With this feature, you no longer need to provide
> extended permissions to the worker node IAM role so that pods on that node
> can call AWS APIs.

As Kubernetes becomes the popular deployment method, I believe we should
support this capability.

In order for IAM Roles for Service Accounts to work, I see two necessary
changes:

   - Bump the AWS SDK version to at least 1.11.623.
   - Add a dependency on AWS STS in order for the assume-role to work.

This is relevant for S3 Filesystem & Kinesis modules.
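The two changes above are what the AWS SDK for Java 1.x needs before a pod on EKS can pick up the role attached to its service account: the web-identity credentials provider appeared in 1.11.623, and it performs the AssumeRoleWithWebIdentity call through the STS client, which lives in the separate aws-java-sdk-sts module. The following is an added example, not Flink project code and not part of the original message, showing how that credential resolution looks from application code and how to fail early when the STS module is missing. The class name IrsaCredentialsCheck and its helper methods are assumptions for this example; the AWS SDK types and the environment variable names are the real ones the EKS pod identity webhook sets.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;

// Hypothetical example class (not part of Flink): resolves AWS credentials on EKS via
// IAM Roles for Service Accounts with AWS SDK for Java 1.11.623+ and reports a clear
// error when aws-java-sdk-sts is not on the classpath.
public final class IrsaCredentialsCheck {

    // Environment variables injected into the pod by the EKS pod identity webhook when the
    // service account is annotated with an IAM role.
    static final String TOKEN_FILE_ENV = "AWS_WEB_IDENTITY_TOKEN_FILE";
    static final String ROLE_ARN_ENV = "AWS_ROLE_ARN";

    // True when the pod was started with the IRSA environment (token file + role ARN).
    static boolean irsaEnvironmentPresent() {
        return System.getenv(TOKEN_FILE_ENV) != null && System.getenv(ROLE_ARN_ENV) != null;
    }

    // WebIdentityTokenCredentialsProvider ships in aws-java-sdk-core, but the actual
    // AssumeRoleWithWebIdentity request goes through the STS client from aws-java-sdk-sts.
    // Checking for the STS service interface up front turns a confusing runtime failure
    // inside the credentials chain into a direct message about the missing dependency.
    static void requireStsOnClasspath() {
        try {
            Class.forName("com.amazonaws.services.securitytoken.AWSSecurityTokenService");
        } catch (ClassNotFoundException e) {
            throw new IllegalStateException(
                "IAM Roles for Service Accounts requires aws-java-sdk-sts on the classpath", e);
        }
    }

    // Prefer the web-identity provider when the IRSA environment is present; otherwise fall
    // back to the default chain (environment, system properties, profile, instance metadata).
    // With SDK >= 1.11.623 the default chain already contains the web-identity provider, so
    // the explicit branch mainly makes the intended credential source visible in logs.
    static AWSCredentialsProvider credentialsProvider() {
        if (irsaEnvironmentPresent()) {
            requireStsOnClasspath();
            return WebIdentityTokenCredentialsProvider.create();
        }
        return DefaultAWSCredentialsProviderChain.getInstance();
    }

    public static void main(String[] args) {
        AWSCredentialsProvider provider = credentialsProvider();
        AWSCredentials creds = provider.getCredentials();
        String keyId = creds.getAWSAccessKeyId();
        // Never log the secret key. The access key id prefix is enough to confirm the source:
        // "ASIA" marks temporary credentials issued by STS, "AKIA" long-lived user keys.
        System.out.println("Credentials provider: " + provider.getClass().getSimpleName());
        System.out.println("Access key id prefix: " + keyId.substring(0, Math.min(4, keyId.length())));
    }
}
```

Running this inside a pod whose service account carries the role annotation should report WebIdentityTokenCredentialsProvider and an "ASIA" prefix; seeing the node's instance-profile credentials instead means the pod is still relying on the worker node IAM role, which is exactly the over-broad permission grant that IRSA is meant to remove.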

There is already an issue open:
https://issues.apache.org/jira/browse/FLINK-14881

Can I go ahead and create a pull request to add this?

Thanks,
Rafi

Re: Add support for IAM Roles for Service Accounts in AWS EKS (Web Identity)

Posted by Stephan Ewen <se...@apache.org>.
This sounds like a good addition.

Can you comment on the JIRA issue, to have the discussion in one place?
Unless anyone raises concerns, I can assign you the issue then and we could
proceed with a PR.

On Tue, Feb 11, 2020 at 4:10 PM Rafi Aroch <ra...@gmail.com> wrote: