Now that we have completed all the necessary configuration, we will run two Kubernetes jobs with the newly created IAM role:
- aws s3 ls (this job should succeed)
- aws ec2 describe-instances --region ${AWS_REGION} (this job should fail)
Let's start by testing whether the service account can list the S3 buckets.
mkdir ~/environment/irsa
cat <<EoF> ~/environment/irsa/job-s3.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: eks-iam-test-s3
spec:
  template:
    metadata:
      labels:
        app: eks-iam-test-s3
    spec:
      serviceAccountName: iam-test
      containers:
      - name: eks-iam-test
        image: amazon/aws-cli:latest
        args: ["s3", "ls"]
      restartPolicy: Never
EoF
kubectl apply -f ~/environment/irsa/job-s3.yaml
Make sure the job has completed:
kubectl get job -l app=eks-iam-test-s3
Let’s check the logs to verify that the command ran successfully.
kubectl logs -l app=eks-iam-test-s3
Output example
Now let's confirm that the service account cannot list the EC2 instances.
cat <<EoF> ~/environment/irsa/job-ec2.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: eks-iam-test-ec2
spec:
  template:
    metadata:
      labels:
        app: eks-iam-test-ec2
    spec:
      serviceAccountName: iam-test
      containers:
      - name: eks-iam-test
        image: amazon/aws-cli:latest
        args: ["ec2", "describe-instances", "--region", "${AWS_REGION}"]
      restartPolicy: Never
  backoffLimit: 0
EoF
kubectl apply -f ~/environment/irsa/job-ec2.yaml
Let's verify the job status:
kubectl get job -l app=eks-iam-test-ec2
It is expected that this job did not complete successfully.
Finally, we will review the logs:
kubectl logs -l app=eks-iam-test-ec2
Output
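The two jobs above are the manual form of a permission-boundary check: one call the role must allow, one it must deny. The script below is an added example, not part of the workshop, that drives both jobs and reports a mismatch when either lands in the wrong state. It assumes the manifests, job names and labels created above; the `RUN_IRSA_CHECK` variable, the `wait_for_job` timeout and the log-matching rule are choices of this example. A "deny" is only reported as correct when the container log carries an IAM authorization error (`AccessDenied` for S3/STS, `UnauthorizedOperation` for EC2), so a job that failed for an unrelated reason (wrong region, image pull problem) is not mistaken for a working deny.

```shell
#!/usr/bin/env bash
# Added example (not from the workshop): run both IRSA test jobs and confirm
# each ends in the state the role should produce. Set RUN_IRSA_CHECK=1 to run
# it against a cluster; otherwise only the helper functions are defined.
set -euo pipefail

# Turn a Job's status counters into a verdict: succeeded, failed or pending.
# Arguments: <succeeded-count> <failed-count>; empty values count as 0
# (kubectl jsonpath prints nothing for a counter that is not set yet).
classify_job() {
  local succeeded="${1:-0}" failed="${2:-0}"
  if [ "$succeeded" -ge 1 ]; then
    echo succeeded
  elif [ "$failed" -ge 1 ]; then
    echo failed
  else
    echo pending
  fi
}

# Compare a verdict plus the container log with the expected outcome
# ("allow" or "deny"). A deny is only accepted when the log shows an IAM
# authorization error. Prints "ok" or "mismatch: <reason>"; returns 0 or 1.
check_expectation() {
  local expected="$1" verdict="$2" log="$3"
  case "$expected:$verdict" in
    allow:succeeded)
      echo ok; return 0 ;;
    deny:failed)
      # AccessDenied is the S3/STS error code, UnauthorizedOperation the EC2 one.
      if printf '%s' "$log" | grep -Eq 'AccessDenied|UnauthorizedOperation'; then
        echo ok; return 0
      fi
      echo "mismatch: job failed, but not with an IAM authorization error"; return 1 ;;
    *)
      echo "mismatch: expected $expected, job $verdict"; return 1 ;;
  esac
}

# Poll a Job until it is Complete or Failed, or the timeout (seconds) expires.
wait_for_job() {
  local name="$1" timeout="${2:-120}" verdict
  for _ in $(seq "$timeout"); do
    verdict=$(classify_job \
      "$(kubectl get job "$name" -o jsonpath='{.status.succeeded}')" \
      "$(kubectl get job "$name" -o jsonpath='{.status.failed}')")
    if [ "$verdict" != pending ]; then
      echo "$verdict"; return 0
    fi
    sleep 1
  done
  echo pending
}

# Apply one manifest, wait for it, and check the result against expectations.
run_case() {
  local manifest="$1" name="$2" label="$3" expected="$4" verdict log
  kubectl apply -f "$manifest" >/dev/null
  verdict=$(wait_for_job "$name")
  log=$(kubectl logs -l "app=$label" --tail=20 2>/dev/null || true)
  printf '%-18s expected=%-5s got=%-9s ' "$name" "$expected" "$verdict"
  check_expectation "$expected" "$verdict" "$log"
}

if [ "${RUN_IRSA_CHECK:-0}" = 1 ]; then
  status=0
  run_case ~/environment/irsa/job-s3.yaml  eks-iam-test-s3  eks-iam-test-s3  allow || status=1
  run_case ~/environment/irsa/job-ec2.yaml eks-iam-test-ec2 eks-iam-test-ec2 deny  || status=1
  exit "$status"
fi
```

The script exits non-zero if either expectation is violated, so it can sit in a pipeline that re-validates the role whenever its policy changes. Note that only the EC2 job sets `backoffLimit: 0`; without it a denied call would be retried several times before the Job reports `failed`, which is why that field matters for the deny case.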