chore(eks): expand pod identity example

2026-02-09 05:44:23 +00:00 · 2025-06-06 22:38:22 +02:00
parent 13f7828df2
commit 9b1e2da910
1 changed files with 54 additions and 3 deletions
--- a/computing/aws/eks.md
+++ b/computing/aws/eks.md
@@ -1049,11 +1049,15 @@ Requirements:

 - An existing EKS cluster (_duh!_).
 - An existing IAM [OIDC provider][oidc providers] for the cluster.<br/>
-  Alternatively, [Pod Identity] must be installed in the cluster and the role in the next step must be configured to
-  use it.
+  Alternatively, one can use [Pod Identity] as long as (**_and_**)
+
+  - The add-on is installed in the cluster.
+  - The role in the next step is correctly configured for it.
+  - A Pod Identity Association is correctly configured for the Kubernetes service account.
+
 - A dedicated IAM role for the load balancer controller.

-  <details style="margin-bottom: 1em">
+  <details style="margin: 0 0 0 1rem">
    <summary>Pulumi (OIDC)</summary>

  ```ts
@@ -1092,6 +1096,53 @@ Requirements:

   </details>

+  <details style="margin: 0 0 1rem 1rem">
+    <summary>Pulumi (Pod Identity)</summary>
+
+  ```ts
+  const loadBalancerController_serviceRole = new aws.iam.Role(
+      "loadBalancerControllerRole",
+      {
+          name: "EKSLoadBalancerControllerRole",
+          description: "Allows EKS' load balancer controller component to control ELBs on behalf of the user",
+
+          assumeRolePolicy: JSON.stringify({
+              Version: "2012-10-17",
+              Statement: [{
+                  Effect: "Allow",
+                  Principal: {
+                      Service: "pods.eks.amazonaws.com",
+                  },
+                  Action: [
+                      "sts:AssumeRole",
+                      "sts:TagSession",
+                  ],
+              }],
+          }),
+      },
+  );
+  new aws.iam.RolePolicy(
+      "loadBalancerControllerRole-allowRoleFunctions",
+      {
+          role: loadBalancerController_serviceRole,
+          name: "AllowRoleFunctions",
+          policy: fs.readFileSync("./elb-controller.policy.json", "utf8"),
+      },
+  );
+
+  new aws.eks.PodIdentityAssociation(
+      "loadBalancerControllerRole-to-k8s-aws-load-balancer-controller",
+      {
+          clusterName: cluster.name,
+          roleArn: loadBalancerController_serviceRole.arn,
+          serviceAccount: "aws-load-balancer-controller",
+          namespace: "kube-system",
+      },
+  );
+  ```
+
+   </details>
+
 - Subnets **must** be configured _properly_.<br/>
  Refer [Route application and HTTP traffic with Application Load Balancers].