Using IAM Roles with STS in ROSA Container App

Zhimin Wen
5 min read · Feb 27, 2024
Image by subak214 from Pixabay

Similar to the way IAM roles are used on an EC2 instance, a container application running in ROSA can be given IAM roles to access AWS resources.

In ROSA, the pod's service account token is issued by the cluster's OpenID Connect (OIDC) identity provider, which is registered in AWS. The application presents this token to the AWS Security Token Service (STS) through the AssumeRoleWithWebIdentity API and receives temporary credentials for an IAM role, which it then uses to access the resource. This mechanism is called IAM Roles for Service Accounts (IRSA).

Let’s explore this feature in ROSA.

App to post to S3

We will create a toy application that posts a file to an S3 bucket.

The STS credentials are obtained by the following function.


package main

import (
	"os"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/sts"
)

// stsAWSConfig builds an aws.Config whose credential chain ends in the
// web-identity provider: the projected service account token at
// AWS_WEB_IDENTITY_TOKEN_FILE is exchanged via STS AssumeRoleWithWebIdentity
// for temporary credentials of the role named in AWS_ROLE_ARN (both taken
// from the pod environment).
func stsAWSConfig() (*session.Session, *aws.Config) {
	sess := session.Must(session.NewSession())
	config := aws.NewConfig().
		WithCredentialsChainVerboseErrors(true).
		WithCredentials(credentials.NewChainCredentials(
			[]credentials.Provider{
				&credentials.EnvProvider{},               // static keys from the environment, if any
				&credentials.SharedCredentialsProvider{}, // ~/.aws/credentials, if present
				stscreds.NewWebIdentityRoleProviderWithOptions(
					sts.New(sess),
					os.Getenv("AWS_ROLE_ARN"),
					"", // empty role session name: the SDK generates one
					stscreds.FetchTokenPath(os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")),
				),
			},
		))
	return sess, config
}
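The exchange only succeeds when the claims inside the projected token line up with what AWS expects: STS checks the issuer against the registered OIDC provider, and the role's trust policy pins the sub claim to one service account and the aud claim to an expected audience. The helper below is an added example, not code from the original post; it decodes the token the SDK reads from AWS_WEB_IDENTITY_TOKEN_FILE and applies those same checks locally, which helps when AssumeRoleWithWebIdentity is refused and you want to see what the pod actually presented. Function names, parameter names, the issuer URL and the service account names are assumed for illustration, and the token signature is deliberately not verified here, since that is STS's job.

```go
package main
import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// hasAudience accepts "aud" given as one string or as an array of strings.
func hasAudience(aud any, want string) bool {
	list, _ := aud.([]any)
	if s, ok := aud.(string); ok {
		list = []any{s}
	}
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}
// CheckIRSAToken decodes the token payload (no signature check; STS does that against
// the OIDC provider's keys) and applies what a trust policy pins: iss, sub, aud, exp.
func CheckIRSAToken(token, issuer, ns, sa, aud string, now time.Time) error {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return fmt.Errorf("not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("decode payload: %w", err)
	}
	c := map[string]any{}
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("parse claims: %w", err)
	}
	if c["iss"] != issuer {
		return fmt.Errorf("iss %v is not the registered provider %q", c["iss"], issuer)
	}
	if want := "system:serviceaccount:" + ns + ":" + sa; c["sub"] != want {
		return fmt.Errorf("sub %v does not match %q", c["sub"], want)
	}
	if !hasAudience(c["aud"], aud) {
		return fmt.Errorf("aud %v lacks %q", c["aud"], aud)
	}
	if exp, _ := c["exp"].(float64); exp == 0 || !now.Before(time.Unix(int64(exp), 0)) {
		return fmt.Errorf("token has no exp or has expired")
	}
	return nil
}
```

Run it against the file named by AWS_WEB_IDENTITY_TOKEN_FILE with the issuer URL of the cluster's OIDC provider and the namespace and service account the role's trust policy names.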
