
KOP EKS Clusters - Data Backup and Restore using IRSA

Users can associate an IAM role with a Kubernetes service account. The service account grants the role's permissions to the containers in any pod that uses it. Without adding any extended permissions to the Amazon EKS node IAM role, pods on the node can still call APIs.

Benefits of IAM roles for Service Accounts

  • Users can scope IAM permissions to a service account, and the pods using that specific service account have access to those permissions
  • A container can only retrieve credentials for the IAM role associated with the service account to which it belongs. A container never has access to credentials intended for another container, belonging to another pod
  • Access and event logging is available through CloudTrail to ensure retrospective auditing

Data Backup and Restore using IRSA

To complete the Data Backup and Restore using the IRSA process, perform the following steps:

Step 1: Create a Bucket

  • Login to AWS Portal and open the Buckets page
  • Click Create bucket

Create Bucket Button

  • Enter the Bucket name and select AWS Region
  • Click Create bucket

Create Bucket

Step 2: Create a Policy

  • Open the Policies page and click Create Policy
  • Enter the policy below, replacing <bucket-name> with the name of the bucket created in Step 1

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:CreateSnapshot",
                "ec2:DeleteSnapshot"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>"
            ]
        }
    ]
}

Below is an example of the policy with the bucket name eks-demobucket

Create Policy

  • Click Next: Tags
  • Add tags, if required in the next page and click Next: Review

Add Tags

  • Enter the Policy name and Description (optional) on the Review Policy page
  • Click Create Policy

Review Policy


Step 3: Create Identity Provider

  • In the AWS Portal, navigate to EKS Cluster → Configuration → Details. Copy the OpenID Connect Provider URL

OpenID Provider URL

  • Open the Identity Provider page and click Add Provider

Add Provider Button

  • Select the Provider type OpenID Connect
  • Enter the Provider URL (copied from EKS Cluster Config Details page) and click Get thumbprint
  • Enter sts.amazonaws.com in the Audience field

Add OpenID

  • Add tags if required and click Add provider

Add Provider

Once the provider is added, a success message appears and prompts you to assign an IAM role

  • Click Assign role

Indicator

Important

To use two different clusters for data backup and restore, create a separate Identity Provider for each cluster


Step 4: Create Role ARN

  • On the IAM Roles page, click Create role
  • Select the trusted entity Web Identity
  • Select the Identity Provider and sts.amazonaws.com as Audience from the drop-down
  • Click Next: Permissions

Select Web Identity Provider

  • Select the policy name from the list of available policies and click Next: Tags

Select Policy

  • Provide tags in the Add tags page if required and click Next: Review
  • Provide a role name and description (optional)
  • Click Create Role to complete the role creation process

Create Role

  • Once the role is created, it is listed on the Roles page

Step 5: Edit Trust Relationships

  • Select the created role from the list and click the Trust relationships tab
  • Click Edit trust relationship

Trust Relationships

Scenario 1

To back up and restore data within the same cluster, perform the following steps

Below is the default access control policy document

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::679196758854:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/16B1EDB42627D5F2BD69BB6B42FD5345"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-west-1.amazonaws.com/id/16B1EDB42627D5F2BD69BB6B42FD5345:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}

The default document only checks the aud claim, so any service account in the cluster could present its token and assume the role. To scope the role to the appropriate namespace and service account, replace the aud condition with a sub condition that names them

Below is an example with the right namespace and service account

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::679196758854:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/16B1EDB42627D5F2BD69BB6B42FD5345"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-west-1.amazonaws.com/id/16B1EDB42627D5F2BD69BB6B42FD5345:sub": "system:serviceaccount:rafay-system:velero-rafay"
        }
      }
    }
  ]
}

Scenario 2

To back up data from one cluster and restore it in another, add the OIDC provider details of both clusters to the trust policy as shown below

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/oidc.eks.${AWS::Region}.amazonaws.com/id/${Cluster_1}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.${AWS::Region}.amazonaws.com/id/${Cluster_1}:sub": "system:serviceaccount:${Namespace}:default"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/oidc.eks.${AWS::Region}.amazonaws.com/id/${Cluster_2}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.${AWS::Region}.amazonaws.com/id/${Cluster_2}:sub": "system:serviceaccount:${Namespace}:default"
        }
      }
    }
  ]
}

To scope the role to the appropriate namespace and service account in both clusters, replace each aud condition with a sub condition that names them

Below is an example with the right namespace and service account

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::679196758854:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/17562E53EA93EE98AA800738265ECFE1"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-west-1.amazonaws.com/id/17562E53EA93EE98AA800738265ECFE1:sub": "system:serviceaccount:rafay-system:velero-rafay"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::679196758854:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/6895F1604286AE3EB02EFD39CAC4E288"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-west-1.amazonaws.com/id/6895F1604286AE3EB02EFD39CAC4E288:sub": "system:serviceaccount:rafay-system:velero-rafay"
        }
      }
    }
  ]
}

  • Once the changes are applied, click Update Trust Policy

Edit Trust Relationships

Use this role when creating the data backup credentials through the Controller
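The trust policies edited in Step 5 are the only thing standing between the backup role and every other pod in the cluster, so it is worth linting them before clicking Update Trust Policy. The following is an added example (not Rafay's or AWS's code) that reads a trust policy document of the shape shown in Scenario 1 and Scenario 2, checks that each statement's condition keys belong to the same OIDC issuer as its Federated principal, and flags statements that still rely on the aud claim alone; the account ID and provider ID are constructed placeholders.

```python
import re

# Provider ARN shape from Step 3; the captured issuer is the prefix of every condition key
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:oidc-provider/"
                    r"(?P<issuer>oidc\.eks\.[a-z0-9-]+\.amazonaws\.com/id/[0-9A-Z]+)$")


def lint_trust_policy(policy: dict, expected_sub: str) -> list:
    """Return one finding per problem; an empty list means every statement is scoped as expected."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            findings.append(f"stmt {i}: unexpected Action {stmt.get('Action')!r}")
            continue
        m = ARN_RE.match(stmt.get("Principal", {}).get("Federated", ""))
        if not m:
            findings.append(f"stmt {i}: Federated principal is not an EKS OIDC provider ARN")
            continue
        issuer = m.group("issuer")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        # A condition key for a different issuer never matches the token this principal issues
        for key in equals:
            if not key.startswith(issuer + ":"):
                findings.append(f"stmt {i}: condition key {key!r} does not match the principal issuer")
        sub_key = f"{issuer}:sub"
        if sub_key not in equals:
            # Only aud (or nothing) is checked: any service account in that cluster can assume the role
            findings.append(f"stmt {i}: no {sub_key} condition; role is not scoped to a service account")
        elif equals[sub_key] != expected_sub:
            findings.append(f"stmt {i}: sub is {equals[sub_key]!r}, expected {expected_sub!r}")
    return findings


# Constructed sample values, not a real account or cluster
ACCOUNT = "123456789012"
ISSUER = "oidc.eks.us-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
VELERO_SA = "system:serviceaccount:rafay-system:velero-rafay"


def _statement(condition: dict) -> dict:
    return {"Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/{ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": condition}}


# The default document from Step 5 (audience only) beside the scoped one (sub pinned to Velero)
DEFAULT_POLICY = {"Version": "2012-10-17", "Statement": [_statement({f"{ISSUER}:aud": "sts.amazonaws.com"})]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [_statement({f"{ISSUER}:sub": VELERO_SA})]}
```

For Scenario 2, run the linter once per cluster's expected issuer; each Federated statement is checked independently, so a second cluster's statement that still uses aud is reported on its own.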