Setting up API User
Setting up API user on EKS
If you use EKS to run your services, use the steps below to give the pods in your EKS cluster access to AWS KMS. Once your EKS cluster is set up successfully, follow the AWS tutorial "IAM roles for service accounts" (https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html), which covers how to associate an IAM role with a Kubernetes service account and how to configure your pods to use that service account.

Step 1 of the tutorial: Create an IAM OIDC provider for your cluster (https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html)

Complete the steps as outlined in the tutorial. If at any point you get a permission denied error, either create a new IAM policy that grants the required permissions to the AWS user you are using to set up the cluster, or use the AWS Management Console option mentioned in the tutorial. To create the policy, go to the IAM page > select Policies on the left side > Create policy > JSON. The following permissions are required for the OIDC setup:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetOpenIDConnectProvider",
        "iam:ListOpenIDConnectProviders",
        "iam:CreateOpenIDConnectProvider",
        "iam:TagOpenIDConnectProvider",
        "eks:*",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole"
      ],
      "Resource": "*"
    }
  ]
}
```

Note that this policy grants eks:* and the listed IAM actions on every resource ("Resource": "*"). It is meant only for the user performing the one-time cluster setup; scope it down or detach it once the setup is complete.

If you are still facing issues, use the AWS Management Console route described in the tutorial.

Step 2 of the tutorial: Assign IAM roles to Kubernetes service accounts (https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html)

In the section "To associate an IAM role with a Kubernetes service account", skip step 1 of the tutorial (creating a custom IAM policy), since the IAM role is created with the required managed policy already attached in step 2. Update the step 2 command as below:

```shell
eksctl create iamserviceaccount \
  --name my-service-account \
  --namespace default \
  --cluster my-cluster \
  --role-name my-role \
  --attach-policy-arn arn:aws:iam::aws:policy/service-role/ROSAKMSProviderPolicy \
  --approve
```

Here, replace my-cluster with the name of your cluster, my-role with something more descriptive such as eks-kms-access-role, and my-service-account with a descriptive service account name.

Run this command to validate the output as shown in the tutorial:

```shell
aws iam get-role --role-name my-role --query Role.AssumeRolePolicyDocument
```

In the returned trust policy, confirm that the Federated principal is your cluster's OIDC provider and that the condition pins the :sub claim to system:serviceaccount:default:my-service-account (using the namespace and service account name you chose), so that no other pod in the cluster can assume the role.

Next, run this command and check that "PolicyArn": "arn:aws:iam::aws:policy/service-role/ROSAKMSProviderPolicy" appears in the output:

```shell
aws iam list-attached-role-policies --role-name my-role --query AttachedPolicies
```

Step 3 of the tutorial: Configure pods to use a Kubernetes service account (https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html)

Configure the pods that will run the PrimeVault SDK to use the Kubernetes service account my-service-account (or the name you provided) created in step 2, following the steps in the tutorial.

Step 4 of the tutorial: Using a supported AWS SDK (https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html)

Validate the version of the AWS SDK as described in the tutorial.

After these steps, your EKS pods should have access to AWS KMS. Follow the steps in "Creating a KMS key from the UI" to create an AWS KMS key that will be used as the access key for the API user.
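The get-role check in step 2 asks you to validate the trust policy but not what to look for. The script below is an added example, not part of the PrimeVault documentation or the AWS tutorial: it takes the AssumeRolePolicyDocument returned by aws iam get-role and checks that the role can only be assumed by the intended service account, i.e. the Federated principal is an EKS OIDC provider, the :sub claim is pinned with StringEquals to system:serviceaccount:<namespace>:<name>, and the :aud claim is pinned to sts.amazonaws.com. The account ID, region and OIDC provider ID in the sample documents are placeholders, and LOOSE_TRUST_POLICY is a constructed variant that shows the wildcard-subject mistake the check is meant to catch.

```python
"""Check that an IRSA role trust policy is scoped to one service account.

Added example (not PrimeVault or AWS code). Run with no arguments to check the
two constructed sample policies below, or pass the path of a file holding the
JSON printed by:
  aws iam get-role --role-name my-role --query Role.AssumeRolePolicyDocument --output json
"""
import json
import sys

ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"
STS_AUDIENCE = "sts.amazonaws.com"

# Placeholder OIDC provider host (region and provider ID are assumptions).
OIDC_HOST = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{OIDC_HOST}"

# Constructed sample mirroring what eksctl create iamserviceaccount generates.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": ASSUME_ACTION,
        "Condition": {"StringEquals": {
            f"{OIDC_HOST}:sub": "system:serviceaccount:default:my-service-account",
            f"{OIDC_HOST}:aud": STS_AUDIENCE,
        }},
    }],
}

# Constructed over-permissive variant: wildcard subject, no audience check.
LOOSE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": ASSUME_ACTION,
        "Condition": {"StringLike": {f"{OIDC_HOST}:sub": "system:serviceaccount:default:*"}},
    }],
}


def check_irsa_trust_policy(policy, namespace, service_account):
    """Return a list of findings; an empty list means only the given
    Kubernetes service account can assume the role via web identity."""
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    findings = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    assume_statements = 0
    for i, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or ASSUME_ACTION not in actions:
            continue  # only statements that grant the web-identity assume matter
        assume_statements += 1
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if not isinstance(federated, str) or ":oidc-provider/oidc.eks." not in federated:
            findings.append(f"statement {i}: principal is not an EKS OIDC provider: {federated!r}")
            continue
        # Condition keys are built from the provider host, e.g. "<host>:sub".
        oidc_host = federated.split(":oidc-provider/", 1)[1]
        condition = stmt.get("Condition", {})
        equals = condition.get("StringEquals", {})
        like = condition.get("StringLike", {})
        sub_key, aud_key = f"{oidc_host}:sub", f"{oidc_host}:aud"

        sub = equals.get(sub_key)
        subs = sub if isinstance(sub, list) else [sub]
        if sub_key in like:
            findings.append(f"statement {i}: {sub_key} uses StringLike {like[sub_key]!r}; "
                            "a wildcard lets other service accounts assume the role")
        elif sub is None:
            findings.append(f"statement {i}: no StringEquals condition on {sub_key}; "
                            "any pod in the cluster could assume the role")
        elif subs != [expected_sub]:
            findings.append(f"statement {i}: {sub_key} is {sub!r}, expected {expected_sub!r}")

        if equals.get(aud_key) != STS_AUDIENCE:
            findings.append(f"statement {i}: {aud_key} is not pinned to {STS_AUDIENCE!r}")
    if assume_statements == 0:
        findings.append(f"no Allow statement for {ASSUME_ACTION}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = [(sys.argv[1], json.load(fh))]
    else:
        samples = [("good", GOOD_TRUST_POLICY), ("loose", LOOSE_TRUST_POLICY)]
    for name, doc in samples:
        result = check_irsa_trust_policy(doc, "default", "my-service-account")
        print(name + ":", "OK" if not result else "\n  " + "\n  ".join(result))
```

The namespace and service account name passed to check_irsa_trust_policy must match the --namespace and --name values you gave eksctl; a mismatch is reported as a finding rather than silently accepted.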