Domino advanced credential propagation for AWS with EKS Pod Identity
Article topics
Security, Identity and Access Management (IAM), Role Based Access Control (RBAC), OpenID Connect (OIDC), Web Identity and Attribute Based Access Control (ABAC)
Intended audience
Cloud administrators, IT professionals, Security teams
Overview and goals
In a previous article, we saw how the IAM role for Service Accounts (IRSA) can be utilized within Domino workloads (Apps, Jobs, and Workspaces) for assuming IAM roles. There are situations where IRSA can be operationally challenging to use. AWS provides another mechanism to assume IAM roles within Kubernetes workloads known as EKS Pod Identity to address these challenges. However, this approach has its own tradeoffs.
In this article we will explore what these operational challenges are and how EKS Pod Identity can be used within Domino workloads. We’ll look at specific situations where this approach is more suitable than the IRSA approach — and describe new challenges users will face when using this approach.
EKS Pod Identity vs. IRSA
In most cases, EKS administrators or Domino administrators, do not own the roles and policies defined in the AWS Identity and Access Management (IAM). When using IRSA, a Domino workload can assume any AWS role assigned to it. However, the IAM owner has to update the trust policy of the IAM role to explicitly point to the OIDC provider associated with the EKS cluster. This OIDC provider is unique for each EKS cluster. This has been considered to be one of the major operational challenges of IRSA when Domino upgrades are done using the Blue-Green upgrade mechanism. After each upgrade the trust policies for all roles assumed by kubernetes service account associated with a IAM role need to be updated with the new EKS cluster’s OIDC provider endpoint.
If your EKS team owned these IAM roles and the associated trust policies, updating them is trivial. But if your EKS team does not own them and these roles are used outside of the EKS clusters, this presents a significant operational challenge. It can also be argued that, delegating the mapping of Kubernetes Service Accounts to IAM role via a separate IAM team is a good security practice. That’s because a separate team can impose additional safeguards when assigning roles to Kubernetes workloads. EKS Pod Identities are introduced by AWS to address this operational challenge.
Note: This document will provide you with detailed guidance. Please speak with your Domino Professional Services contact for additional information, assistance, and implementation support.
When should you consider using EKS Pod Identity?
- New EKS Cluster for each Domino version
Domino recommends using EKS Pod Identity when your policy is to deploy new Domino versions on new EKS clusters and your EKS administrators do not own the definitions of the IAM role being assumed by Domino workloads. In a Blue/Green scenario when you start the Green EKS cluster and install Domino on it, you will need to modify the trust relationship of each IAM role assumed by the Domino Workload to include the OIDC provider of the Green Domino. After the Blue EKS cluster is retired, you will need to remove the references to the OIDC provider of the Blue EKS cluster. This imposes an operational burden on the IAM Team. Furthermore, in most cases your internal policies won't permit you to make these changes without proper approvals in place adding more pressures on the operational process. - Service Accounts Mapping to a single IAM role
Domino Service Accounts exist, so a Domino admin can create these for executing jobs in production. The number of users in Domino is usually a stable number or changes less often. However, new jobs are created frequently. It is common for a job to be executed by a Domino Service Account. It is also good practice to limit a Service Account to only a small set of jobs. This allows fine grained access control granularity for the job owner (Domino Service Account). Having to frequently update an AWS roles trust policy to allow a service account to assume a role is operationally challenging unless the EKS admin owns the IAM role which the service account needs to assume. This situation also demonstrates that IRSA vs. EKS Pod Identities are not mutually exclusive choices. We can support both, IRSA for users (enabling them to switch roles inside a workload) and EKS Pod Identity for service accounts because service accounts usually need to assume a single role for the task they are responsible for. - You plan to use Domino Credentials Propagation, but would like to use Domino Service Accounts to run jobs via automation processes
While credential propagation works with a Domino user, a Domino Service Account cannot utilize Domino Credential’s Propagation feature. The reason being the Domino feature is tied to SAML integration with AWS IAM and Domino Service Accounts do not authenticate via SAML.
A service account typically would be mapped to a single IAM role for the specific purpose of performing a task. One-to-one mapping for a service account to an IAM role makes operational sense. If you wish to run the same Domino Job but use different AWS IAM roles, it would make sense to create two separate service accounts in Domino and map these separate IAM roles to each of these service accounts respectively.
How do EKS Pod Identities work with Domino?
The mechanism for EKS Pod Identities is illustrated in the following figure.
We assume that you have done the installation step based on the AWS documentation. Next, we look at all the preparations needed to make the EKS pod identities work.
- Establish the mapping between the K8s service account and IAM role. The K8s service account represents a user or service principal which owns the Domino workload which needs to assume the role. This can be run on the command line as follows:
aws eks create-pod-identity-association --cluster-name my-cluster --role-arn arn:aws:iam::123456789012:role/my-role --namespace domino-compute --service-account my-service-account
- The IAM role needs the following trust policy to be attached to it. The EKS control plane runs as an IAM service principal "pods.eks.amazonaws.com" control and assumes the role on behalf of the K8s service account. This trust policy enables that process.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
"Effect": "Allow",
"Principal": {
"Service": "pods.eks.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
}
- The Daemonset eks-pod-identity-agent uses the host network of the worker node to make the call eks-auth:AssumeRoleForPodIdentity for the mapped role associated with the pod service account. To enable this we need the policy below to be attached to the node role <cluster-name>-eks-nodes. Note that the resources section of this policy should include the exhaustive list of all roles that have been mapped to the service account in EKS. If a new mapping is created with a new role, this list will need to be updated.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "WorkerNodePermissions",
"Effect": "Allow",
"Action": [
"eks-auth:AssumeRoleForPodIdentity"
],
"Resource": [
"arn:aws:iam::123456789012:role/PodIdentityRole1",
"arn:aws:iam::123456789012:role/PodIdentityRole2"
]
}
]
}
Now we are ready to examine how exactly the Domino workload (pod) acquires the STS temporary credentials associated with the role.
- The EKS Pod Identity Webhook mutates the pod and adds the following two environment variables to it.
| Environment variable name | Environment variable value |
|---|---|
AWS_CONTAINER_CREDENTIALS_FULL_URI |
http://169.254.170.23/v1/credentials |
AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE |
/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token |
The iptables are updated to route the call to $AWS_CONTAINER_CREDENTIALS_FULL_URI to the daemonset described in the next step.
- The Daemonset eks-pod-identity-agent intercepts the call to AWS_CONTAINER_CREDENTIALS_FULL_URI and discovers the mapping between the IAM role and the pod service account. It then makes the call eks-auth:AssumeRoleForPodIdentity while passing the IAM role associated with the service account. The authentication token provided is the same mounted service account token.
- The EKS control plane verifies the mapping between the pod service account and the IAM role.
- If valid, the EKS control plane calls the STS service using the IAM service principal pods.eks.amazonaws.com to assume the target role and fetch temporary credentials.
- These are then passed to the pod which successfully assumes the IAM role.
- From the perspective of the pod, the call to http://169.254.170.23/v1/credentials obtained the credentials for the role.
For all practical purposes this mechanism behaves like an EC2 instance role. The table below outlines the key differences between EKS Pod Identities and IRSA.
| EKS Pod Identities | IRSA |
|---|---|
| One service account can be mapped to at most one IAM role. | One service account can be mapped to multiple IAM roles. |
| Workload owner cannot switch IAM roles while inside a workload. Mappings between K8s Service Account and IAM role are one to one. If a workload needs to assume a new role, the EKS administrator will need to create a new Pod Identity mapping and the workload will need to be restarted. | Workload owners can switch IAM roles inside a running workspace by selecting the appropriate profile from your AWS_CONFIG_FILE or setting the environment variable AWS_ROLE_ARN. |
|
Removing the Pod Identity mappings between the Pod Service Account and AWS Role, does not remove the permissions of a running workload.
One approach to addressing this problem is to have an independent service in your EKS cluster which performs ListPodIdentityAssociations. The service will terminate the pod with stale configurations.
|
Updating the IAM trust policy to remove K8s Service Account mapping, immediately revokes the permissions of the workload.
A more accurate statement would be, AWS IAM records the changes to the trust policy and starts propagating to each service. Remember that, AWS Trust Policy updates are eventually consistent and it may take up to 20 minutes for these changes to propagate to all services when AWS is under heavy loads |
The command ListPodIdentityAssociations for your EKS cluster provides the K8s Service Accounts associated with the IAM roles. |
Iterate over all IAM Roles and determine which of these roles has a trust policy which permits the K8s Service Account to assume the role |
It is important to understand that using IRSA and EKS Pod Identity is not a mutually exclusive decision. A scenario where it makes sense to use both is, a customer using an MLOps process where users do development in their workspaces and production deployment requires jobs to be running on schedule or via workflows.
A recommended best practice to execute production jobs is to use service accounts as job owners. A customer could potentially have tens of jobs each running as its own service account. The number of jobs being promoted to production (as well as a service account being created) is a significantly dynamic number as compared to the number of users. In addition, as mentioned earlier jobs require very specific access to cloud resources. Based on the principle of least privileges, a job should have access to a role with minimum access. A job does not need to switch roles but a user does depending on what the user wants to do.
In this scenario we would use IRSA for workspaces and EKS Pod Identity for jobs.
Check out a hands-on tutorial for EKS Pod Identities based on this public repo.