Introduction
EKS Pod Identity is now GA, a simpler method than IAM roles for service accounts, as this method doesn't use OIDC identity providers. EKS Pod Identity has the following enhancements:
As a result, IAM roles no longer need to reference an OIDC provider
The aim of this solution is to allow:
- Least privilege - eliminates the need for third-party solutions.
- Credential isolation - A pod's containers can only retrieve credentials for the IAM role associated with the service account used by the container.
- Auditability - Access and event logging is available through AWS CloudTrail.
Idea
AWS EKS reference architecture should leverage EKS Pod Identity, providing a simpler method than alternative solutions like IAM roles for service accounts.
Implementation
The removal of OIDC on provisioning of the cluster
```
eksctl create addon --cluster my-cluster --name eks-pod-identity-agent
```
With the release of
```yaml
iam:
  withOIDC: true
```
The implementation of EKS Pod Identities via addon or directly via eksctl or Terraform.
Provide Service accounts appropriate Roles with annotations
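An added example, not part of the original issue: a small Python check for the migration described above. It classifies IAM role trust policies as IRSA-style (they reference an OIDC provider) or Pod Identity-style (the `pods.eks.amazonaws.com` service principal with `sts:AssumeRole` and `sts:TagSession`). The role names, account ID and OIDC provider ID are constructed sample values.

```python
POD_IDENTITY_PRINCIPAL = "pods.eks.amazonaws.com"
POD_IDENTITY_ACTIONS = {"sts:AssumeRole", "sts:TagSession"}

def _as_list(value):
    """IAM allows a scalar or a list for Principal and Action values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def classify_trust_policy(policy):
    """Return a set of findings for one IAM role trust policy document."""
    findings = set()
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        actions = set(_as_list(stmt.get("Action")))
        federated = _as_list(principal.get("Federated"))
        if any(":oidc-provider/" in arn for arn in federated):
            findings.add("irsa-oidc")  # role still depends on the OIDC provider
            keys = {k for op in stmt.get("Condition", {}).values() for k in op}
            if not any(k.endswith(":sub") for k in keys):
                # Without a :sub condition the role is not bound to one service account.
                findings.add("irsa-no-sub-condition")
        if POD_IDENTITY_PRINCIPAL in _as_list(principal.get("Service")):
            ok = POD_IDENTITY_ACTIONS <= actions
            findings.add("pod-identity" if ok else "pod-identity-missing-action")
    return findings

def audit(roles):
    """Map each role name to its sorted findings."""
    return {name: sorted(classify_trust_policy(doc)) for name, doc in roles.items()}

# Constructed sample trust policies (placeholder account and provider IDs).
OIDC = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE"
SAMPLE_ROLES = {
    "legacy-irsa-role": {"Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com"}}}]},
    "pod-identity-role": {"Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": POD_IDENTITY_PRINCIPAL},
        "Action": ["sts:AssumeRole", "sts:TagSession"]}]},
}

if __name__ == "__main__":
    for role, findings in audit(SAMPLE_ROLES).items():
        print(role, findings)
```
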