Version: Spectra Detect 6.0.3

Spectra Detect AWS EKS Config Reference — Pod Identity Configuration

Overview

EKS Pod Identity is the modern standard for identity management on Amazon EKS. Spectra Detect will authenticate with AWS services using temporary, auto-rotating credentials. The architecture is designed to work seamlessly whether the underlying AWS infrastructure is managed by ReversingLabs (SaaS) or hosted in your own AWS environment (Self-Hosted/BYOC).

This approach simplifies the security model for S3 integrations:

  • Infrastructure Agnostic: Whether the EKS cluster is in our account or yours, the application uses standard AWS identity patterns.
  • Zero-Config Credentials: You do not need to generate or manage long-lived Access Keys or Secret Keys for our application. The administrator needs to specify only the S3 bucket region and the bucket name.
  • Least Privilege: Access is strictly scoped to the IAM Role associated with our application, limiting access to only the intended resources (buckets).

Configuration Requirements

The configuration of S3 access is streamlined:

Required Input

The application requires only a region and the plain bucket name (e.g., my-company-reports); no Access Key ID or Secret Access Key is needed.

Infrastructure Setup (For Self-Hosted Customers)

If you manage the AWS environment, you must:

  1. Create an IAM Role with the necessary S3 permissions.
  2. Associate this Role with our application's ServiceAccount in your EKS cluster.
  3. Our application will handle the rest automatically.

Backward Compatibility

EKS Pod Identity is fully backward compatible with the legacy IAM Roles for Service Accounts (IRSA) method. This ensures that existing setups will continue to function while providing a path to improved security and manageability.

Technical Prerequisites: Enabling S3 Access with EKS Pod Identity

Audience: DevOps Engineers / Cloud Administrators

Scope: Self-Hosted Environments (BYOC)

Goal: Prepare your EKS cluster to support the secure S3 integration for the [Application Name] deployment.

To utilize the EKS Pod Identity feature for S3 access, your AWS infrastructure must meet the following requirements. Please review and ensure these components are configured before the feature release.

EKS Cluster Readiness

  1. EKS Version: Ensure your cluster is running a supported Kubernetes version.
  2. Pod Identity Agent: The Amazon EKS Pod Identity Agent must be installed on your cluster.
    • How to check: In the AWS Console, go to your EKS Cluster -> Add-ons tab. Look for "Amazon EKS Pod Identity Agent."
    • Action: If missing, install it via the "Get more add-ons" button or via Terraform/CLI.

IAM Role Configuration

You will need to create a dedicated IAM Role that our application will assume.

  • Trust Policy: The role must have a Trust Relationship allowing the EKS Pod Identity service principal.

    • Principal: pods.eks.amazonaws.com
    • Action: sts:AssumeRole and sts:TagSession
    • Standard Trust Policy JSON:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "pods.eks.amazonaws.com"
            },
            "Action": [
              "sts:AssumeRole",
              "sts:TagSession"
            ]
          }
        ]
      }
  • Permissions Policy: Attach an IAM Policy granting access to the target S3 bucket(s).

    • Required Actions: Typically s3:ListBucket, s3:GetObject, s3:PutObject (depending on your use case).
    • Resource: The ARN of the specific bucket(s) you intend to use.

Note: for cross-account access, please check this link.
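The two policies above, as an added Python example (not ReversingLabs code): one helper emits the trust policy, one builds a least-privilege permissions policy that keeps s3:ListBucket on the bucket ARN and object actions on bucket/*, and one audits a trust policy for principals or STS actions broader than Pod Identity needs. The bucket name my-company-reports is the page's own example; the role name and the aws CLI calls that consume the JSON are left to the caller.

```python
POD_IDENTITY_PRINCIPAL = "pods.eks.amazonaws.com"
BUCKET_ACTIONS = {"s3:ListBucket"}                  # evaluated against the bucket ARN
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject"}   # evaluated against bucket/*


def trust_policy():
    """Trust relationship for EKS Pod Identity, as given on this page."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": POD_IDENTITY_PRINCIPAL},
        "Action": ["sts:AssumeRole", "sts:TagSession"]}]}


def permissions_policy(bucket, actions):
    """Least-privilege S3 policy for one bucket. ListBucket is granted on the
    bucket ARN and object actions on bucket/*; one wildcard Resource covering
    both is the usual over-grant."""
    unknown = set(actions) - BUCKET_ACTIONS - OBJECT_ACTIONS
    if unknown:
        raise ValueError(f"actions outside the documented set: {sorted(unknown)}")
    arn = f"arn:aws:s3:::{bucket}"
    statements = []
    for allowed, resource in ((BUCKET_ACTIONS, arn), (OBJECT_ACTIONS, arn + "/*")):
        chosen = sorted(set(actions) & allowed)
        if chosen:
            statements.append({"Effect": "Allow", "Action": chosen, "Resource": resource})
    return {"Version": "2012-10-17", "Statement": statements}


def audit_trust_policy(policy):
    """Findings for a trust policy broader than Pod Identity needs: any
    principal other than the Pod Identity service, or wildcard STS actions."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else None
        services = [services] if isinstance(services, str) else services
        if services is None or set(principal) != {"Service"}:
            findings.append("principal is not restricted to a service principal")
        elif set(services) != {POD_IDENTITY_PRINCIPAL}:
            findings.append(f"unexpected service principal(s): {sorted(services)}")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("*", "sts:*") for a in actions):
            findings.append("wildcard STS action")
    return findings
```

Serialize each dict with json.dumps and pass the files to aws iam create-role --assume-role-policy-document and aws iam put-role-policy --policy-document; the resulting role still needs one Pod Identity association per ServiceAccount (connector and postprocessor), as the Identity Association section describes.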

Identity Association

Once the IAM Role is created, you must link it to our application running in your cluster.

  • Create ServiceAccount: You will map the role to the Kubernetes ServiceAccount used by our application.
    • The S3 connector and postprocessor can either create a ServiceAccount or use the default (provided) ServiceAccount; see the useAssignedCredentials configuration parameter.
    • The name of the default account is <deployment name>-connector-s3.
  • Create Association: Use the EKS Console (Access Tab -> Pod Identity Associations) or AWS CLI to map the IAM Role to the ServiceAccount. This must be done separately for both S3 connector and postprocessor.
    • For EKS console instructions, please check this link.
    • For CLI instructions, please check this link.

Client Tools (For Verification)

  • AWS CLI: Ensure your administrative workstations and CI/CD pipelines are using a recent version of the AWS CLI (v2.15.0 or later) to support EKS Pod Identity commands.