Configure access to your AWS account using IAM Roles
This guide walks you through configuring AWS credentials for your Okteto instance to enable the commands in your Okteto Manifests to interact with your AWS account.
We will focus on requesting access to an S3 bucket. However, you can extend this approach to grant access to other AWS resources by specifying a role with the necessary permissions.
AWS credentials are configured using OIDC federation to assume an IAM Role via Web Identity. This provides secure and temporary access to your AWS resources.
Step 1: Register the Identity Provider
We recommend installing the AWS CLI before following this tutorial
The first step in configuring AWS credentials is to register your Kubernetes cluster as an OIDC identity provider in AWS. To do this, Okteto provides the OIDC endpoint of your cluster, which can be found in the General section of your Okteto Admin Dashboard.
Store these values as environment variables, you will use them in the next steps:
export OIDC_ENDPOINT=https://container.googleapis.com/v1/projects/myProject/locations/us-central1/clusters/myCluster
export OKTETO_SERVICE_ACCOUNT=system:serviceaccount:okteto:okteto
The AUDIENCE is traditionally the client ID of the requester, and tokens will only be exchanged for these audiences.
It corresponds to the aud field in the JWT payload. We recommend creating a unique audience for each Okteto instance and AWS region.
For example:
export AUDIENCE=okteto.example.com/us-east-2
Next, run the following command to create the OIDC identity provider in AWS:
aws iam create-open-id-connect-provider --url "${OIDC_ENDPOINT}" --client-id-list "${AUDIENCE}"
Once successful, you’ll see a response similar to:
{
"OpenIDConnectProviderArn": "arn:aws:iam::112233445566:oidc-provider/container.googleapis.com/v1/projects/myProject/locations/us-central1/clusters/myCluster"
}
Store this value in an environment variable, you'll use it in the next step:
export PROVIDER_ARN=arn:aws:iam::112233445566:oidc-provider/container.googleapis.com/v1/projects/myProject/locations/us-central1/clusters/myCluster
Step 2: Create the IAM Role and Grant Access to S3
In this step, you'll create an IAM Role that allows access to S3 and configure it to assume the role using the OIDC identity provider you set up in the previous step.
First, create the trust policy that allows the role to be assumed by the OIDC identity provider.
Save the following content to a file called trust-policy.json (replace your environment variables):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "${PROVIDER_ARN}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"${OIDC_ENDPOINT}:aud": "${AUDIENCE}",
"${OIDC_ENDPOINT}:sub": "${OKTETO_SERVICE_ACCOUNT}"
}
}
}
]
}
Run the following command to create the IAM Role in AWS with the trust policy you defined:
aws iam create-role --role-name okteto-credentials --assume-role-policy-document file://trust-policy.json
You will receive a response similar to:
{
"Role": {
"Path": "/",
"RoleName": "okteto-credentials",
"RoleId": "AR...",
"Arn": "arn:aws:iam::112233445566:role/okteto-credentials",
"CreateDate": "2024-06-10T15:04:05+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::112233445566:oidc-provider/container.googleapis.com/v1/projects/myProject/locations/us-central1/clusters/myCluster"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"https://container.googleapis.com/v1/projects/myProject/locations/us-central1/clusters/myCluster:aud": "okteto.example.com/us-east-2",
"https://container.googleapis.com/v1/projects/myProject/locations/us-central1/clusters/myCluster:sub": "system:serviceaccount:okteto:okteto"
}
}
}
]
}
}
}
Store the Arn of the role you just created in an environment variable, you'll use it in the next step:
export ROLE_ARN=arn:aws:iam::112233445566:role/okteto-credentials
Finally, attach the S3 policy to the IAM Role to grant it full read and write access to your S3 buckets:
aws iam attach-role-policy --role-name okteto-credentials --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
This grants the IAM Role the necessary permissions to interact with S3.
Step 3: Configure AWS Cloud Credentials in Okteto
Now that you've created the IAM role, the final step is to configure the AWS credentials in Okteto.
Go to the Cloud Credentials view view in the Okteto Admin dashboard and enable the AWS IAM Role option.
Provide the following information:
- Role ARN: The Role ARN
ROLE_ARNyou created in Step 2 - Region: The AWS Region for the AWS STS Regional Endpoint. You can find more information about regional endpoints here and here
- Audience: The Audience
AUDIENCEyou specified during the Identity Provider setup
Once this configuration is in place, your Okteto Manifests commands will have access to your AWS account.
Example Okteto Manifest
With the configuration complete, the following Okteto Manifest can interact with the specified S3 bucket:
deploy:
image: amazon/aws-cli
commands:
- aws s3 mb s3://test-bucket --region us-west-2
test:
aws:
image: amazon/aws-cli
commands:
- aws s3 ls | grep test-bucket
destroy:
image: amazon/aws-cli
commands:
- aws s3 rb s3://test-bucket --region us-west-2