Introduction

This document provides detailed instructions on setting up IAM Roles for Service Accounts (IRSA) for the microservices in the Raven platform. Specifically, it illustrates how IRSA works on AWS EKS and how to assign IAM roles to Kubernetes service accounts using Helm charts. Additionally, it lists the necessary permissions for each microservice.

IAM Roles for Service Accounts (IRSA)

IRSA enables your Kubernetes pods to interact with AWS services using IAM roles. This eliminates the need to manage AWS credentials within pods, enhancing security and simplifying the management of permissions.

How IRSA Works

  1. IAM Role Creation: Create an IAM role with a trust policy that allows the Kubernetes service account to assume the role.
  2. Service Account Annotation: Annotate the Kubernetes service account with the IAM role ARN.
  3. IAM Policy Attachment: Attach the necessary IAM policies to the IAM role to grant the required permissions.
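The trust policy in step 1 is what actually binds a role to one Kubernetes service account: the cluster's OIDC provider is the federated principal, and the `:sub` and `:aud` conditions restrict who may call `sts:AssumeRoleWithWebIdentity`. The following Python is an added example, not part of this document's original instructions or of the Raven charts; the OIDC issuer, the account id and the `raven` namespace are constructed placeholders. It builds such a trust policy and also reviews an existing one for the two common mistakes, a missing or wildcard `:sub` condition (any service account in the cluster can assume the role) and a missing `:aud` condition.

```python
import re

# Constructed placeholders (not values from the page): the cluster's OIDC
# issuer without the https:// scheme, and the AWS account id.
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF0123456789"
ACCOUNT_ID = "123456789012"


def irsa_trust_policy(account_id, oidc_provider, namespace, service_account):
    """Trust policy for step 1: only the named service account in the named
    namespace may assume this role via the cluster's OIDC provider."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account id must be 12 digits")
    if oidc_provider.startswith("https://"):
        raise ValueError("pass the issuer host/path without the scheme")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        # Bind the role to exactly one service account ...
                        f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                        # ... and only to tokens minted for STS.
                        f"{oidc_provider}:aud": "sts.amazonaws.com",
                    }
                },
            }
        ],
    }


def trust_policy_findings(policy):
    """Review an existing trust policy and return human-readable findings."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        subs = [v for k, v in {**equals, **like}.items() if k.endswith(":sub")]
        auds = [v for k, v in equals.items() if k.endswith(":aud")]
        if not subs:
            findings.append("no :sub condition: any service account in the cluster can assume the role")
        for sub in subs:
            if "*" in sub:
                findings.append(f"wildcard subject {sub!r}: more than one service account can assume the role")
        if not auds:
            findings.append("no :aud condition: tokens issued for other audiences are accepted")
    return findings


if __name__ == "__main__":
    import json
    policy = irsa_trust_policy(ACCOUNT_ID, OIDC_PROVIDER, "raven", "upload-service")
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
```

Run the review function against the trust policy attached to each role before annotating the service account; an empty findings list means the role is scoped to one namespace/service-account pair and to STS tokens only.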

Setting Up IRSA in Helm Charts

To set the service account roles in your Helm chart, you need to annotate the service account with the appropriate IAM role ARN.

Here’s an example of how to do this:

serviceAccount:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/role-name

Replace <AWS_ACCOUNT_ID> with your actual AWS account ID.

Required Permissions for Microservices

upload-service

The upload-service requires read/write access to the nodes-data bucket and the symbols bucket. Below is the IAM policy for the upload-service:

{
  "Statement": [
    {
      "Action": [
        "s3:*",
        "s3-object-lambda:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-platform-nodes-data/*",
        "arn:aws:s3:::my-platform-nodes-data",
        "arn:aws:s3:::my-platform-symbols/*",
        "arn:aws:s3:::my-platform-symbols"
      ],
      "Sid": ""
    },
    {
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListAccessPoints",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketAcl",
        "s3:GetAccountPublicAccessBlock"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "S3ConsoleAccess"
    }
  ],
  "Version": "2012-10-17"
}

ingestion-service

The ingestion-service also requires read/write access to the nodes-data bucket and the symbols bucket. Below is the IAM policy for the ingestion-service:

{
  "Statement": [
    {
      "Action": [
        "s3:*",
        "s3-object-lambda:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-platform-nodes-data/*",
        "arn:aws:s3:::my-platform-nodes-data",
        "arn:aws:s3:::my-platform-symbols/*",
        "arn:aws:s3:::my-platform-symbols"
      ],
      "Sid": ""
    },
    {
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListAccessPoints",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketAcl",
        "s3:GetAccountPublicAccessBlock"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "S3ConsoleAccess"
    }
  ],
  "Version": "2012-10-17"
}
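Both policies above grant `s3:*` and `s3-object-lambda:*` on the two buckets, and the `S3ConsoleAccess` statement grants account-wide listing on `Resource: "*"`, which is more than the read/write access the text describes. The Python below is an added example, not part of this document or of the Raven platform's own tooling: it embeds the page's policy, flags wildcard actions and resources, and builds a narrower read/write policy for the same buckets. The action set it uses for "read/write" (`ListBucket`, `GetObject`, `PutObject`, `AbortMultipartUpload`) is an assumption about what the services need, to be confirmed against their actual S3 calls.

```python
# The permission policy from the page, shared by upload-service and
# ingestion-service, embedded so the check runs offline.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": ["s3:*", "s3-object-lambda:*"],
            "Resource": [
                "arn:aws:s3:::my-platform-nodes-data/*",
                "arn:aws:s3:::my-platform-nodes-data",
                "arn:aws:s3:::my-platform-symbols/*",
                "arn:aws:s3:::my-platform-symbols",
            ],
        },
        {
            "Sid": "S3ConsoleAccess",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets", "s3:ListAccessPoints",
                "s3:GetBucketPublicAccessBlock", "s3:GetBucketPolicyStatus",
                "s3:GetBucketAcl", "s3:GetAccountPublicAccessBlock",
            ],
            "Resource": "*",
        },
    ],
}

# Assumption: the actions a service needs for read/write on a bucket.
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:AbortMultipartUpload"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return (sid, message) pairs for Allow statements that use wildcard
    actions ("service:*") or an unrestricted Resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid") or "<no Sid>"
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((sid, 'Resource "*" is not scoped to the service\'s buckets'))
    return findings


def read_write_policy(bucket_names):
    """Least-privilege replacement: bucket listing plus object read/write on
    exactly the named buckets, one statement pair per bucket."""
    statements = []
    for bucket in bucket_names:
        sid = "".join(part.capitalize() for part in bucket.split("-"))  # Sid must be alphanumeric
        statements.append({"Sid": f"List{sid}", "Effect": "Allow",
                           "Action": BUCKET_ACTIONS, "Resource": f"arn:aws:s3:::{bucket}"})
        statements.append({"Sid": f"ReadWrite{sid}", "Effect": "Allow",
                           "Action": OBJECT_ACTIONS, "Resource": f"arn:aws:s3:::{bucket}/*"})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    for sid, msg in policy_findings(PAGE_POLICY):
        print(f"[{sid}] {msg}")
    import json
    print(json.dumps(read_write_policy(["my-platform-nodes-data", "my-platform-symbols"]), indent=2))
```

Against the page's policy the check reports three findings (two wildcard actions in the first statement and the unrestricted resource in the second); the generated replacement reports none. If the services are later found to need deletes or bucket-level metadata calls, add those specific actions rather than reverting to `s3:*`.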

Applying IAM Roles in Helm

Ensure you have created the IAM roles with the above policies and have the role ARNs. You can then set up your Helm chart as follows:

Example Helm Values File (values.yaml)

upload-service:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/upload-service-role

ingestion-service:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/ingestion-service-role

Replace <AWS_ACCOUNT_ID> with your actual AWS account ID and upload-service-role and ingestion-service-role with the actual role names.
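A values file that still carries the `<AWS_ACCOUNT_ID>` placeholder, or a mistyped ARN, installs cleanly but leaves the pod without IRSA credentials, so the failure only shows up at runtime. The Python below is an added example, not part of this document or of the Raven charts: it takes the parsed values (represented here as a constructed dict, with the placeholder deliberately left in for one service, so that no YAML library is needed) and returns the account and role for each well-formed annotation plus an error list for the rest.

```python
import re

ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"
# IAM role ARN: 12-digit account, role name with optional path.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")

# Constructed stand-in for the parsed values.yaml (not from the page): the
# second service still has the placeholder, to show the check catching it.
VALUES = {
    "upload-service": {"serviceAccount": {"annotations": {
        ROLE_ARN_ANNOTATION: "arn:aws:iam::123456789012:role/upload-service-role"}}},
    "ingestion-service": {"serviceAccount": {"annotations": {
        ROLE_ARN_ANNOTATION: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/ingestion-service-role"}}},
}


def check_role_annotations(values, expected_account=None):
    """Return ({service: (account_id, role_name)}, [errors]) for the
    role-arn annotations in a values dict keyed by sub-chart name."""
    resolved, errors = {}, []
    for service, cfg in values.items():
        arn = cfg.get("serviceAccount", {}).get("annotations", {}).get(ROLE_ARN_ANNOTATION)
        if arn is None:
            errors.append(f"{service}: missing {ROLE_ARN_ANNOTATION}; no IRSA credentials will be injected")
            continue
        if "<" in arn or ">" in arn:
            errors.append(f"{service}: placeholder not replaced in {arn!r}")
            continue
        match = ROLE_ARN_RE.match(arn)
        if not match:
            errors.append(f"{service}: malformed role ARN {arn!r}")
            continue
        account, role = match.groups()
        if expected_account and account != expected_account:
            errors.append(f"{service}: role lives in account {account}, expected {expected_account}")
            continue
        resolved[service] = (account, role)
    return resolved, errors


if __name__ == "__main__":
    ok, errs = check_role_annotations(VALUES, expected_account="123456789012")
    for service, (account, role) in ok.items():
        print(f"{service}: account={account} role={role}")
    for err in errs:
        print("ERROR", err)
```

Run it over the rendered values before `helm install`/`helm upgrade`; a non-empty error list means at least one service would start without a usable role.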

Conclusion

Setting up IRSA allows your microservices to securely interact with AWS services without managing AWS credentials within the pods. By annotating your service accounts with the correct IAM role ARNs and ensuring the roles have the required permissions, you can effectively manage access control for your microservices. For further assistance, refer to the Raven Documentation or contact support.