Assigning an AWS IAM role to an AWS EKS Jenkins Agent Pod

Question

I'm configuring an AWS EKS-based Jenkins master with different agents. Jenkins can spin up new pods just fine. The problem is when I try to assign an IAM role to that pod through the Service account. It just doesn't pick it up. It worked two days ago, but I had to delete the jenkins_home directory, so I'm starting from scratch again.

The service account is like:

$ kubectl get serviceaccount -n jenkins jenkins-agents -o yaml 
apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::1111111111111:role/clz_deployer_role
  creationTimestamp: "2020-09-22T15:19:55Z"
  name: jenkins-agents
  namespace: jenkins
  resourceVersion: "145998"
  selfLink: /api/v1/namespaces/jenkins/serviceaccounts/jenkins-agents
  uid: 8d55df19-140d-4703-bc61-886a25a20eac
secrets:
- name: jenkins-agents-token-mmxb8

and I pass the name of the service account to the Pod configuration:

metadata:
  labels:
    jenkins/label: jenkins-slave-aws-cli
  name: awsclislave
  # annotations:
  #   eks.amazonaws.com/role-arn: arn:aws:iam::1111111111111:role/clz_deployer_role
spec:
  containers:
    - image: pquery/jnlp-slave-docker:latest
      imagePullPolicy: IfNotPresent
      name: awsclislave
      command:
        - cat
      resources:
        limits:
          memory: 512Mi
          cpu: 512m
        requests:
          memory: 512Mi
          cpu: 512m
      tty: true
      volumeMounts:
        - mountPath: /home/jenkins
          name: workspace-volume
          readOnly: false
      workingDir: /home/jenkins
  hostNetwork: false
  nodeSelector:
    kubernetes.io/os: linux
  restartPolicy: Never
  serviceAccount: jenkins-agents
  volumes:
    - emptyDir:
        medium: ""
      name: workspace-volume

I tried with annotations (commented) but it didn't work either. The error message is always the same:

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:sts::1111111111111:assumed-role/shared_services20200922074522597500000008/i-0c1c41c96e96e82df is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::2222222222222:role/clz_aws_cicd_access (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: bfe43133-13c1-4cdb-b4b9-626cf11def58; Proxy: null)

It's trying to use the instance role to perform the operation instead of the role attached to the Service Account. Anyone knows what the problem is?

Answer 1

The problem was on clz_deployer_role IAM role trust relationship, where the namespace was wrong. More specifically, inside condition:

"Condition": { "StringEquals": { "oidc.eks.eu-west-1.amazonaws.com/id/C1B7F80BE15AC5C89956D55EF7E3FFC5:sub": "system:serviceaccount:jenkins:jenkins-agents" } }

The "system:serviceaccount:jenkins:jenkins-agents" string is "system:serviceaccount::<service_account_name>" and namespace was pointing to "default", when it was in "jenkins" It works great now