samples/dapr-eks-podidentity
Fernando Rocha ad548a185d
Dapr EKS Pod Identity Example (#222)
* EKS pod identity sample

Signed-off-by: Fernando Rocha <fernando@diagrid.io>

* Including gitignore

Signed-off-by: Fernando Rocha <fernando@diagrid.io>

* README

Signed-off-by: Fernando Rocha <fernando@diagrid.io>

---------

Signed-off-by: Fernando Rocha <fernando@diagrid.io>
2025-01-20 20:14:27 -08:00
Repository layout:

app/
components/
deploy/
k8s-config/
.gitignore
README.md

README.md

Setting Up Dapr with AWS EKS Pod Identity and Secrets Manager

This guide walks through setting up Dapr with AWS EKS Pod Identity for accessing AWS Secrets Manager.

Prerequisites

Clone repository

git clone https://github.com/dapr/samples.git
cd samples/dapr-eks-podidentity

Create EKS Cluster and install Dapr

Follow the official Dapr documentation for setting up an EKS cluster and installing Dapr: Set up an Elastic Kubernetes Service (EKS) cluster

Create IAM Role and Enable Pod Identity

  1. Create IAM policy for Secrets Manager access:
aws iam create-policy \
    --policy-name dapr-secrets-policy \
    --policy-document '{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:DescribeSecret"
                ],
                "Resource": "arn:aws:secretsmanager:YOUR_AWS_REGION:YOUR_ACCOUNT_ID:secret:*"
            }
        ]
    }'
  2. Create IAM role with Pod Identity trust relationship:
aws iam create-role \
    --role-name dapr-pod-identity-role \
    --assume-role-policy-document '{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "pods.eks.amazonaws.com"
                },
                "Action": [
                    "sts:AssumeRole",
                    "sts:TagSession"
                ]
            }
        ]
    }'
  3. Attach the policy to the role:
aws iam attach-role-policy \
    --role-name dapr-pod-identity-role \
    --policy-arn arn:aws:iam::YOUR_ACCOUNT_ID:policy/dapr-secrets-policy

Both documents are deliberately broad for a sample. The permissions policy grants read access to every secret in the account and region; outside a test, scope Resource to the secret the application actually needs, remembering that Secrets Manager appends a random six-character suffix to every secret ARN, so a pattern such as secret:test-secret-?????? (or the full ARN) is needed, while secret:test-secret on its own never matches. The trust policy, as written, lets any Pod Identity association in the account assume the role: nothing in it names a cluster, namespace or service account. That binding is made only by the association created in the next section, so anyone holding eks:CreatePodIdentityAssociation together with iam:PassRole on this role can bind it to a service account of their choosing. The sts:TagSession grant is what lets EKS Pod Identity attach session tags (among them kubernetes-namespace, kubernetes-service-account and eks-cluster-name) to the assumed-role session; a Condition on aws:PrincipalTag/kubernetes-namespace and aws:PrincipalTag/kubernetes-service-account in the permissions policy keeps the role useful only to the intended workload even if it is later associated elsewhere.
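The following is an added example, not code from the Dapr sample, that makes the scoping argument above concrete. It is a small IAM policy evaluator covering only the semantics the comparison needs (Allow statements, IAM wildcards in Action and Resource, and StringEquals conditions on aws:PrincipalTag keys) and runs the README's secret:* policy, a mis-scoped policy that omits the random suffix, and a least-privilege policy that adds a session-tag condition against two Secrets Manager ARNs. The session tag names kubernetes-namespace and kubernetes-service-account are the ones EKS Pod Identity sets; the account ID, region, cluster name, pod name and the six-character ARN suffixes are constructed values.

```python
"""Added example (not code from the Dapr sample): a minimal IAM policy
evaluator used to compare the README's Secrets Manager policy with a
least-privilege one. It models only what the comparison needs: Allow
statements, IAM wildcards ('*' any run, '?' one character) in Action and
Resource, and StringEquals conditions on aws:PrincipalTag/* keys.
"""
import fnmatch

# Constructed placeholders: account ID, region, cluster, pod name and the
# random six-character suffixes Secrets Manager appends to every secret ARN.
ACCOUNT = "123456789012"
REGION = "us-east-1"
ARN_PREFIX = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:"
TEST_SECRET_ARN = ARN_PREFIX + "test-secret-AbCdEf"
LOOKALIKE_SECRET_ARN = ARN_PREFIX + "test-secret-backup-MnOpQr"
OTHER_SECRET_ARN = ARN_PREFIX + "prod-db-password-GhIjKl"

READ_ACTIONS = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]

def allow(resource, condition=None):
    """One-statement Allow policy for the two read actions used by the sample."""
    stmt = {"Effect": "Allow", "Action": READ_ACTIONS, "Resource": resource}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

# The README's policy: every secret in the account and region.
BROAD_POLICY = allow(ARN_PREFIX + "*")
# A common mistake: the secret name with no room for the random suffix.
UNSUFFIXED_POLICY = allow(ARN_PREFIX + "test-secret")
# Least privilege: exactly one secret ('-??????' is the six-char suffix), and
# only for role sessions whose EKS Pod Identity session tags name the expected
# namespace and service account. These are the tag names Pod Identity sets.
SCOPED_POLICY = allow(
    ARN_PREFIX + "test-secret-??????",
    {"StringEquals": {
        "aws:PrincipalTag/kubernetes-namespace": "dapr-podidentity",
        "aws:PrincipalTag/kubernetes-service-account": "dapr-test-sa",
    }},
)

# Session tags EKS Pod Identity attaches to the assumed-role session (names are
# the documented ones, values constructed). The sts:TagSession grant in the
# trust policy is what allows Pod Identity to set them.
DAPR_POD_TAGS = {
    "eks-cluster-name": "my-cluster",
    "kubernetes-namespace": "dapr-podidentity",
    "kubernetes-service-account": "dapr-test-sa",
    "kubernetes-pod-name": "test-app-7d9f8b6c5-x2k9q",
}
# A pod elsewhere in the cluster whose own association was pointed at the role.
ROGUE_POD_TAGS = {**DAPR_POD_TAGS, "kubernetes-namespace": "dev",
                  "kubernetes-service-account": "default"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _iam_match(pattern, value, case_sensitive=True):
    """IAM wildcard match; action names are case-insensitive, ARNs are not."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def _condition_holds(condition, tags):
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("aws:PrincipalTag/"):
            raise NotImplementedError(f"condition key {key} is not modelled")
        if tags.get(key.split("/", 1)[1]) not in _as_list(expected):
            return False
    return True

def is_allowed(policy, action, resource, session_tags=None):
    """True if some Allow statement grants `action` on `resource` for a session
    carrying `session_tags`. Deny statements are deliberately out of scope."""
    tags = session_tags or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        if not any(_iam_match(a, action, case_sensitive=False) for a in actions):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), tags):
            return True
    return False

def compare_policies(action="secretsmanager:GetSecretValue"):
    """Evaluate each policy for the intended pod and a rogue pod on each secret."""
    policies = {"broad": BROAD_POLICY, "unsuffixed": UNSUFFIXED_POLICY,
                "scoped": SCOPED_POLICY}
    pods = {"dapr-pod": DAPR_POD_TAGS, "rogue-pod": ROGUE_POD_TAGS}
    secrets = {"test-secret": TEST_SECRET_ARN, "lookalike": LOOKALIKE_SECRET_ARN,
               "other-secret": OTHER_SECRET_ARN}
    return {(p, w, s): is_allowed(policy, action, arn, tags)
            for p, policy in policies.items()
            for w, tags in pods.items()
            for s, arn in secrets.items()}

if __name__ == "__main__":
    for (policy, pod, secret), ok in compare_policies().items():
        print(f"{policy:10} {pod:9} {secret:12} -> {'ALLOW' if ok else 'DENY'}")
```

Run stand-alone it prints the 18 decisions: the broad policy allows the rogue pod to read the unrelated production secret, the unsuffixed policy allows nothing at all (the real ARN carries a suffix the pattern does not), and the scoped policy allows only the intended pod on the intended secret, rejecting both the other namespace and the test-secret-backup lookalike that a trailing -* would have matched.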

Create Test Resources

  1. Create namespace:
kubectl create namespace dapr-podidentity
  2. Create service account (k8s-config/service-account.yaml). Its name, dapr-test-sa, is what the Pod Identity association in the next step binds the role to, so the deployment must run under this service account:
kubectl apply -f k8s-config/service-account.yaml
  3. Create Pod Identity association:
eksctl create podidentityassociation \
    --cluster [your-cluster-name] \
    --namespace dapr-podidentity \
    --region [your-aws-region] \
    --service-account-name dapr-test-sa \
    --role-arn arn:aws:iam::YOUR_ACCOUNT_ID:role/dapr-pod-identity-role
  4. Create a test secret in AWS Secrets Manager:
aws secretsmanager create-secret \
    --name test-secret \
    --secret-string '{"key":"value"}' \
    --region [your-aws-region]
  5. Create Dapr component for AWS Secrets Manager (components/aws-secretstore.yaml):
kubectl apply -f components/aws-secretstore.yaml

With Pod Identity the component only needs the region in its metadata. Leave accessKey and secretKey unset: the daprd sidecar then picks up the credentials supplied by the EKS Pod Identity agent, and no long-lived keys end up in a manifest stored in the cluster.

Deploy Test Application

  1. Build and push the Docker image:
cd app
docker build -t your-repository/dapr-secrets-test:latest .
docker push your-repository/dapr-secrets-test:latest
  2. Apply the deployment:
kubectl apply -f deploy/app.yaml

Replace your-repository in the commands above and in deploy/app.yaml with the path of your own container registry repository. The deployment's pod spec must set serviceAccountName to dapr-test-sa: the Pod Identity association is keyed on namespace and service account name, not on the pod or the namespace alone.

Testing

  1. Check if the pod is running:
kubectl get pods -n dapr-podidentity
  2. Port forward to access the application:
kubectl port-forward -n dapr-podidentity deploy/test-app 8080:8080
  3. Test secret access:
curl http://localhost:8080/test-secret

Troubleshooting

Authentication Issues

If you see "You must be logged in to the server (Unauthorized)", update your kubeconfig:

aws eks update-kubeconfig --region [your-aws-region] --name [your-cluster-name]

Pod Identity Issues

Verify Pod Identity association:

eksctl get podidentityassociation --cluster [your-cluster-name] --region [your-aws-region]

The association must list the dapr-podidentity namespace, the dapr-test-sa service account and the dapr-pod-identity-role ARN; a mismatch in any of the three means the pod receives no credentials.

Dapr Component Issues

Check Dapr sidecar logs:

kubectl logs -n dapr-podidentity -l app=test-app -c daprd

If the logs show AWS authentication failures, confirm that the daprd container carries the AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE environment variables that EKS Pod Identity injects when the pod is created. Pods created before the association existed do not receive them; restart the deployment so the pods are recreated.

References