# IAM integration for Litmus service accounts

You can execute Litmus AWS experiments against different AWS services from the EKS cluster itself. To do this, Litmus has to authenticate to AWS, which can be done in one of two ways: by mounting a Kubernetes secret containing AWS credentials into the experiment pod (the default), or by using IAM roles for service accounts, which is what this page describes.

## Why should we use IAM integration for AWS authentication?

The IAM roles for service accounts feature provides the following benefits:

- Least privilege: each service account gets its own IAM role carrying only the permissions that experiment needs, instead of a shared set of credentials.
- Credential isolation: the experiment pod receives a short-lived, projected web identity token rather than long-lived access keys stored in a Kubernetes secret.
- Auditability: API calls made by the experiment are attributed to the role in CloudTrail.

## Enable service accounts to access AWS resources

#### Step 1: Create an IAM OIDC provider for your cluster

This needs to be done once per cluster. We follow the [AWS documentation to set up an OIDC provider](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) using eksctl.

**Check whether you have an existing IAM OIDC provider for your cluster:**

***Note:*** _For demonstration we use the cluster name `litmus-demo` and the region `us-west-1`; replace these values according to your environment._

```bash
aws eks describe-cluster --name litmus-demo --query "cluster.identity.oidc.issuer" --output text
```

**Output:**

```bash
https://oidc.eks.us-west-1.amazonaws.com/id/D054E55B6947B1A7B3F200297789662C
```

Now list the IAM OIDC providers in your account:

```bash
aws iam list-open-id-connect-providers | grep <oidc-id>
```

Replace `<oidc-id>` (including `<>`) with the ID at the end of the issuer URL returned by the previous command (`D054E55B6947B1A7B3F200297789662C` in this example). If the command prints nothing, the cluster does not have an IAM OIDC identity provider yet, so create one with the following command. Replace `litmus-demo` with your own cluster name.
```bash
eksctl utils associate-iam-oidc-provider --cluster litmus-demo --approve
2021-09-07 14:54:01 [ℹ]  eksctl version 0.52.0
2021-09-07 14:54:01 [ℹ]  using region us-west-1
2021-09-07 14:54:04 [ℹ]  will create IAM Open ID Connect provider for cluster "litmus-demo" in "us-west-1"
2021-09-07 14:54:05 [✔]  created IAM Open ID Connect provider for cluster "litmus-demo" in "us-west-1"
```

#### Step 2: Creating an IAM role and policy for your service account

You must create an IAM policy that specifies the permissions the experiment should have. Keep it to the API actions the experiment actually calls; the role is what the experiment pod will run as. There are several ways to create a new IAM permission policy; check out the [AWS docs for creating the IAM policy](https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html#create-service-account-iam-policy). We will use eksctl to create the role and bind it to the service account:

```bash
eksctl create iamserviceaccount \
  --name <service-account-name> \
  --namespace <namespace> \
  --cluster <cluster-name> \
  --attach-policy-arn <policy-arn> \
  --approve \
  --override-existing-serviceaccounts
```

This command creates an IAM role whose trust policy is scoped to exactly this namespace and service-account name, attaches the policy, and annotates the service account with the role ARN. `--override-existing-serviceaccounts` is needed when the service account (for example `litmus-admin`) already exists.

#### Step 3: Associate an IAM role with a service account

Complete this task for each Kubernetes service account that needs access to AWS resources. The association is expressed as an annotation on the service account that names the IAM role (eksctl adds it for you in Step 2; add it yourself if you created the role another way):

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: litmus-admin
  namespace: litmus
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>
```

You can also annotate the experiment service account with the following command.

***Notes:***

_1. Ideally, annotating the `litmus-admin` service account in the `litmus` namespace should work for most of the experiments._

_2. For the cluster autoscaler experiment, annotate the service account in the `kube-system` namespace._

```bash
kubectl annotate serviceaccount -n <namespace> <service-account-name> \
  eks.amazonaws.com/role-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>
```

Verify that the experiment service account is now associated with the IAM role.
If you run an experiment and inspect one of its pods, you can verify that the `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` environment variables exist. The EKS pod identity webhook injects them at pod creation, so only pods started after the annotation was added will have them.

```bash
kubectl exec -n litmus <pod-name> -- env | grep AWS
```

Output:

```
AWS_VPC_K8S_CNI_LOGLEVEL=DEBUG
AWS_ROLE_ARN=arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
```

Now we have successfully enabled the experiment service account to access AWS resources.

## Configure the Experiment CR

Since IAM is now configured for the experiment service account, the experiment no longer needs the `cloud-secret` secret, which the experiment CR mounts by default. Remove the following lines from the experiment YAML; otherwise the experiment can still pick up the static credentials from the secret instead of using the IAM role:

```yaml
secrets:
  - name: cloud-secret
    mountPath: /tmp/
```

We can now run the experiment with the direct IAM integration.
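The three steps above, plus the token check, carried out as a script. This is an added example, not code from the Litmus project or the AWS documentation: it builds the role's trust policy by hand (the equivalent of what `eksctl create iamserviceaccount` generates) so that the `sub` condition restricting the role to the `litmus-admin` service account is visible, and it decodes the projected token inside a running experiment pod to confirm which service account it is bound to. The account ID `111122223333`, the role name `litmus-ec2-chaos`, the `irsa_apply` and `verify_pod_identity` helpers and the sample policy ARN in the usage comment are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Litmus project code): manual IRSA setup for the
# litmus-admin service account, with the trust policy made explicit.
set -eu

# Emit the trust policy an IRSA role needs. The StringEquals on ":sub" is
# what stops every other pod in the cluster from assuming this role; without
# it any workload that can obtain a projected token could use the role.
trust_policy() {
  issuer="$1"; account="$2"; namespace="$3"; sa="$4"
  host="${issuer#https://}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::${account}:oidc-provider/${host}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "${host}:sub": "system:serviceaccount:${namespace}:${sa}",
      "${host}:aud": "sts.amazonaws.com"
    }}
  }]
}
EOF
}

# Decode the payload of a JWT (base64url, unpadded). No signature check:
# that is STS's job; we only want to read the claims.
jwt_payload() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d
}

# True when the token's "sub" claim is exactly the expected service account.
# Kubernetes emits compact JSON, so a substring match on the claim is enough.
token_sub_matches() {
  claims=$(jwt_payload "$1")
  case "$claims" in
    *"\"sub\":\"$2\""*) return 0 ;;
    *) return 1 ;;
  esac
}

# Steps 1-3 without eksctl create iamserviceaccount (assumed helper; needs
# aws, eksctl and kubectl with credentials, so it is not run automatically).
irsa_apply() {
  cluster="$1"; account="$2"; role="$3"; policy_arn="$4"; namespace="$5"; sa="$6"
  issuer=$(aws eks describe-cluster --name "$cluster" \
             --query "cluster.identity.oidc.issuer" --output text)
  eksctl utils associate-iam-oidc-provider --cluster "$cluster" --approve
  trust_policy "$issuer" "$account" "$namespace" "$sa" > /tmp/trust.json
  aws iam create-role --role-name "$role" \
    --assume-role-policy-document file:///tmp/trust.json
  aws iam attach-role-policy --role-name "$role" --policy-arn "$policy_arn"
  kubectl annotate serviceaccount -n "$namespace" "$sa" --overwrite \
    "eks.amazonaws.com/role-arn=arn:aws:iam::${account}:role/${role}"
}

# Read the projected token out of a running experiment pod and confirm it
# is bound to the service account the trust policy expects (assumed helper).
verify_pod_identity() {
  namespace="$1"; pod="$2"; expected_sub="$3"
  token=$(kubectl exec -n "$namespace" "$pod" -- \
            cat /var/run/secrets/eks.amazonaws.com/serviceaccount/token)
  token_sub_matches "$token" "$expected_sub"
}

# Usage (assumed values):
#   irsa_apply litmus-demo 111122223333 litmus-ec2-chaos \
#     arn:aws:iam::111122223333:policy/litmus-ec2-chaos litmus litmus-admin
#   verify_pod_identity litmus <experiment-pod> \
#     system:serviceaccount:litmus:litmus-admin && echo "bound to litmus-admin"
```

If `verify_pod_identity` fails for a pod that does have `AWS_ROLE_ARN` set, the pod is running under a different service account than the one the role trusts; `sts:AssumeRoleWithWebIdentity` will be refused for it, which is exactly what the `sub` condition is meant to do.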