Use EKS Pod Identity in AWS
This documentation is for the CARTO Self-Hosted Legacy Version. Use only if you've installed this specific version. Explore our latest documentation for updated features.
What is EKS Pod Identity?
Amazon EKS Pod Identity allows Kubernetes pods in EKS clusters to securely assume specific AWS IAM roles, enabling secure, granular access to AWS resources without embedding credentials within the pods.
This approach enhances security by reducing the risk of exposed access keys and supports fine-grained access control by enabling distinct permissions for each workload. With EKS Pod Identity, managing access credentials becomes simpler and safer, allowing developers to control AWS resource permissions at the pod level.
Enabling EKS Pod Identity in your Self-Hosted installation is only available for the orchestrated container deployment of CARTO.
How does EKS Pod Identity work?
Enabling EKS Pod Identity on a cluster allows the pods deployed in it to assume an IAM role. When Amazon EKS starts a new pod that uses a service account with an EKS Pod Identity association, it injects environment variables into the pod that the AWS SDKs use to obtain temporary credentials and authenticate against AWS APIs.
To enable this feature in your EKS cluster, refer to the AWS documentation on EKS Pod Identity.
Use EKS Pod Identity to access the metadata database
CARTO Self-Hosted running on an EKS cluster can take advantage of the EKS Pod Identity feature to connect to the PostgreSQL metadata database if it's deployed in Amazon RDS.
Configuration
Set up EKS Pod Identity following the documentation.
Enable IAM Authentication in your PostgreSQL RDS database.
Create a user with IAM Authentication enabled in your database, replacing the following placeholder:
USERNAME: Username that will be used to connect to your metadata database.
Grant your Pod Identity IAM Role permissions to connect to your metadata database.
Assign the following policy to the role configured for EKS Pod Identity, replacing these placeholders:
REGION: AWS region in which the metadata database is deployed.
AWS_ACCOUNT_ID: ID of the AWS account where the metadata database is deployed.
RDS_DATABASE_RESOURCE_ID: Resource ID of the database in AWS. It is a string matching the format db-Rxxxxxxxxxxxxxxxx.
USERNAME: Username that will be used to connect to your metadata database. It must be the same user that was created previously.
Provide the following configuration in the customizations.yaml file, replacing these placeholders:
EKS_POD_IDENTITY_SERVICE_ACCOUNT: Name of the service account you created when configuring EKS Pod Identity.
HOST: Address of the PostgreSQL RDS database.
USERNAME: Username that will be used to connect to your metadata database. It must be the same user that was created previously.
PORT: Port used to connect to the PostgreSQL RDS database.
REGION: AWS region in which the metadata database is deployed.
CA_CERT: Content of the CA certificate used to connect to the database using SSL.
Once you've applied the changes to your customizations.yaml file, your CARTO deployment will use the role you created to connect to the metadata database!
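With IAM Authentication, the "password" that a pod presents to RDS is a short-lived SigV4 presigned token built from the temporary credentials that Pod Identity injects, covering exactly the HOST, PORT, USERNAME and REGION values configured above. The following is an added example (not CARTO's code) that builds such a token with the Python standard library only; the function name, the `EXAMPLE` inputs (AWS's documented placeholder key pair and a fixed clock) and the hostname are constructed for illustration.

```python
"""Build an RDS IAM authentication token (a SigV4 presigned URL) using only
the Python standard library. Added example, not CARTO code."""
import datetime
import hashlib
import hmac
import urllib.parse

def _sign(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def generate_db_auth_token(host, port, username, region, access_key, secret_key,
                           session_token=None, now=None, expires=900):
    """Return the token used as the PostgreSQL password for an IAM-enabled user.
    It is a SigV4 query-string presigned GET for
    https://HOST:PORT/?Action=connect&DBUser=USERNAME (service 'rds-db') with
    the scheme stripped; RDS accepts it for 15 minutes and only over TLS."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/rds-db/aws4_request"
    params = {"Action": "connect", "DBUser": username,
              "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{access_key}/{scope}",
              "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires),
              "X-Amz-SignedHeaders": "host"}
    if session_token:  # temporary credentials (what Pod Identity hands out)
        params["X-Amz-Security-Token"] = session_token
    quote = lambda s: urllib.parse.quote(s, safe="-_.~")  # RFC 3986 encoding
    canonical_qs = "&".join(f"{quote(k)}={quote(v)}" for k, v in sorted(params.items()))
    # Canonical request: method, path, query, headers (host only), payload hash
    canonical_request = "\n".join(["GET", "/", canonical_qs, f"host:{host}:{port}\n",
                                   "host", hashlib.sha256(b"").hexdigest()])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: secret -> date -> region -> service -> aws4_request
    k = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], region, "rds-db", "aws4_request"):
        k = _sign(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{canonical_qs}&X-Amz-Signature={signature}"

# Constructed inputs: AWS's documented placeholder key pair and a fixed clock.
EXAMPLE = dict(host="carto-metadata.abc123.eu-west-1.rds.amazonaws.com", port=5432,
               username="carto", region="eu-west-1", access_key="AKIAIOSFODNN7EXAMPLE",
               secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
               now=datetime.datetime(2024, 1, 1, 12, 0, tzinfo=datetime.timezone.utc))

def example_token():
    return generate_db_auth_token(**EXAMPLE)
```

The token goes in the password field of a TLS connection (for example psycopg2 with `sslmode=verify-full` and `sslrootcert` pointing at a file holding CA_CERT); it never grants anything beyond `rds-db:connect` for that one user, and it expires on its own, which is why no long-lived database password needs to live in the pod.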
Use EKS Pod Identity to access the S3 buckets
CARTO Self-Hosted running on an EKS cluster can take advantage of the EKS Pod Identity feature to connect to its S3 buckets.
Configuration
Set up EKS Pod Identity following the documentation.
Grant your Pod Identity IAM Role permissions to access your S3 buckets. You can find the needed permissions in the guide to configure your own buckets.
In your customizations.yaml file, provide the changes explained in the guide to configure your own buckets, plus the following configuration:
EKS_POD_IDENTITY_SERVICE_ACCOUNT: Name of the service account you created when configuring EKS Pod Identity.
Once you've applied the changes to your customizations.yaml file, your CARTO deployment will use the role you created to connect to the S3 buckets!