Use EKS Pod Identity in AWS (Helm)
For CARTO Self-hosted using Kubernetes and Helm
EKS Pod Identity allows Kubernetes pods in EKS clusters to securely assume specific AWS IAM roles, enabling secure, granular access to AWS resources without embedding credentials within the pods.
This approach enhances security by reducing the risk of exposed access keys and supports fine-grained access control by enabling distinct permissions for each workload. With EKS Pod Identity, managing access credentials becomes simpler and safer, allowing developers to control AWS resource permissions at the pod level.
Enabling EKS Pod Identity on a cluster allows the pods deployed on it to assume an IAM role. When Amazon EKS starts a new pod that uses a service account with an EKS Pod Identity association, it injects environment variables into the pod that the AWS SDKs use to obtain temporary credentials and authenticate against AWS APIs.
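The following is an added example, not CARTO's code and not the AWS SDK itself: it reproduces the container credential-provider step that the SDKs perform inside a pod, so you can see what the injected variables are used for and check that they are present. The variable names are the ones EKS Pod Identity sets (AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE); the agent response used below is constructed, and the agent URI in it is a sample value.

```python
"""How a pod consumes the variables injected by EKS Pod Identity.

Added example (not CARTO's code, not the AWS SDK). The SDK reads the
token file named by AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE, sends its
contents in an Authorization header to AWS_CONTAINER_CREDENTIALS_FULL_URI,
and receives short-lived credentials for the associated IAM role.
"""
import json
import os
from datetime import datetime, timezone
from urllib.request import Request, urlopen

CREDS_URI_VAR = "AWS_CONTAINER_CREDENTIALS_FULL_URI"
TOKEN_FILE_VAR = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"


def pod_identity_config(env):
    """Return (uri, token_path) when both injected variables are present.

    Returns None when either is missing, which usually means the pod's
    service account has no EKS Pod Identity association.
    """
    uri = env.get(CREDS_URI_VAR)
    token_path = env.get(TOKEN_FILE_VAR)
    if not uri or not token_path:
        return None
    return uri, token_path


def parse_credentials(raw, now=None):
    """Validate the agent's JSON response and return a credentials dict.

    Raises ValueError if a required field is missing or the credentials
    are already expired (the SDK would refresh them before that point).
    """
    doc = json.loads(raw)
    required = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")
    missing = [key for key in required if key not in doc]
    if missing:
        raise ValueError(f"credential response is missing {missing}")
    expires = datetime.fromisoformat(doc["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if expires <= now:
        raise ValueError("credentials from the agent are already expired")
    return {
        "access_key_id": doc["AccessKeyId"],
        "secret_access_key": doc["SecretAccessKey"],
        "session_token": doc["Token"],
        "expiration": expires,
    }


def fetch_credentials(env=None):
    """Perform the real exchange against the agent inside a pod."""
    env = os.environ if env is None else env
    cfg = pod_identity_config(env)
    if cfg is None:
        raise RuntimeError(
            "EKS Pod Identity variables not injected; "
            "check the service account association"
        )
    uri, token_path = cfg
    with open(token_path, encoding="utf-8") as fh:
        token = fh.read().strip()
    req = Request(uri, headers={"Authorization": token})
    with urlopen(req, timeout=5) as resp:  # nosec: link-local agent endpoint
        return parse_credentials(resp.read())


# Constructed sample of what the agent returns (values are placeholders).
SAMPLE_RESPONSE = json.dumps({
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "EXAMPLESECRETKEY",
    "Token": "EXAMPLESESSIONTOKEN",
    "Expiration": "2030-01-01T00:00:00Z",
})

if __name__ == "__main__":
    # Outside a pod the variables are absent, so only the parsing path runs.
    print("injected variables present:", pod_identity_config(os.environ) is not None)
    creds = parse_credentials(SAMPLE_RESPONSE)
    print("sample credentials valid until", creds["expiration"].isoformat())
```

Inside a pod with a working association, fetch_credentials() returns the same shape of dict the SDKs build internally; on a pod without an association it fails fast with a message pointing at the service account, which is the first thing to check when CARTO reports AWS authentication errors.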
In order to enable this feature in your EKS cluster, you can check the following .
CARTO Self-Hosted running on an EKS cluster can take advantage of the EKS Pod Identity feature to connect to the PostgreSQL metadata database when it is deployed in RDS.
Set up EKS Pod Identity following the .
Enable IAM Authentication in your PostgreSQL RDS database.
Create a user with IAM Authentication enabled in your database:
USERNAME: Username that will be used to connect to your metadata database.
Grant your Pod Identity IAM Role permissions to connect to your metadata database.
Assign the following policy to the role configured for EKS Pod Identity:
REGION: AWS region in which the metadata database is deployed.
AWS_ACCOUNT_ID: ID of the AWS account where the metadata database is deployed.
RDS_DATABASE_RESOURCE_ID: Resource ID of the database in AWS. It should be a string matching the following format: db-Rxxxxxxxxxxxxxxxx
USERNAME: Username that will be used to connect to your metadata database. It should be the same one that was created previously.
Provide the following configuration in the customizations.yaml file:
EKS_POD_IDENTITY_SERVICE_ACCOUNT: Name of the service account you created when configuring EKS Pod Identity.
HOST: Address of the PostgreSQL RDS database.
USERNAME: Username that will be used to connect to your metadata database. It should be the same one that was created previously.
PORT: Port used to connect to the PostgreSQL RDS database.
REGION: AWS region in which the metadata database is deployed.
CA_CERT: Content of the CA certificate used to connect to the database using SSL.
Once you've applied the changes in your customizations.yaml file, your CARTO deployment will use the role you created to connect to the metadata database.
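The page does not reproduce the SQL statement or the IAM policy text the steps above refer to, so the following added example (not CARTO's code) builds them from the same placeholders. It uses the standard rds-db:connect policy and the rds_iam role grant that AWS documents for RDS PostgreSQL IAM authentication; the placeholder values passed in at the bottom are constructed, and the libpq connection parameters shown are an assumption about how a client would consume CA_CERT and the IAM token.

```python
"""Artifacts for the RDS IAM-authentication steps: the policy, the SQL,
and the client-side connection parameters.

Added example, not CARTO's own code. Policy and SQL follow AWS's
documentation for IAM database authentication on RDS PostgreSQL.
"""
import json
import re

# Loose shape check for the resource ID; the page gives it as db-Rxxxxxxxxxxxxxxxx.
RESOURCE_ID_RE = re.compile(r"^db-[A-Za-z0-9]+$")
# Only plain identifiers are accepted, so the username can be quoted safely in SQL.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_]{0,62}$")
ACCOUNT_ID_RE = re.compile(r"^[0-9]{12}$")


def rds_connect_arn(region, account_id, resource_id, username):
    """ARN of a single database user, scoping the role to one login only."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("AWS_ACCOUNT_ID must be the 12-digit account number")
    if not RESOURCE_ID_RE.match(resource_id):
        raise ValueError("RDS_DATABASE_RESOURCE_ID must look like db-Rxxxxxxxxxxxxxxxx")
    if not USERNAME_RE.match(username):
        raise ValueError("USERNAME must be a plain lowercase identifier")
    return f"arn:aws:rds-db:{region}:{account_id}:dbuser:{resource_id}/{username}"


def connect_policy(region, account_id, resource_id, username):
    """Least-privilege policy for the Pod Identity role: rds-db:connect only,
    on the one user ARN, rather than a wildcard over every database user."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": rds_connect_arn(region, account_id, resource_id, username),
        }],
    }


def create_iam_user_sql(username):
    """SQL run once by a database administrator: the rds_iam role is what
    makes PostgreSQL accept an IAM token instead of a stored password."""
    if not USERNAME_RE.match(username):
        raise ValueError("USERNAME must be a plain lowercase identifier")
    return f'CREATE USER "{username}" WITH LOGIN;\nGRANT rds_iam TO "{username}";'


def libpq_params(host, port, username, ca_cert_path, auth_token):
    """Connection parameters a client built on libpq would use (assumption).
    auth_token is the short-lived token the SDK generates for the role
    (boto3: rds.generate_db_auth_token); it is sent as the password.
    verify-full pins the server to the CA from CA_CERT and checks the hostname."""
    if not (1 <= int(port) <= 65535):
        raise ValueError("PORT out of range")
    return {
        "host": host,
        "port": int(port),
        "user": username,
        "password": auth_token,
        "sslmode": "verify-full",
        "sslrootcert": ca_cert_path,
    }


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own.
    policy = connect_policy("eu-west-1", "123456789012", "db-RABCDEFGHIJKLMNOP", "carto_app")
    print(json.dumps(policy, indent=2))
    print(create_iam_user_sql("carto_app"))
    print(libpq_params("metadata.example.rds.amazonaws.com", 5432, "carto_app",
                       "/etc/carto/rds-ca.pem", "<token from generate_db_auth_token>"))
```

The identifier check on USERNAME matters twice: it keeps the generated SQL free of quoting problems, and it keeps the policy ARN pointing at exactly one database login, so the role cannot be used to authenticate as any other user on the instance.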
CARTO Self-Hosted running on an EKS cluster can also take advantage of the EKS Pod Identity feature to connect to S3 buckets.
Set up EKS Pod Identity following the .
Grant your Pod Identity IAM Role permissions to access your S3 buckets. You can find the needed permissions in the .
Provide in your customizations.yaml file the changes explained in the and the following configuration:
EKS_POD_IDENTITY_SERVICE_ACCOUNT: Name of the service account you created when configuring EKS Pod Identity.
Once you've applied the changes in your customizations.yaml file, your CARTO deployment will use the role you created to connect to the S3 buckets.