How-To: Configure the AWS cloud provider with IAM Roles for Service Accounts (IRSA)

Learn how to configure the AWS provider with IAM Roles for Service Accounts (IRSA) for your Radius Environment

The AWS provider allows you to deploy and connect to AWS resources from a Radius Environment on an EKS cluster. It can be configured interactively with rad init, or manually with rad install kubernetes, rad env update and rad credential register, as described below.

Prerequisites

Set up AWS IAM Roles for Service Accounts (IRSA) for Radius

To authorize Radius to connect to AWS using AWS IAM Roles for Service Accounts (IRSA), you assign IAM roles to Kubernetes service accounts. Create an IAM role and associate it with the Radius Kubernetes service accounts as follows:

  • Go to Identity and Access Management (IAM) in the AWS console and create a new role.

  • Select Web Identity as the trusted entity type and the cluster's OIDC URL as the identity provider.

  • Select the IAM policy you created to attach to your new role.

  • Add a role name and create the role using the default trust policy.

  • Update the trust policy to match the format below, replacing <account-id> and <oidc-url> with your own values.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::<account-id>:oidc-provider/<oidc-url>"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "<oidc-url>:aud": "sts.amazonaws.com",
                        "<oidc-url>:sub": "system:serviceaccount:radius-system:ucp"
                    }
                }
            },
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::<account-id>:oidc-provider/<oidc-url>"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "<oidc-url>:aud": "sts.amazonaws.com",
                        "<oidc-url>:sub": "system:serviceaccount:radius-system:applications-rp"
                    }
                }
            }
        ]
    }
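
The security-relevant part of the trust policy above is the Condition block: the aud key pins the token audience to STS, and the sub key pins each statement to exactly one Radius service account (ucp and applications-rp in radius-system), so no other pod in the cluster can assume the role. The script below is an added example, not code from the Radius docs or the Radius project. It builds a trust policy of the same shape for those two service accounts from an account ID and the cluster's OIDC issuer URL (IAM writes the provider without the https:// scheme, which the script handles), and audits an existing policy document for a missing aud condition, a StringLike wildcard on sub, or a sub outside the Radius namespace. The account ID and issuer URL in it are constructed placeholders, and the function names (oidc_provider_id, build_trust_policy, check_trust_policy) are my own.

```python
"""Build and audit an IRSA trust policy for the Radius control-plane service accounts.

Added example, not code from the Radius docs or the Radius project. The account
ID and OIDC issuer below are constructed placeholders; the function names are mine.
"""
import json
from urllib.parse import urlparse

# The two Radius control-plane service accounts the page's trust policy names.
RADIUS_NAMESPACE = "radius-system"
RADIUS_SERVICE_ACCOUNTS = ("ucp", "applications-rp")

# Constructed placeholders standing in for <account-id> and the cluster issuer URL.
EXAMPLE_ACCOUNT_ID = "123456789012"
EXAMPLE_ISSUER_URL = "https://oidc.eks.us-east-2.amazonaws.com/id/EXAMPLE1234"


def oidc_provider_id(issuer_url: str) -> str:
    """Return the <oidc-url> form AWS uses in the provider ARN and condition keys.

    EKS reports the issuer with an https:// scheme; IAM refers to the provider by
    host and path only, so the scheme is stripped and a trailing slash removed.
    """
    parsed = urlparse(issuer_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"issuer must be an https URL, got {issuer_url!r}")
    return parsed.netloc + parsed.path.rstrip("/")


def build_trust_policy(account_id: str, issuer_url: str, namespace: str = RADIUS_NAMESPACE,
                       service_accounts=RADIUS_SERVICE_ACCOUNTS) -> dict:
    """One statement per service account, each pinned to aud=sts.amazonaws.com
    and to that account's exact sub claim, matching the shape shown on the page."""
    provider = oidc_provider_id(issuer_url)
    statements = []
    for sa in service_accounts:
        statements.append({
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{provider}:aud": "sts.amazonaws.com",
                f"{provider}:sub": f"system:serviceaccount:{namespace}:{sa}",
            }},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def check_trust_policy(policy: dict, expected_provider: str,
                       namespace: str = RADIUS_NAMESPACE) -> list:
    """Return findings (an empty list means the policy is as tight as the page's).

    Every web-identity statement must name the expected OIDC provider, pin aud to
    sts.amazonaws.com with StringEquals, and pin sub with StringEquals to a service
    account in the Radius namespace. A StringLike sub is flagged because a wildcard
    there would let pods outside radius-system assume the role.
    """
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        fed = st.get("Principal", {}).get("Federated", "")
        if not fed.endswith(f":oidc-provider/{expected_provider}"):
            findings.append(f"statement {i}: unexpected federated principal {fed!r}")
        cond = st.get("Condition", {})
        equals = cond.get("StringEquals", {})
        if equals.get(f"{expected_provider}:aud") != "sts.amazonaws.com":
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        sub_key = f"{expected_provider}:sub"
        if sub_key in cond.get("StringLike", {}):
            findings.append(f"statement {i}: sub uses StringLike, which permits wildcards")
        sub = equals.get(sub_key)
        if sub is None:
            findings.append(f"statement {i}: sub is not pinned with StringEquals")
        elif not sub.startswith(f"system:serviceaccount:{namespace}:"):
            findings.append(f"statement {i}: sub {sub!r} is outside namespace {namespace}")
    return findings


# Constructed sample of a trust policy that is too broad: a StringLike wildcard on
# sub and no aud condition, so any service account in the cluster could assume it.
EXAMPLE_PROVIDER = oidc_provider_id(EXAMPLE_ISSUER_URL)
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{EXAMPLE_ACCOUNT_ID}:oidc-provider/{EXAMPLE_PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{EXAMPLE_PROVIDER}:sub": "system:serviceaccount:*:*"}},
    }],
}

if __name__ == "__main__":
    good = build_trust_policy(EXAMPLE_ACCOUNT_ID, EXAMPLE_ISSUER_URL)
    print(json.dumps(good, indent=4))
    print("generated policy findings:", check_trust_policy(good, EXAMPLE_PROVIDER))
    print("broad policy findings:", check_trust_policy(OVERLY_BROAD_POLICY, EXAMPLE_PROVIDER))
```

Run it to print a policy you can paste into the role's trust relationship, or pass the JSON you already have on the role to check_trust_policy after fetching it; an empty findings list means every statement is pinned the way the page's policy is.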
    

Now that the setup is complete, you can install Radius with AWS IRSA enabled.

Interactive configuration

  1. Initialize a new environment with rad init --full:

    rad init --full
    
  2. Follow the prompts, specifying:

    • Namespace - The Kubernetes namespace where your application containers and networking resources will be deployed (different from the Radius control-plane namespace, radius-system)
    • Add an AWS provider
      1. Select the “IRSA” option

      2. Enter the IAM Role ARN. Find the ARN on the role created in the setup step.

      3. Confirm the AWS account ID or provide the account ID you would like to use.

      4. Select a region to deploy your AWS resources to.

    • Environment name - The name of the environment to create

    You should see the following output:

    Initializing Radius. This may take a minute or two...
    
    ✅ Install Radius edge
      - Kubernetes cluster: k3d-k3s-default
      - Kubernetes namespace: radius-system
      - AWS credential: IRSA
      - IAM Role ARN: arn:aws:iam::myAccountID:role/radius-role-new
    ✅ Create new environment default
      - Kubernetes namespace: default
      - AWS: account myAccountID and region us-east-2
    ✅ Update local configuration
    
      Initialization complete! Have a RAD time 😎
    

Manual configuration

  1. Use rad install kubernetes to install Radius with AWS IAM Roles for Service Accounts (IRSA) enabled:

    rad install kubernetes --set global.aws.irsa.enabled=true
    
  2. Create your resource group and environment:

    rad group create default
    rad env create default
    
  3. Use rad env update to update your Radius Environment with your AWS region and AWS account ID:

    rad env update myEnvironment --aws-region myAwsRegion --aws-account-id myAwsAccountId
    
  4. Use rad credential register aws irsa to add the AWS IRSA credentials:

    rad credential register aws irsa --iam-role myRoleARN
    

    Radius will use the provided role ARN for all interactions with AWS, including Bicep and Recipe deployments.