Setting Up Dapr with AWS EKS Pod Identity and Secrets Manager

This guide walks through running Dapr on AWS EKS with EKS Pod Identity, so that the Dapr sidecar reads from AWS Secrets Manager with temporary IAM credentials issued to the pod's Kubernetes service account instead of static access keys stored in the component definition.

Prerequisites

Clone repository

git clone https://github.com/dapr/samples.git
cd samples/dapr-eks-podidentity

Create EKS Cluster and install Dapr

Follow the official Dapr documentation, "Set up an Elastic Kubernetes Service (EKS) cluster", to create the cluster and install Dapr. EKS Pod Identity also requires the Amazon EKS Pod Identity Agent add-on (eks-pod-identity-agent) to be installed on the cluster; without it, no credentials are served to pods.

Create IAM Role and Enable Pod Identity

  1. Create the IAM policy that grants read access to Secrets Manager:
aws iam create-policy \
    --policy-name dapr-secrets-policy \
    --policy-document '{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:DescribeSecret"
                ],
                "Resource": "arn:aws:secretsmanager:YOUR_AWS_REGION:YOUR_ACCOUNT_ID:secret:*"
            }
        ]
    }'
     The Resource above matches every secret in the account and region, which is acceptable for this walkthrough only. For anything else, narrow it to the secrets the sidecar actually needs; Secrets Manager ARNs end in a random suffix, so a single secret is matched with a pattern such as secret:test-secret-*.
  2. Create the IAM role whose trust policy lets the EKS Pod Identity service principal (pods.eks.amazonaws.com) assume it. sts:TagSession must be allowed as well, because Pod Identity tags each session with the cluster, namespace and service account names:
aws iam create-role \
    --role-name dapr-pod-identity-role \
    --assume-role-policy-document '{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "pods.eks.amazonaws.com"
                },
                "Action": [
                    "sts:AssumeRole",
                    "sts:TagSession"
                ]
            }
        ]
    }'
  3. Attach the policy to the role:
aws iam attach-role-policy \
    --role-name dapr-pod-identity-role \
    --policy-arn arn:aws:iam::YOUR_ACCOUNT_ID:policy/dapr-secrets-policy

Create Test Resources

  1. Create the namespace:
kubectl create namespace dapr-podidentity
  2. Create the dapr-test-sa service account (k8s-config/service-account.yaml):
kubectl apply -f k8s-config/service-account.yaml
  3. Create the Pod Identity association that maps this service account to the IAM role. Do this before deploying the application: Pod Identity injects the credential environment variables when a pod is created, so pods that were already running with this service account must be recreated.
eksctl create podidentityassociation \
    --cluster [your-cluster-name] \
    --namespace dapr-podidentity \
    --region [your-aws-region] \
    --service-account-name dapr-test-sa \
    --role-arn arn:aws:iam::YOUR_ACCOUNT_ID:role/dapr-pod-identity-role
  4. Create a test secret in AWS Secrets Manager, in the same region the IAM policy's Resource names:
aws secretsmanager create-secret \
    --name test-secret \
    --secret-string '{"key":"value"}' \
    --region [your-aws-region]
  5. Create the Dapr secret store component for AWS Secrets Manager (components/aws-secretstore.yaml). Leave the accessKey and secretKey metadata fields out of the component so the sidecar falls back to the AWS SDK's default credential chain, which is where the Pod Identity credentials are picked up:
kubectl apply -f components/aws-secretstore.yaml

Deploy Test Application

  1. Build and push the Docker image:
cd app
docker build -t your-repository/dapr-secrets-test:latest .
docker push your-repository/dapr-secrets-test:latest
  2. Apply the deployment:
kubectl apply -f deploy/app.yaml

Replace your-repository with your own container registry repository name, both in the commands above and in deploy/app.yaml.
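The README does not show what the application under app/ does. The block below is an added example, not the sample's own app code: a minimal test service that fetches test-secret through the Dapr sidecar's secrets API (GET /v1.0/secrets/<store>/<name> on the sidecar's HTTP port), handles the failure modes a misconfigured role or component produces, and answers GET /test-secret without echoing the secret value. It assumes the component in components/aws-secretstore.yaml is named aws-secretstore and that the sidecar port is in DAPR_HTTP_PORT (which Dapr injects) or is the default 3500; neither name is confirmed by the page. The response shape it parses is the one Dapr's AWS Secrets Manager store produces: a single entry keyed by the secret name whose value is the raw SecretString.

```python
"""Added example: a minimal test app that reads a secret through the Dapr sidecar.

Not the app/ code from dapr/samples. Assumptions not confirmed by the README:
  * the component in components/aws-secretstore.yaml has metadata.name "aws-secretstore"
  * the sidecar's HTTP port is in DAPR_HTTP_PORT (Dapr injects it) or is the default 3500
"""
import http.server
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

DEFAULT_STORE = "aws-secretstore"  # assumed metadata.name of the Dapr component


class SecretAccessError(Exception):
    """The sidecar could not return the secret (IAM denial, component init failure, sidecar down)."""


def secrets_url(store: str, name: str, port: Optional[int] = None) -> str:
    """Build the Dapr secrets API URL: /v1.0/secrets/<store>/<name> on the local sidecar."""
    port = port or int(os.environ.get("DAPR_HTTP_PORT", "3500"))
    return "http://localhost:{}/v1.0/secrets/{}/{}".format(
        port, urllib.parse.quote(store, safe=""), urllib.parse.quote(name, safe="")
    )


def parse_secret_response(body: bytes, name: str) -> dict:
    """Parse the sidecar's JSON reply for the AWS Secrets Manager store.

    That store returns one entry keyed by the secret name whose value is the raw
    SecretString. If that string is itself a JSON object (as with the README's
    {"key":"value"} test secret) return it decoded; otherwise return {"value": <string>}.
    """
    payload = json.loads(body)
    if not isinstance(payload, dict) or name not in payload:
        raise SecretAccessError("sidecar reply has no entry for {!r}".format(name))
    raw = payload[name]
    try:
        decoded = json.loads(raw)
    except (TypeError, ValueError):
        return {"value": raw}
    return decoded if isinstance(decoded, dict) else {"value": raw}


def get_secret(name: str, store: str = DEFAULT_STORE, port: Optional[int] = None) -> dict:
    """Fetch a secret via the sidecar, turning HTTP and connection failures into SecretAccessError."""
    req = urllib.request.Request(secrets_url(store, name, port), headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return parse_secret_response(resp.read(), name)
    except urllib.error.HTTPError as e:
        # A 500 with ERR_SECRET_GET usually means the sidecar's AWS call failed: the role
        # lacks secretsmanager:GetSecretValue, the region is wrong, or the component did
        # not initialise. Dapr's error message is in the body, so surface it.
        detail = e.read().decode("utf-8", errors="replace")
        raise SecretAccessError(
            "sidecar returned HTTP {} for {}/{}: {}".format(e.code, store, name, detail)
        ) from e
    except urllib.error.URLError as e:
        raise SecretAccessError("cannot reach Dapr sidecar: {}".format(e.reason)) from e


def redact(secret: dict) -> dict:
    """Report which keys came back and how long the values are, never the values themselves."""
    return {k: "<{} chars>".format(len(str(v))) for k, v in secret.items()}


class Handler(http.server.BaseHTTPRequestHandler):
    """GET /test-secret -> 200 with redacted keys, 502 if the sidecar could not serve the secret."""

    def do_GET(self):
        if self.path != "/test-secret":
            self._reply(404, {"error": "not found"})
            return
        try:
            self._reply(200, redact(get_secret("test-secret")))
        except SecretAccessError as e:
            self._reply(502, {"error": str(e)})

    def _reply(self, status: int, obj: dict) -> None:
        data = json.dumps(obj).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Listens on 8080 to match the README's port-forward; dapr.io/app-port should agree.
    http.server.HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

Returning only key names and value lengths from /test-secret is deliberate: the endpoint proves that Pod Identity, the IAM policy and the component line up without turning a port-forwarded test route into a secret-disclosure path. A 502 with Dapr's error text in the body points you at the IAM or component problem directly, which is faster than reading sidecar logs for a first diagnosis.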

Testing

  1. Check that the pod is running:
kubectl get pods -n dapr-podidentity
  2. Port-forward to reach the application:
kubectl port-forward -n dapr-podidentity deploy/test-app 8080:8080
  3. Test secret access:
curl http://localhost:8080/test-secret

Troubleshooting

Authentication Issues

If you see "You must be logged in to the server (Unauthorized)", update your kubeconfig:

aws eks update-kubeconfig --region [your-aws-region] --name [your-cluster-name]

Pod Identity Issues

Pod Identity credentials are wired up at pod creation, so check the pieces in order. First, confirm the Pod Identity Agent add-on is installed on the cluster:

aws eks describe-addon --cluster-name [your-cluster-name] --addon-name eks-pod-identity-agent --region [your-aws-region]

Then verify that a Pod Identity association exists for the dapr-podidentity namespace and the dapr-test-sa service account:

eksctl get podidentityassociation --cluster [your-cluster-name] --region [your-aws-region]

Finally, confirm that the running pod received the credential environment variables (AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE). If they are absent, the pod was created before the association existed or runs under a different service account, and it must be recreated:

kubectl get pod -n dapr-podidentity -l app=test-app -o jsonpath='{.items[*].spec.containers[*].env[*].name}'

Dapr Component Issues

Check the Dapr sidecar logs for component initialization errors and for failed Secrets Manager calls (access denied, wrong region, missing secret):

kubectl logs -n dapr-podidentity -l app=test-app -c daprd
