Skip to content

feat: Support Pod Identity for EKS add-ons #465

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: Support Pod Identity for EKS add-ons #465

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a8d2c54
feat: optional pod_identity_association for eks_addons
cazlo Aug 21, 2025
ca8cf5f
docs: pod_identity_association for eks_addons
cazlo Aug 21, 2025
5bd180e
chore: vpc-cni pod-identity test
cazlo Aug 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 43 additions & 0 deletions docs/amazon-eks-addons.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,11 @@ module "eks_blueprints_addons" {
resolve_conflicts_on_create = string # defaults to `OVERWRITE`
resolve_conflicts_on_update = string # defaults to `OVERWRITE`

pod_identity_association = list(object({ # Optional, defaults to []
role_arn = string
service_account = string
}))

timeouts = {
create = string # optional
update = string # optional
Expand Down Expand Up @@ -366,3 +371,41 @@ module "eks_blueprints_addons" {
})
}
```

### EKS Pod Identity

Several addons can use the [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) feature to provide IAM roles to pods.
For example, the [CloudWatch Observability add-on](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/install-CloudWatch-Observability-EKS-addon.html#install-CloudWatch-Observability-EKS-pod-identity)
can optionally use Pod Identities instead of an IRSA, as shown below:


```hcl
module "eks_blueprints_addons" {
source = "aws-ia/eks-blueprints-addons/aws"

# ... truncated for brevity

eks_addons = {
# required for the pod identity feature
eks-pod-identity-agent = {
most_recent = true
}

amazon-cloudwatch-observability = {
most_recent = true
pod_identity_association = [
{
role_arn = module.aws_cloudwatch_observability_pod_identity.iam_role_arn
service_account = "cloudwatch-agent"
}
]
}
}
}

module "aws_cloudwatch_observability_pod_identity" {
source = "terraform-aws-modules/eks-pod-identity/aws"
name = "aws-cloudwatch-observability"
attach_aws_cloudwatch_observability_policy = true
}
```
9 changes: 9 additions & 0 deletions main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2236,6 +2236,15 @@ resource "aws_eks_addon" "this" {
resolve_conflicts_on_update = try(each.value.resolve_conflicts, "OVERWRITE")
service_account_role_arn = try(each.value.service_account_role_arn, null)

dynamic "pod_identity_association" {
for_each = try(each.value.pod_identity_association, [])
Copy link

@lorengordon lorengordon Sep 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is a list appropriate? An addon can only be associated to a single pod identity, right? Maybe an object would be better?

Suggested change
for_each = try(each.value.pod_identity_association, [])
for_each = try(each.value.pod_identity_association, null) != null ? [each.value.pod_identity_association] : []

Copy link
Author

@cazlo cazlo Sep 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @lorengordon ,

Thank you for your time in reviewing this PR, as well as your feedback. Let me explain why I think keeping this a list would be best for forward maintainability.

An addon can only be associated to a single pod identity, right?

It is accurate to say today there is a 1-1 relationship between AWS add-on and IAM role (and subsequent Pod Identity association). This is due to the current add-on state where each add-on has a single service account which needs IAM access. I verified this by reviewing both AWS documentation on add-ons and review of the pre-baked pod identities under terraform-aws-modules.

However, it is technically possible for future add-ons to have multiple IAM roles/Pod Identities associated with them. This is because the Pod Identity relationship is 1-1 between IAM role and service-account. A future hypothetical example of a 1-M add-on to Pod Identity relationship follows. Imagine an add-on which combined the various observability stacks into a single, cooperative stack, i.e. a combination of amazon-managed-service-prometheus, aws-cloudwatch-observability, otel, etc. In this situation to maintain least privilege RBAC, the add-on would need at least 2 different IAM role -> service-account Pod Identity mappings, 1 for prometheus service-account, a separate one for observablity service-account, etc.

Now granted this is entirely hypothetical, and may end up being YAGNI. In my opinion, since the option technically exists, I recommend to make this a list, so if the module needs to support it later we don't have to make a breaking change to the input and potential associated major release of the module. All that being said I am not a maintainer of the project, and defer this kind of maintainability decision to y'all; I am cool either way.

Given this context above, please let me know if you wish to proceed with the interface change; I would not mind making the change and re-running tests.

Copy link

@lorengordon lorengordon Sep 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TIL, the api doc would appear to agree with you. It accepts an array instead of an object...

https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateAddon.html#API_CreateAddon_RequestSyntax

Fyi, I'm not a maintainer here, I was just interested in this same feature.


content {
role_arn = pod_identity_association.value.role_arn
service_account = pod_identity_association.value.service_account
}
}

timeouts {
create = try(each.value.timeouts.create, var.eks_addons_timeouts.create, null)
update = try(each.value.timeouts.update, var.eks_addons_timeouts.update, null)
Expand Down
1 change: 1 addition & 0 deletions tests/complete/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ terraform destroy

| Name | Source | Version |
|------|--------|---------|
| <a name="module_aws_vpc_cni_ipv4_pod_identity"></a> [aws\_vpc\_cni\_ipv4\_pod\_identity](#module\_aws\_vpc\_cni\_ipv4\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | ~> 1.12.1 |
| <a name="module_ebs_csi_driver_irsa"></a> [ebs\_csi\_driver\_irsa](#module\_ebs\_csi\_driver\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.20 |
| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 20.26 |
| <a name="module_eks_blueprints_addons"></a> [eks\_blueprints\_addons](#module\_eks\_blueprints\_addons) | ../../ | n/a |
Expand Down
22 changes: 22 additions & 0 deletions tests/complete/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,8 +86,18 @@ module "eks_blueprints_addons" {
}
vpc-cni = {
most_recent = true
pod_identity_association = [
{
role_arn = module.aws_vpc_cni_ipv4_pod_identity.iam_role_arn
service_account = "aws-node"
}
]
}
kube-proxy = {}
# required for the pod identity feature
eks-pod-identity-agent = {
most_recent = true
}
}

enable_aws_efs_csi_driver = true
Expand Down Expand Up @@ -361,3 +371,15 @@ module "ebs_csi_driver_irsa" {

tags = local.tags
}

module "aws_vpc_cni_ipv4_pod_identity" {
source = "terraform-aws-modules/eks-pod-identity/aws"
# Note 2.0 requires AWS provider 6, locking to last version before 2.0 until test migrated to AWS provider 6
version = "~> 1.12.1"

name = "aws-vpc-cni-ipv4"

attach_aws_vpc_cni_policy = true
aws_vpc_cni_enable_ipv4 = true

}