This guide walks through setting up Dapr with AWS EKS Pod Identity for accessing AWS Secrets Manager and Amazon S3.
- AWS CLI configured with appropriate permissions
- kubectl installed
- eksctl installed
- Docker installed and configured
- A Docker Hub account or another container registry
```bash
git clone https://github.com/rochabr/dapr-eks-podidentity.git
cd dapr-eks-podidentity
```
Follow the official Dapr documentation for setting up an EKS cluster and installing Dapr: Set up an Elastic Kubernetes Service (EKS) cluster
- Create the IAM policy for Secrets Manager access:

  ```bash
  aws iam create-policy \
    --policy-name dapr-secrets-policy \
    --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "secretsmanager:GetSecretValue",
            "secretsmanager:DescribeSecret"
          ],
          "Resource": "arn:aws:secretsmanager:YOUR_AWS_REGION:YOUR_ACCOUNT_ID:secret:*"
        }
      ]
    }'
  ```

- Create the IAM policy for S3 full access:

  ```bash
  aws iam create-policy \
    --policy-name dapr-s3-policy \
    --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:*",
            "s3-object-lambda:*"
          ],
          "Resource": "*"
        }
      ]
    }'
  ```

- Create the IAM role with the Pod Identity trust relationship:

  ```bash
  aws iam create-role \
    --role-name dapr-pod-identity-role \
    --assume-role-policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": [
            "sts:AssumeRole",
            "sts:TagSession"
          ]
        }
      ]
    }'
  ```

- Attach the policies to the role:

  ```bash
  aws iam attach-role-policy \
    --role-name dapr-pod-identity-role \
    --policy-arn arn:aws:iam::YOUR_ACCOUNT_ID:policy/dapr-secrets-policy

  aws iam attach-role-policy \
    --role-name dapr-pod-identity-role \
    --policy-arn arn:aws:iam::YOUR_ACCOUNT_ID:policy/dapr-s3-policy
  ```
- Create the namespace:

  ```bash
  kubectl create namespace dapr-test
  ```

- Create the service account (`service-account.yaml`):

  ```bash
  kubectl apply -f k8s-config/service-account.yaml
  ```

- Create the Pod Identity association:

  ```bash
  eksctl create podidentityassociation \
    --cluster [your-cluster-name] \
    --namespace dapr-test \
    --region [your-aws-region] \
    --service-account-name dapr-test-sa \
    --role-arn arn:aws:iam::YOUR_ACCOUNT_ID:role/dapr-pod-identity-role
  ```

- Create a test secret in AWS Secrets Manager:

  ```bash
  aws secretsmanager create-secret \
    --name test-secret \
    --secret-string '{"key":"value"}' \
    --region [your-aws-region]
  ```

- Create the S3 bucket:

  ```bash
  aws s3api create-bucket --bucket [your-bucket-name] --region [your-aws-region]
  ```

- Create the Dapr components for AWS Secrets Manager (`aws-secretstore.yaml`) and AWS S3 (`aws-s3.yaml`). Update the necessary values in both component files before running the command below:

  ```bash
  kubectl apply -f components/
  ```

- Build and push the Docker image:

  ```bash
  cd app
  docker build -t your-repository/dapr-secrets-test:latest .
  docker push your-repository/dapr-secrets-test:latest
  ```

- Apply the deployment. Update the `image` attribute with your repository name first:

  ```bash
  kubectl apply -f deploy/app.yaml
  ```

- Check that the pod is running:

  ```bash
  kubectl get pods -n dapr-test
  ```

- Port-forward to access the application:

  ```bash
  kubectl port-forward -n dapr-test deploy/test-app 8080:8080
  ```

- Test secret access:

  ```bash
  curl http://localhost:8080/test-secret
  ```

- Test S3 access:

  ```bash
  curl -X POST -H "Content-Type: application/json" \
    -d '{"data": "Hello World"}' \
    http://localhost:8080/create-s3
  ```
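Before attaching the IAM documents above to a real role, it is worth checking two things offline: that the trust policy actually lets the EKS Pod Identity service principal (`pods.eks.amazonaws.com`) call both `sts:AssumeRole` and `sts:TagSession`, and which statements grant service-wide wildcard actions or a `*` resource (the `dapr-s3-policy` above does both, which is fine for a test cluster but should be scoped to your bucket anywhere else). The following is an added example, not part of this repository, that runs those checks over the three policy documents exactly as written in the guide (placeholders included); the function names are assumptions for illustration.

```python
import json

# Policy documents as given in the guide (placeholders left as-is).
SECRETS_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
  "Resource": "arn:aws:secretsmanager:YOUR_AWS_REGION:YOUR_ACCOUNT_ID:secret:*"}]}""")
S3_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}]}""")
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"Service": "pods.eks.amazonaws.com"},
  "Action": ["sts:AssumeRole", "sts:TagSession"]}]}""")

POD_IDENTITY_SERVICE = "pods.eks.amazonaws.com"
POD_IDENTITY_ACTIONS = {"sts:AssumeRole", "sts:TagSession"}  # both are required


def _as_list(value):
    # IAM accepts either a single string or a list in Action/Resource/Service.
    return value if isinstance(value, list) else [value]


def broad_statements(policy):
    """Return (wildcard_actions, wildcard_resources) for every Allow statement
    that uses a service-wide action ("svc:*" or "*") or a "*" resource."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        wild_actions = [a for a in _as_list(stmt.get("Action", []))
                        if a == "*" or a.endswith(":*")]
        wild_resources = [r for r in _as_list(stmt.get("Resource", [])) if r == "*"]
        if wild_actions or wild_resources:
            findings.append((wild_actions, wild_resources))
    return findings


def trusts_pod_identity(trust_policy):
    """True if some Allow statement lets the Pod Identity service principal
    call both sts:AssumeRole and sts:TagSession."""
    for stmt in _as_list(trust_policy["Statement"]):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = set(_as_list(stmt.get("Action", [])))
        if (stmt.get("Effect") == "Allow" and POD_IDENTITY_SERVICE in services
                and POD_IDENTITY_ACTIONS <= actions):
            return True
    return False
```

Running `broad_statements` on the guide's policies flags only `dapr-s3-policy`; a trust policy that omits `sts:TagSession` is rejected by `trusts_pod_identity`, which matches the symptom of a pod that cannot obtain credentials despite an existing association.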
If you see "You must be logged in to the server (Unauthorized)", update your kubeconfig:

```bash
aws eks update-kubeconfig --region [your-aws-region] --name [your-cluster-name]
```

Verify the Pod Identity association:

```bash
eksctl get podidentityassociation --cluster [your-cluster-name] --region [your-aws-region]
```

Check the Dapr sidecar logs:

```bash
kubectl logs -n dapr-test -l app=test-app -c daprd
```