
Workload Identity Setup
Available in v1.18.6+

AWS IAM Roles for Service Accounts (IRSA) allows your ScaleOps pods to securely access AWS resources without storing IAM credentials in your cluster.

Prerequisites

  • EKS cluster with OIDC identity provider enabled
  • AWS CLI installed and configured
  • kubectl access to your EKS cluster

Setup Flow

Step 1: Create S3 Bucket and IAM Policy

First, create the S3 bucket and IAM policy using either CloudFormation or Terraform:

Option A: CloudFormation Template

Use our CloudFormation template to create the S3 bucket and IAM policy: Launch CloudFormation (or Download Template / Preview)

Option B: Terraform

module "scaleops_cur_integration" {
  source                = "https://scriptshelf.scaleops.com/aws/cur/integrate.tf.tar.gz"
  create_role_delegator = false
}

Step 2: Create IAM Role for Each EKS Cluster

For each EKS cluster that needs cost integration, create a separate IAM role with the appropriate trust policy.

Get the cluster information and create the IAM role:

# Get your EKS cluster OIDC issuer URL (without the https:// prefix)
CLUSTER_ISSUER=$(aws eks describe-cluster --name <CLUSTER_NAME> --region <REGION> \
  --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")

# Get your AWS account ID
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)

# Create the IAM role; the trust policy only lets the listed ScaleOps
# service accounts assume it, and only with tokens issued for STS
ROLE_NAME="cur-workload-identity-role"
aws iam create-role \
  --role-name $ROLE_NAME \
  --assume-role-policy-document "{
    \"Version\": \"2012-10-17\",
    \"Statement\": [
      {
        \"Effect\": \"Allow\",
        \"Principal\": {
          \"Federated\": \"arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${CLUSTER_ISSUER}\"
        },
        \"Action\": \"sts:AssumeRoleWithWebIdentity\",
        \"Condition\": {
          \"StringEquals\": {
            \"${CLUSTER_ISSUER}:sub\": [
              \"system:serviceaccount:scaleops-system:scaleops-agent\",
              \"system:serviceaccount:scaleops-system:scaleops-dashboards\",
              \"system:serviceaccount:scaleops-system:scaleops-recommender\",
              \"system:serviceaccount:scaleops-system:scaleops-updater\"
            ],
            \"${CLUSTER_ISSUER}:aud\": \"sts.amazonaws.com\"
          }
        }
      }
    ]
  }" > /dev/null

# Attach the policy created in Step 1 to the role
aws iam attach-role-policy \
  --role-name $ROLE_NAME \
  --policy-arn arn:aws:iam::$ACCOUNT_ID:policy/scaleops-cur-access-policy
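As an added example (not ScaleOps' own code), the same trust policy built in Python, so it can be generated without the shell quoting above, plus an audit function that checks an existing role's trust policy for the scoping Step 2 relies on: exact-match conditions on both the `:sub` and `:aud` claims, no wildcards, and a Federated principal that is this cluster's own OIDC provider. The account ID and issuer values are constructed placeholders.

```python
import json

# Service-account names the Step 2 trust policy lists (namespace scaleops-system)
SERVICE_ACCOUNTS = ["scaleops-agent", "scaleops-dashboards",
                    "scaleops-recommender", "scaleops-updater"]

def build_trust_policy(account_id, cluster_issuer, namespace="scaleops-system"):
    """Return the IRSA trust policy as a dict; json.dumps() it for the CLI."""
    subs = [f"system:serviceaccount:{namespace}:{sa}" for sa in SERVICE_ACCOUNTS]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{cluster_issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            # Exact match on both claims: only the listed pods, only tokens minted for STS
            "Condition": {"StringEquals": {f"{cluster_issuer}:sub": subs,
                                           f"{cluster_issuer}:aud": "sts.amazonaws.com"}},
        }],
    }

def audit_trust_policy(policy, account_id, cluster_issuer):
    """Return findings for an AssumeRoleWithWebIdentity trust policy; [] means scoped as expected."""
    findings = []
    expected_principal = f"arn:aws:iam::{account_id}:oidc-provider/{cluster_issuer}"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "AssumeRoleWithWebIdentity" not in str(stmt.get("Action")):
            continue
        if stmt.get("Principal", {}).get("Federated") != expected_principal:
            findings.append("Federated principal is not this cluster's OIDC provider")
        cond = stmt.get("Condition", {})
        # StringLike allows * and ? wildcards; any such value widens who can assume the role
        like_vals = [v for vals in cond.get("StringLike", {}).values()
                     for v in (vals if isinstance(vals, list) else [vals])]
        if any("*" in v or "?" in v for v in like_vals):
            findings.append("wildcard in StringLike condition")
        eq = cond.get("StringEquals", {})
        if f"{cluster_issuer}:sub" not in eq:
            findings.append("no exact ':sub' condition; any service account in the cluster could assume the role")
        if eq.get(f"{cluster_issuer}:aud") != "sts.amazonaws.com":
            findings.append("':aud' is not pinned to sts.amazonaws.com")
    return findings

if __name__ == "__main__":
    ACCOUNT = "123456789012"  # constructed placeholder account ID
    ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"  # constructed issuer
    policy = build_trust_policy(ACCOUNT, ISSUER)
    print(json.dumps(policy, indent=2))  # paste as --assume-role-policy-document
    print("findings:", audit_trust_policy(policy, ACCOUNT, ISSUER))  # []
```

To audit a live role, feed it the `AssumeRolePolicyDocument` returned by `aws iam get-role` for the role created above.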

Step 3: Configure ScaleOps Helm Values

Retrieve the ARN of the role created in Step 2:

ROLE_NAME="cur-workload-identity-role"
aws iam get-role --role-name $ROLE_NAME --query "Role.Arn" --output text

For each cluster, configure the Helm values to use workload identity:

global:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: "<ROLE_ARN>"
cloudBillingIntegration:
  aws:
    enabled: true