Configuring AWS EKS using IAM Roles instead of an IAM User

Hello Folks,
I was going through one of your doc on connecting to external registries
In this case, we would like to use ECR

https://docs.replicated.com/vendor/tutorial-ecr-private-images#setting-up-the-service-account-user

However as per the page above, it seems to be that we would need an IAM user.
We are actively trying to avoid the use of IAM users for security reasons.
So, I was wondering if it was possible in any way to use an IAM role instead.

Hi @surajbathina this is a great question – I’m going to check with our engineering team, but I’d guess that as long as you can create a Key/Secret pair with the right IAM policy attached, this should work.

Hey Dex,
I understand that attaching a policy to an IAM user does indeed work. And the specified key/secret pair are the credentials of the user.
I was trying to understand if we can attach the policy to an AWS IAM Role.
As of now I do not see an option for that.
Was trying to understand if we can make this somehow work, or if this can be added as a feature in an upcoming update.

Hmm, okay – thanks for clarifying.

Right now our integration only works with AWS identity objects that can provide and Key/Secret pair. I’m unfortunately not sure if a standalone role supports that or if you need to attach the role to an IAM user.

If there’s another method by which you’d like to authenticate, I’d recommend filing a feature request at https://support.replicated.com

Thanks for the information, I’ll raise a request with the appropriate details.

1 Like

Hi @surajbathina,

As I understand it, IAM roles need to be attached to an actor/subject (e.g. a user, service account, a node, etc…), and it’s possible to use a role for authentication since it’s not an actor/subject itself.

Does that make sense?