If you’re just looking to attach a service account to a pod using the native AWS EKS IAM mapping[1], you should be able to attach the service account to the pod via the `kubernetes.service-account` configuration option[2].
Let me know if that works for you!

Best,
Austin

[1]: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
[2]: https://ci.apache.org/projects/flink/flink-docs-release-1.12/deployment/config.html#kubernetes-service-account

On Sat, Apr 3, 2021 at 10:18 PM Austin Cawley-Edwards <austin.caw...@gmail.com> wrote:

> Can you describe your setup a little bit more? And perhaps how you use this setup to grant access to other non-Flink pods?
>
> On Sat, Apr 3, 2021 at 2:29 PM Swagat Mishra <swaga...@gmail.com> wrote:
>
>> Yes, I looked at kube2iam; I haven't experimented with it.
>>
>> Given that the service account has access to S3, shouldn't we have a simpler mechanism to connect to underlying resources based on the service account authorization?
>>
>> On Sat, Apr 3, 2021, 10:10 PM Austin Cawley-Edwards <austin.caw...@gmail.com> wrote:
>>
>>> Hi Swagat,
>>>
>>> I’ve used kube2iam[1] for granting AWS access to Flink pods in the past with good results. It’s all based on mapping pod annotations to AWS IAM roles. Is this something that might work for you?
>>>
>>> Best,
>>> Austin
>>>
>>> [1]: https://github.com/jtblin/kube2iam
>>>
>>> On Sat, Apr 3, 2021 at 10:40 AM Swagat Mishra <swaga...@gmail.com> wrote:
>>>
>>>> No, we are running on AWS. The mechanisms supported by Flink to connect to resources like S3 need us to make changes that will impact all services, something that we don't want to do. So providing the AWS secret key ID and passcode upfront, or IAM rules where it connects by executing curl/HTTP calls to connect to S3, don't work for me.
>>>>
>>>> I want to be able to connect to S3 using AWS APIs, and if that connection can be leveraged by the Presto library, that is what I am looking for.
>>>>
>>>> Regards,
>>>> Swagat
>>>>
>>>> On Sat, Apr 3, 2021, 7:37 PM Israel Ekpo <israele...@gmail.com> wrote:
>>>>
>>>>> Are you running on Azure Kubernetes Service?
>>>>>
>>>>> You should be able to do it because the identity can be mapped to the labels of the pods, not necessarily Flink.
>>>>>
>>>>> On Sat, Apr 3, 2021 at 6:31 AM Swagat Mishra <swaga...@gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I think Flink doesn't support pod identity; any plans to achieve it in any subsequent release?
>>>>>>
>>>>>> Regards,
>>>>>> Swagat
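The following is an added configuration example illustrating the approach suggested at the top of the thread (an EKS IAM-Roles-for-Service-Accounts binding plus Flink's `kubernetes.service-account` option); it is not from the thread or from the Flink project. The namespace, service-account name, account id and role name are placeholders chosen for the example.

```yaml
# Kubernetes ServiceAccount for the Flink pods, annotated for EKS IRSA.
# The role ARN below is a placeholder; substitute your own account and role.
#
# The IAM role must trust the cluster's OIDC provider for
# sts:AssumeRoleWithWebIdentity, with a condition that pins the token
# subject to exactly this namespace/service account, i.e.
#   "<oidc-provider-url>:sub": "system:serviceaccount:flink:flink-s3-reader"
# so that no other pod in the cluster can assume the role. Grant the role
# only the S3 actions the job needs (e.g. s3:GetObject on the job's bucket).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flink-s3-reader          # placeholder name
  namespace: flink               # placeholder namespace
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/flink-s3-reader  # placeholder ARN
---
# flink-conf.yaml fragment: run the Flink pods under that service account.
# kubernetes.service-account is the option referenced in the thread ([2]).
# With IRSA in place, EKS injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE
# into the pod, so no static access key or secret needs to be put into the
# Flink configuration or into a Secret.
kubernetes.service-account: flink-s3-reader
```

To check that the binding took effect, run an AWS CLI `sts get-caller-identity` from inside one of the Flink pods: the returned ARN should be the assumed-role session of the role above rather than the node's instance role. If it still reports the node role, the pod was not created with the annotated service account or the mutating webhook did not inject the token.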