Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

(eks): need to override kubectl handler lambda IAM role

See original GitHub issue

we’ve noticed that when we want to create the service account through cdk with IAM role attached, the cdk requires us to specify the IAM role that has access to Kubernetes API:


Also, we’ve noticed that the lambda that does kubectl apply tries to assume that role to make kubectl apply command, which is fine.

The one thing that we noticed that when this kubectl handler lambda created it is created with the new role every time with the assume role inline policy.

image image

Which is could be fine as well but we find that this is not quite secure, because in this case, we need to put “root account” to the trusted entities of kubectlRole to let all that lambdas assume this role.

For dev/qa environments it is fine but for production account, we really don’t want to have Kubernetes admin role which can be assumed by anyone who has assumeRole policy we want to tight that kubectl role by trusted entities some how.

Use Case

we use IRSA for Imported clusters service-per-service. Each service has it’s own cdk stack with Cluster.addServiceAccount() call. So each service create it’s own kubectl handler lambda with it’s own lambda role with random name.

our kubectl role should be assumable by only one entity, but in the environment where we have huge amount of lambdas for each service it is not possible to list all that lambda roles in the trusted entity of kubectl role.

Proposed Solution

I see here two possible solutions:

  1. Add an optional parameter with the kubectl handler lambda. so each cdk stack can load that lambda and use the same lambda in a different stacks that creates IRSA. So we create that lambda once with the role and put that role to the trusted entity of kubectlRole.
  2. Add an optional parameter to .addServiceAccount() function to pass the existing role arn for kubectl handler lambda. so we can create that role once, put it inside the trusted entities of kubectl role and all kubectl handlers will run under this role.


  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Reactions:5
  • Comments:20 (18 by maintainers)

github_iconTop GitHub Comments

aka-toxacommented, Mar 24, 2021

yes I’m preparing the draft changes for that, it is a bit tough will show soon I’m almost done

iliapolocommented, Dec 18, 2020

@aka-toxa Let me know when you start working on this to finalize the approach because i’m still not sure about it.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Orchestrating Amazon Kubernetes Service (EKS) from AWS ...
The function will use the Lambda IAM role credentials. With the AWS credentials, it will query the EKS endpoint to get the certificate...
Read more >
Kubernetes RBAC and IAM Integration in Amazon EKS using ...
Amazon EKS uses IAM to provide authentication to your Kubernetes cluster. ... A Kubernetes Java client implemented as an AWS Lambda function ...
Read more >
If you want to manage function code and infrastructure resources (such as IAM permissions, policies, events, etc) in separate flows (e.g., ...
Read more >
@aws-cdk/aws-eks - npm
Auto Scaling Group - EC2 worker nodes managed by the user. KubectlHandler - Lambda function for invoking kubectl commands on the cluster - ......
Read more >
IAM Roles for Service Accounts - eksctl
Inside EKS, there is an admission controller that injects AWS session credentials into pods respectively of the roles based on the annotation on...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found