Authenticating the agent on AWS EKS

If your env0 agent runs on an AWS EKS cluster, you can leverage any of these methods to assign an AWS IAM role to your deployments.

📘

Credential Resolution Order

The env0 deployment agent resolves credentials in the following priority order:

  1. Pod Identity
  2. IRSA (IAM Roles for Service Accounts)
  3. Node Role

This order ensures that more granular and secure identity methods (like Pod Identity and IRSA) are preferred over the instance-level Node Role.
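The following script is an added example, not part of the env0 agent or its documentation. It applies the resolution order above to a pod's environment so you can confirm which identity a deployment pod will pick up, and it flags a silent fallback to the Node Role. It assumes each method is recognised by the environment variables EKS injects into the pod (AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE for Pod Identity, AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE for IRSA); the function names and the --check flag are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not env0 code): report which AWS identity source this pod's
# environment selects, in the page's order: Pod Identity, IRSA, Node Role.
# Assumption: each method is recognised by the variables EKS injects.

resolve_identity_source() {
  # EKS Pod Identity: agent credentials endpoint plus a projected token file.
  if [ -n "${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ] &&
     [ -n "${AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE:-}" ]; then
    echo "pod-identity"
    return 0
  fi
  # IRSA: role ARN plus a projected OIDC web identity token file.
  if [ -n "${AWS_ROLE_ARN:-}" ] && [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]; then
    echo "irsa"
    return 0
  fi
  # Neither pod-level method is configured: credentials would come from the
  # IAM role of the node the pod runs on.
  echo "node-role"
}

# Prints the source on success. Returns 1 on node-role fallback and 2 when the
# selected method points at a token file the pod cannot read.
check_identity() {
  local src token=""
  src=$(resolve_identity_source)
  case "$src" in
    pod-identity) token=$AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE ;;
    irsa)         token=$AWS_WEB_IDENTITY_TOKEN_FILE ;;
  esac
  if [ -n "$token" ] && [ ! -r "$token" ]; then
    echo "$src: token file $token is not readable" >&2
    return 2
  fi
  if [ "$src" = "node-role" ]; then
    echo "node-role: no pod-level identity configured, node IAM role applies" >&2
    return 1
  fi
  echo "$src"
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
  check_identity
fi
```

Run it with --check inside a pod that uses the same service account as the deployment jobs; a non-zero exit means the pod is not using the pod-level identity you expected.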

Using EKS Pod Identity

EKS Pod Identity simplifies the management of IAM permissions for applications on EKS clusters. Administrators associate IAM roles directly with Kubernetes service accounts, which eliminates the need for OIDC identity providers and enables role reuse across multiple clusters.

For more details about EKS Pod Identity and how to configure it, refer to the EKS User Guide.

Using IAM Roles for Service Accounts (IRSA)

IAM Roles for Service Accounts (IRSA) in Amazon EKS allow Kubernetes pods to securely assume IAM roles, enabling fine-grained access to AWS services without managing AWS credentials within the pods.

For more details about IRSA and how to configure it, refer to the EKS User Guide.

📘

Using a Custom Kubernetes Service Account

By default, env0 uses the default service account within the namespace where the agent is installed.

To specify a different service account, set the deploymentJobServiceAccountName Helm value.

For detailed steps on configuring a new service account, refer to this AWS Guide.

🚧

IRSA & EKS Pod Identity Session Expiry

Please note that when using IRSA or EKS Pod Identity, the assumed session is only valid for 1 hour.

This limitation exists because these methods internally assume the role associated with the Kubernetes service account, and role chaining is restricted to 1-hour sessions.

Using the Node Role

The Node Role is the IAM Role assigned to the EC2 instances that serve as nodes in your EKS cluster.

You can use this role directly by assigning the appropriate permissions required for your env0 deployments.

For more details, refer to the EKS User Guide.

🚧

Restricting Access to the Node IAM Role

If you are using AWS EKS and do not want to use the Node IAM Role, you must explicitly restrict access to it.

More details can be found here