How to use workload identity for AWS cloud operations in Portworx
Portworx supports using AWS IAM Roles for Service Accounts (IRSA) to access cloud resources such as Amazon S3 for CloudSnap backups and Amazon EBS for CloudDrive provisioning. This removes the need to manage static AWS credentials or assign IAM permissions at the node level.
The workload identity feature in Portworx Operator enables Portworx pods to securely access AWS services without hardcoding cloud credentials. Instead, Portworx leverages AWS IAM Roles for Service Accounts (IRSA), injecting short-lived credentials that are automatically rotated into pods. This improves security posture and operational simplicity for cloud-native storage workflows such as CloudSnap and CloudDrive.
By configuring workload identity, Portworx performs cloud operations using short-lived tokens that are automatically rotated and injected into its pods through the Portworx service account and projected service account tokens.
This approach enhances security, simplifies credential management, and meets the compliance needs of enterprises operating on AWS-based Kubernetes clusters.
How it works
When this feature is configured:
- The Portworx service account is annotated with an AWS IAM role.
- The Portworx Operator ensures pods are injected with:
  - A projected service account token.
  - The environment variables AWS_ROLE_ARN, AWS_REGION, AWS_DEFAULT_REGION, and AWS_WEB_IDENTITY_TOKEN_FILE.
- The AWS SDK within Portworx uses these to inherit the IAM role at runtime.
On Amazon Elastic Kubernetes Service (EKS), this is handled automatically by the eks-pod-identity-webhook. On non-EKS environments, you must deploy the webhook manually.
Why use workload identity
Traditional AWS credential mechanisms require manually provisioning access keys and rotating them securely, which is both an operational burden and a security risk. Workload identity offers the following benefits:
- Eliminates static AWS access keys and secrets.
- Avoids granting IAM permissions to the entire Kubernetes node.
- Automatically injects short-lived credentials into the appropriate pods.
Supported platforms
This feature is supported on the following AWS-based Kubernetes distributions:
- Amazon Elastic Kubernetes Service (EKS)
- Red Hat OpenShift Service on AWS (ROSA)
- Google Anthos on AWS
Prerequisites
Before configuring workload identity, ensure that the following prerequisites are met:
- A Kubernetes cluster on the AWS platform
- Portworx Enterprise version 3.4.0 or later
- Portworx Operator version 25.3.1 or later
- An OIDC provider linked to your Kubernetes cluster. For more information, refer to Create an OpenID Connect (OIDC) identity provider in IAM.
- The Pod Identity Webhook is deployed and running:
- Included by default in EKS and ROSA clusters.
- For other clusters running on EC2 instances, you need to manually deploy the webhook. For more information, refer to Amazon EKS Pod Identity Webhook.
Important: after cloning the repository, edit the deployment-base.yaml file to add the --aws-default-region <aws-region> flag to the spec.template.spec.containers.command field before deploying the webhook.
Create an IAM role
- Define an IAM role with the required permissions for the AWS services used by CloudSnap or CloudDrive.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "EBSVolumeManagement",
        "Effect": "Allow",
        "Action": [
          "ec2:CreateVolume",
          "ec2:DeleteVolume",
          "ec2:AttachVolume",
          "ec2:DetachVolume",
          "ec2:DescribeVolumes",
          "ec2:ModifyVolume",
          "ec2:DescribeVolumeStatus",
          "ec2:CreateSnapshot",
          "ec2:DeleteSnapshot",
          "ec2:DescribeSnapshots",
          "ec2:CreateTags",
          "ec2:DeleteTags",
          "ec2:DescribeTags",
          "ec2:DescribeVolumeAttribute",
          "ec2:DescribeVolumesModifications",
          "autoscaling:DescribeAutoScalingGroups"
        ],
        "Resource": "*"
      },
      {
        "Sid": "InstanceDescription",
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeInstances"
        ],
        "Resource": "*"
      },
      {
        "Sid": "S3BucketManagement",
        "Effect": "Allow",
        "Action": [
          "s3:CreateBucket",
          "s3:ListAllMyBuckets",
          "s3:GetBucketLocation",
          "s3:ListBucket",
          "s3:PutObject",
          "s3:GetObject",
          "s3:DeleteObject"
        ],
        "Resource": [
          "*"
        ]
      }
    ]
  }
- Attach a trust policy to the role.
  Choose the appropriate trust policy based on your Kubernetes distribution:
  EKS:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::<account-id>:oidc-provider/<oidc-provider-url>"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "<oidc-provider-url>:aud": "sts.amazonaws.com"
          },
          "StringLike": {
            "<oidc-provider-url>:sub": "system:serviceaccount:<namespace>:portworx"
          }
        }
      }
    ]
  }
  ROSA:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::<account-id>:oidc-provider/<oidc-provider-url>"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "<oidc-provider-url>:aud": "openshift"
          },
          "StringLike": {
            "<oidc-provider-url>:sub": "system:serviceaccount:<namespace>:portworx"
          }
        }
      }
    ]
  }
  Google Anthos:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::<account-id>:oidc-provider/<gke-oidc-url>"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringLike": {
            "<gke-oidc-url>:sub": "system:serviceaccount:<namespace>:portworx"
          }
        }
      }
    ]
  }
  Refer to Create a role for OpenID Connect federation (console) for more details.
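As an added check that is not part of the Portworx documentation, the following Python evaluates an IRSA trust policy of the shape shown above against the iss, aud and sub claims of a projected service account token, and flags Allow statements whose sub condition would let any pod in the cluster assume the role. The account id and OIDC issuer are sample values standing in for the page's placeholders.

```python
import fnmatch
import json
# Constructed EKS-style trust policy; account id and issuer are sample values for the page's placeholders.
ISSUER = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE1234"
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/%s"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"%s:aud": "sts.amazonaws.com"},
      "StringLike": {"%s:sub": "system:serviceaccount:portworx:portworx"}
    }
  }]
}""" % (ISSUER, ISSUER, ISSUER))

def _conditions_hold(block, claims, match):
    # block maps "<issuer>:<claim>" to a value or list of values; every key must match.
    for key, expected in block.items():
        actual = claims.get(key.rsplit(":", 1)[1])
        wanted = expected if isinstance(expected, list) else [expected]
        if actual is None or not any(match(actual, w) for w in wanted):
            return False
    return True

def can_assume(policy, claims):
    """True if a token with claims {iss, aud, sub} satisfies an Allow statement.
    StringLike is approximated with fnmatch ('*' and '?' wildcards, as in IAM)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        provider = stmt["Principal"]["Federated"].split(":oidc-provider/", 1)[1]
        if claims.get("iss", "").removeprefix("https://") != provider:
            continue  # token was not issued by the federated OIDC provider
        cond = stmt.get("Condition", {})
        if _conditions_hold(cond.get("StringEquals", {}), claims, lambda a, w: a == w) and \
                _conditions_hold(cond.get("StringLike", {}), claims, fnmatch.fnmatchcase):
            return True
    return False

def unscoped_statements(policy):
    """Indexes of Allow statements whose sub condition is missing or '*': any pod could assume the role."""
    bad = []
    for i, stmt in enumerate(policy["Statement"]):
        cond = stmt.get("Condition", {})
        subs = [v for blk in cond.values() for k, v in blk.items() if k.endswith(":sub")]
        if stmt.get("Effect") == "Allow" and (not subs or "*" in subs):
            bad.append(i)
    return bad
```

The aud check is why the ROSA policy above uses "openshift" rather than "sts.amazonaws.com": a token minted for the wrong audience is rejected even when the subject matches.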
Configure workload identity
Existing cluster
To configure the workload identity feature for an existing cluster, edit the StorageCluster custom resource to include the following section:
  spec:
    workloadIdentity:
      credentials:
      - cloudProvider: "aws"
        key: "eks.amazonaws.com/role-arn"
        value: "arn:aws:iam::<account-id>:role/<role-name>"
New installation
If you are installing Portworx using Portworx Central, you can enable workload identity during spec generation:
- Select AWS as your cloud platform and choose a Kubernetes distribution (for example, EKS).
- Select Customize, and go to the Storage section.
- In the Storage section, find the Enable Workload Identity option.
- Select Enable Workload Identity.
- Enter your IAM Role ARN in the following format: arn:aws:iam::<account-id>:role/<role-name>
This automatically adds the workloadIdentity section to the generated StorageCluster specification:
  spec:
    workloadIdentity:
      credentials:
      - cloudProvider: "aws"
        key: "eks.amazonaws.com/role-arn"
        value: "arn:aws:iam::<account-id>:role/<role-name>"
Verify token injection
Once the configuration is applied, the Portworx Operator restarts pods as needed. After the restart, Portworx pods should include the following:
Token volume
  volumes:
  - name: aws-iam-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: sts.amazonaws.com
          expirationSeconds: 86400
          path: token
Volume mount
  volumeMounts:
  - mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
    name: aws-iam-token
    readOnly: true
Environment variables
  spec:
    containers:
    - env:
      - name: AWS_WEB_IDENTITY_TOKEN_FILE
        value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
      - name: AWS_ROLE_ARN
        value: arn:aws:iam::<account-id>:role/<role-name>
      - name: AWS_REGION
        value: us-west-2
      - name: AWS_DEFAULT_REGION
        value: us-west-2
These are used by the AWS SDK to authenticate and make API calls.
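Added example, not part of the Portworx documentation: a Python check that takes the JSON form of a Portworx pod (as returned by kubectl get pod <px-pod> -o json; a constructed excerpt is embedded) and confirms that the injected environment variables, the read-only mount and the projected token's audience and path are consistent with one another. The account id and role name are sample values.

```python
import json
import os
# Constructed 'kubectl get pod <px-pod> -o json' excerpt mirroring the injected
# fields shown above; account id and role name are sample values.
POD = json.loads("""{
  "spec": {
    "volumes": [{"name": "aws-iam-token", "projected": {"sources": [{"serviceAccountToken":
      {"audience": "sts.amazonaws.com", "expirationSeconds": 86400, "path": "token"}}]}}],
    "containers": [{"name": "portworx",
      "env": [
        {"name": "AWS_WEB_IDENTITY_TOKEN_FILE", "value": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"},
        {"name": "AWS_ROLE_ARN", "value": "arn:aws:iam::111122223333:role/portworx-irsa"},
        {"name": "AWS_REGION", "value": "us-west-2"},
        {"name": "AWS_DEFAULT_REGION", "value": "us-west-2"}],
      "volumeMounts": [{"name": "aws-iam-token", "readOnly": true,
        "mountPath": "/var/run/secrets/eks.amazonaws.com/serviceaccount"}]}]
  }
}""")

REQUIRED_ENV = ("AWS_WEB_IDENTITY_TOKEN_FILE", "AWS_ROLE_ARN", "AWS_REGION", "AWS_DEFAULT_REGION")

def check_irsa_injection(pod, audience="sts.amazonaws.com", max_ttl=86400):
    """Return a list of problems; an empty list means the injection is consistent."""
    problems = []
    container = pod["spec"]["containers"][0]
    env = {e["name"]: e.get("value", "") for e in container.get("env", [])}
    problems += [f"missing env {n}" for n in REQUIRED_ENV if not env.get(n)]
    if not env.get("AWS_ROLE_ARN", "").startswith("arn:aws:iam::"):
        problems.append("AWS_ROLE_ARN is not an IAM role ARN")
    token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE", "")
    # The token file must live under a read-only mount of a projected SA token.
    mount = next((m for m in container.get("volumeMounts", [])
                  if token_file.startswith(m["mountPath"].rstrip("/") + "/")), None)
    if mount is None:
        return problems + ["token file is not under any volume mount"]
    if not mount.get("readOnly"):
        problems.append(f"volume {mount['name']} is not mounted read-only")
    volume = next((v for v in pod["spec"].get("volumes", []) if v["name"] == mount["name"]), {})
    sources = volume.get("projected", {}).get("sources", [])
    sat = next((s["serviceAccountToken"] for s in sources if "serviceAccountToken" in s), None)
    if sat is None:
        return problems + [f"volume {mount['name']} is not a projected serviceAccountToken"]
    if sat.get("audience") != audience:
        problems.append(f"token audience {sat.get('audience')!r}, expected {audience!r}")
    if sat.get("expirationSeconds", 0) > max_ttl:
        problems.append("token lifetime exceeds expected maximum")
    if os.path.basename(token_file) != sat.get("path"):
        problems.append("projected token path does not match AWS_WEB_IDENTITY_TOKEN_FILE")
    return problems
```

On ROSA, pass audience="openshift" to match the trust policy for that distribution.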
Create credentials using workload identity
To create CloudSnap credentials using workload identity, run the following Portworx CLI command:
pxctl credentials create px-cloud-cred \
--provider s3 \
--use-workload-identity
This credential can be used to create cloud snapshots. For more information, see Create and use cloud snapshots.
The --s3-disable-ssl flag is not supported with workload identity for AWS endpoints, because workload identity enforces SSL.