How to get EKS Pod role with aws command

I need the EKS pod role, not the worker node role, but when I try the command below, I can only get the EKS worker node role.

=> curl http://169.254.169.254/latest/meta-data/iam/security-credentials; echo

How can I get the pod role?

I need the pod role for setting the GOOGLE_APPLICATION_CREDENTIALS config file.

{
  "type": "external_account",
  "audience": "~~~~~~~~",
  "subject_token_type": "~~~~~~~",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "environment_id": "aws1",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials", ====> return worker node role
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
  },
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/!@#$!@#$!@#$.iam.gserviceaccount.com:generateAccessToken"
}

Help me, please. Thank you so much.

gohm'c On

Yes, I already assume a role in GCP

You can then create a service account with the same policy as the IAM role above for your pod using eksctl:

eksctl create iamserviceaccount \
  --name <name of the service account> \
  --namespace <where the service account resides> \
  --cluster <cluster name> \
  --attach-policy-arn arn:aws:iam::<account>:policy/<name of the IAM policy> \
  --approve

Refer to the service account in your spec:

...
spec:
  serviceAccountName: <name of the service account>
  ...

Now your pod will assume the IAM role and not the node role.
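
A check to run inside the pod to confirm that it uses the service account's IAM role rather than the node role (an added example, not part of the original answer). It assumes the role is bound through IAM roles for service accounts, which injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into the pod; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: verify which IAM identity a pod is using.
# AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are injected by the EKS pod
# identity webhook when the pod's service account is annotated with a role.

# Prints "irsa" when both variables are set and the token file is readable.
# Prints "node" otherwise: no web identity is configured, so a metadata
# lookup like the one in the question returns the worker node role.
credential_source() {
    if [ -n "${AWS_ROLE_ARN:-}" ] && [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ] \
        && [ -r "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
        echo "irsa"
    else
        echo "node"
    fi
}

# Extracts the role name from an STS caller ARN of the form
# arn:aws:sts::<account>:assumed-role/<role name>/<session name>.
# Fails for anything that is not an assumed-role ARN.
role_from_caller_arn() {
    case "$1" in
        arn:aws:sts::*:assumed-role/*/*)
            rest=${1#*:assumed-role/}
            echo "${rest%%/*}"
            ;;
        *) return 1 ;;
    esac
}

# Succeeds only if web identity is configured AND the role STS reports
# matches the role name at the end of AWS_ROLE_ARN (any IAM path is dropped,
# because assumed-role ARNs do not carry the path).
# $1: caller ARN as reported by STS for the current credentials.
pod_role_in_use() {
    expected=${AWS_ROLE_ARN##*/}
    actual=$(role_from_caller_arn "$1") || return 1
    [ "$(credential_source)" = "irsa" ] && [ "$expected" = "$actual" ]
}
```

Inside the pod, call it as `pod_role_in_use "$(aws sts get-caller-identity --query Arn --output text)"`; a non-zero exit means the pod is still running with the node's credentials.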