Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
496 views
in Technique by (71.8m points)

amazon web services - What does "eksctl create iamserviceaccount" do under the hood on an EKS cluster?

AWS supports IAM Roles for Service Accounts (IRSA) that allows cluster operators to map AWS IAM Roles to Kubernetes Service Accounts.

To do so, one has to create an iamserviceaccount in an EKS cluster:

eksctl create iamserviceaccount \
    --name <AUTOSCALER_NAME> \
    --namespace kube-system \
    --cluster <CLUSTER_NAME> \
    --attach-policy-arn <POLICY_ARN> \
    --approve \
    --override-existing-serviceaccounts

The problem is that I don't want to use the above eksctl command because I want to declare my infrastructure using Terraform.

Does the eksctl command do anything other than create a service account? If it only creates a service account, what is the YAML representation of it?

question from:https://stackoverflow.com/questions/65934606/what-does-eksctl-create-iamserviceaccount-do-under-the-hood-on-an-eks-cluster


1 Reply

0 votes
by (71.8m points)

First, you should define the IAM role in Terraform.

Second, you should configure the aws-auth configmap in Kubernetes to map the IAM role to a Kubernetes user or serviceaccount. You can do that in Terraform using the Kubernetes provider.

There is already a Terraform module, terraform-aws-eks, which manages all aspects of an EKS cluster. You may take some ideas from it.
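For reference, an added Terraform sketch (not part of the question or the reply, and not eksctl's own code) of the two objects IRSA depends on: an IAM role whose trust policy accepts web-identity tokens from the cluster's OIDC provider for one specific ServiceAccount, and a ServiceAccount annotated with that role's ARN. The variable names, the `cluster-autoscaler` ServiceAccount name and the role name are assumptions, and the cluster's IAM OIDC provider is assumed to exist already.

```hcl
# Added example; inputs are placeholders, not values from the page.
variable "cluster_name" { type = string }
variable "policy_arn" { type = string }
data "aws_eks_cluster" "this" {
  name = var.cluster_name
}

# Assumes the cluster's IAM OIDC provider has already been created.
data "aws_iam_openid_connect_provider" "this" {
  url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
}
locals {
  namespace = "kube-system"
  sa_name   = "cluster-autoscaler" # hypothetical ServiceAccount name
  issuer    = replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "")
}

data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.this.arn]
    }
    # Pin the role to one ServiceAccount. Without this `sub` condition,
    # any ServiceAccount token from the cluster could assume the role.
    condition {
      test     = "StringEquals"
      variable = "${local.issuer}:sub"
      values   = ["system:serviceaccount:${local.namespace}:${local.sa_name}"]
    }
  }
}

resource "aws_iam_role" "irsa" {
  name               = "${var.cluster_name}-${local.sa_name}" # hypothetical role name
  assume_role_policy = data.aws_iam_policy_document.trust.json
}
resource "aws_iam_role_policy_attachment" "irsa" {
  role       = aws_iam_role.irsa.name
  policy_arn = var.policy_arn
}

resource "kubernetes_service_account" "this" {
  metadata {
    name        = local.sa_name
    namespace   = local.namespace
    annotations = { "eks.amazonaws.com/role-arn" = aws_iam_role.irsa.arn }
  }
}
```

The resulting ServiceAccount manifest is an ordinary `v1` ServiceAccount whose only IRSA-specific part is the `eks.amazonaws.com/role-arn` annotation.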

