
Connect to AWS Services with IAM Roles

warning

Connecting by assuming an IAM role is only available when using Superblocks On-Premise

When running the Superblocks On-Premise Agent on AWS (ECS Fargate, EKS, or EC2 instances), the agent can access AWS services with an IAM role, instead of requiring long-term access keys. This can be used in:

Auth types

ECS task role

Assign an IAM role to the agent's ECS task. If using the Superblocks Terraform module, this can be set via the superblocks_agent_role_arn variable.

superblocks_agent_role_arn = "arn:aws:iam::111111111111:role/my-iam-role"

Once this is set up, create AWS integrations with only the region specified. Leave the auth type at its default, Access Key, and leave the key fields empty; they are not used. When APIs are executed, the agent retrieves temporary credentials for its task role from the ECS container credential endpoint.

[Screenshot: S3 integration using an IAM role with the On-Premise Agent on ECS]

Kubernetes service account

Follow the steps in the EKS docs on IAM roles for service accounts (IRSA) to associate an IAM role with a Kubernetes service account. Specify this service account in the agent's values.yaml file, along with the annotation for the IAM role.

#(...)

serviceAccount:
  name: opa-service-account
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/my-iam-role

#(...)

Once this is set up, create AWS integrations with the Token File auth type. The agent then authenticates to the AWS service with the projected service account token (Service Account Token Volume Projection), which is exchanged for temporary credentials of the annotated IAM role.

[Screenshot: S3 integration using an IAM role with the On-Premise Agent on EKS]

EC2 instance metadata

Create an IAM role that allows EC2 instances to call AWS services and associate this role with the EC2 instance where the Superblocks agent runs (IAM instance profile).

Once this is set up, create AWS integrations with the EC2 Instance Metadata auth type. The agent then connects to the AWS service with the instance role's temporary credentials, retrieved from the EC2 instance metadata endpoint (IMDS). If the instance requires IMDSv2 and the agent runs in a container with its own network namespace, raise the instance's metadata response hop limit (HttpPutResponseHopLimit) to 2 so the IMDSv2 token response can reach the container.

[Screenshot: S3 integration using an IAM role with the On-Premise Agent on EC2]

Connect to AWS in Python and JavaScript

The agent can also use IAM roles to connect to AWS services in backend Python (Boto3) and JavaScript (AWS SDK) steps.

If you're using ECS task role auth, you must additionally set the environment variable SB_EXECUTION_ENV_INCLUSION_LIST to a value of AWS_CONTAINER_CREDENTIALS_RELATIVE_URI. This allow-lists that variable for the step's execution environment, which is how Boto3 and the AWS SDK locate the ECS container credential endpoint; without it, the SDKs cannot find the task role and fall through to other credential sources. For example, in the agent's Terraform module:

superblocks_agent_environment_variables = [
  {
    "name" : "SB_EXECUTION_ENV_INCLUSION_LIST",
    "value" : "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
  }
]

No additional configuration is required if your agent is using a Kubernetes service account or EC2 instance metadata for IAM role auth.

You can then write code in Superblocks to interact with AWS services that the agent's role has permission to access.

[Screenshot: IAM role auth for Boto3]
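The following is an added example, not code from the Superblocks page or project. It shows what the credential lookup described in the sections above looks like from inside a Python step: which of the three role sources (ECS task role, EKS service account, EC2 instance metadata) Boto3 will pick up from the step's environment, and a guard that confirms the expected role is actually in use before the step touches S3. The bucket name, role name and region are placeholders, and the function names are my own; the environment variable names are the ones Boto3's default credential chain reads.

```python
"""Where a Superblocks Python step gets its IAM-role credentials, and a
check that the expected role is the one in use.

Added example, not Superblocks' own code.  Assumes only that the step runs
inside the On-Premise Agent on AWS and that boto3 is importable there; the
bucket, role and region below are placeholders.
"""
import os

# Environment variables consulted by boto3's default credential provider chain.
STATIC_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")    # long-term keys
WEB_IDENTITY = ("AWS_WEB_IDENTITY_TOKEN_FILE", "AWS_ROLE_ARN")  # EKS IRSA (projected token)
CONTAINER_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"        # ECS task role


def credential_source(env=None):
    """Report which source boto3 will use, in the order its chain tries them.

    Static keys win over everything else, so if the agent passes
    AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY into the step, the role is
    silently ignored.  The ECS task role is only reachable when
    AWS_CONTAINER_CREDENTIALS_RELATIVE_URI survives the agent's
    SB_EXECUTION_ENV_INCLUSION_LIST filter; with nothing set, boto3 falls
    back to the EC2 instance metadata endpoint (IMDS).
    """
    env = os.environ if env is None else env
    if all(k in env for k in STATIC_KEYS):
        return "static-keys"
    if all(k in env for k in WEB_IDENTITY):
        return "eks-service-account"
    if CONTAINER_URI in env:
        return "ecs-task-role"
    return "ec2-instance-metadata"


def assumed_role_name(caller_arn):
    """Role name from an STS caller ARN such as
    arn:aws:sts::111111111111:assumed-role/my-iam-role/<session>, or None
    when the caller is not an assumed role (e.g. an IAM user on static keys)."""
    resource = caller_arn.split(":", 5)[-1]   # "assumed-role/<role>/<session>"
    parts = resource.split("/")
    if len(parts) < 3 or parts[0] != "assumed-role":
        return None
    return parts[1]


def list_bucket_as_role(bucket, expected_role, prefix="", region="us-east-1"):
    """Confirm the step runs as `expected_role`, then list objects under `prefix`.

    Needs boto3 and network access to AWS, so the offline test does not call it.
    """
    import boto3  # the library the page names for Python steps

    session = boto3.session.Session(region_name=region)
    caller = session.client("sts").get_caller_identity()["Arn"]
    if assumed_role_name(caller) != expected_role:
        # Fail loudly rather than run with whatever credentials happened to be found.
        raise RuntimeError(
            f"expected role {expected_role!r} but running as {caller} "
            f"(credential source: {credential_source()})"
        )

    s3 = session.client("s3")
    keys = []
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix):
        keys.extend(obj["Key"] for obj in page.get("Contents", []))
    return keys


if __name__ == "__main__":
    print("credential source:", credential_source())
    # Placeholder bucket and role; replace with ones the agent's role may access.
    print(list_bucket_as_role("my-bucket", "my-iam-role", prefix="reports/"))
```

Run `credential_source()` first when a step unexpectedly gets AccessDenied: a result of `ec2-instance-metadata` on ECS means AWS_CONTAINER_CREDENTIALS_RELATIVE_URI was not allow-listed, and `static-keys` means long-term keys reached the step and are overriding the role.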