In the AWS cloud architecture, situations arise where secure communication is needed between an Amazon EKS (Elastic Kubernetes Service) cluster and an Amazon ECR (Elastic Container Registry) in a different AWS account. This blog offers a step-by-step guide on achieving this secure connection using OpenID Connect (OIDC).
OpenID Connect (OIDC) in AWS is what lets different parts of your AWS setup authenticate to each other safely. It works like a trusted guard at the door: only components that present an identity token from a trusted issuer are allowed to communicate. With OIDC you add an identity layer that keeps interactions within your AWS environment authenticated and reliable.
We have two accounts: one for ECR (ecr-account) and another for EKS (eks-account). When we set up the EKS cluster, we enabled OIDC for it, which registers an IAM OIDC identity provider for the cluster in the eks-account. To get the details of that OIDC provider, use this command:
aws iam get-open-id-connect-provider --open-id-connect-provider-arn <ARN_OF_OIDC_PROVIDER_IN_EKS-ACCOUNT>
The output looks like this:
{
    "Url": "oidc.eks.eu-west-1.amazonaws.com/id/C46A4FFABB3E8791A086F3**********",
    "ClientIDList": [
        "sts.amazonaws.com"
    ],
    "ThumbprintList": [
        "9e99a48a9960b14926bb7f3b02e22d**********"
    ],
    "CreateDate": "2023-07-11T06:16:14.841000+00:00",
    "Tags": [
        {
            "Key": "alpha.eksctl.io/eksctl-version",
            "Value": "0.148.0"
        },
        {
            "Key": "alpha.eksctl.io/cluster-name",
            "Value": "<CLUSTER_NAME>"
        }
    ]
}
The next step is to create an OpenID Connect provider in the ecr-account. This uses the key details of the eks-account provider from the output above: the OIDC URL, the client ID (audience), and the thumbprint. This is what allows the ecr-account to trust identity tokens issued by the EKS cluster.
aws iam create-open-id-connect-provider \
  --url https://oidc.eks.eu-west-1.amazonaws.com/id/C46A4FFABB3E8791A086F3********** \
  --client-id-list sts.amazonaws.com \
  --thumbprint-list '["9e99a48a9960b14926bb7f3b02e22d**********"]'
With the OpenID Connect provider in the ecr-account set up, we now create an IAM role in the ecr-account. This role needs the right AWS ECR permissions attached, and its trust relationship (trust policy) must name the OIDC provider we just created. Here is the trust policy (use the ARN of the OIDC provider created in the ecr-account):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "<ARN_OF_OIDC_PROVIDER_IN_ECR-ACCOUNT>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity"
        }
    ]
}
The last step is to go back to the eks-account and create an IAM service account in EKS that is linked to the role in the ecr-account. We do this with the eksctl command below, passing the ARN of the IAM role we created in the ecr-account:
eksctl create iamserviceaccount \
  --cluster <CLUSTER_NAME> \
  --region <AWS_REGION> \
  --namespace=<NAMESPACE_OF_IAMSERVICEACCOUNT> \
  --name=<NAME_OF_IAMSERVICEACCOUNT> \
  --attach-role-arn=<ARN_OF_IAM-ROLE_IN_THE_ECR-ACCOUNT> \
  --approve
After creating the IAM service account, use it in the deployment of any pods that need to access the ECR in the ecr-account. Simply set the service account name in your pod or deployment spec:
spec:
  template:
    spec:
      serviceAccountName: <IAM_SERVICEACCOUNT>
Now verify that pods running with this service account can access ECR in the ecr-account.
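One thing worth checking before calling the link "secure": the trust policy shown above has no Condition block, so any pod in the cluster, in any namespace and with any service account, can assume the ECR role. The usual fix is to pin the token's sub (the Kubernetes service account) and aud (the audience registered on the provider) in the trust policy; eksctl's --attach-role-arn uses the role as it is, so this trust policy is what decides which pods can assume it. The script below is an added example, not part of the original post: it audits a trust policy for these two conditions and builds the scoped version. The account id, provider id, namespace and service account name are constructed placeholders.

```python
# Constructed placeholder standing in for this post's <ARN_OF_OIDC_PROVIDER_IN_ECR-ACCOUNT>.
OIDC_PROVIDER_ARN = ("arn:aws:iam::111111111111:oidc-provider/"
                     "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEPROVIDERID")

# The trust relationship as the post shows it: a Federated principal and no Condition block.
UNSCOPED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Federated": OIDC_PROVIDER_ARN},
                   "Action": "sts:AssumeRoleWithWebIdentity"}],
}

def issuer_from_provider_arn(provider_arn):
    # Web-identity condition keys are "<issuer>:sub" and "<issuer>:aud", where
    # <issuer> is the part of the provider ARN after ":oidc-provider/".
    return provider_arn.split(":oidc-provider/", 1)[1]

def build_trust_policy(provider_arn, namespace, service_account):
    # The post's statement plus conditions that pin the token to one Kubernetes
    # service account and to the audience registered on the provider.
    issuer = issuer_from_provider_arn(provider_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:aud": "sts.amazonaws.com",
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }

def audit_trust_policy(policy):
    # One finding per AssumeRoleWithWebIdentity statement that does not pin sub and aud.
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        issuer = issuer_from_provider_arn(stmt["Principal"]["Federated"])
        cond = stmt.get("Condition", {})
        keys = {k for op in ("StringEquals", "StringLike") for k in cond.get(op, {})}
        if f"{issuer}:sub" not in keys:
            findings.append(f"statement {i}: no {issuer}:sub condition, so any service account in the cluster can assume the role")
        if f"{issuer}:aud" not in keys:
            findings.append(f"statement {i}: no {issuer}:aud condition, so tokens issued for other audiences are accepted")
    return findings
```

Run audit_trust_policy on the JSON you fetch with aws iam get-role, and paste the output of build_trust_policy into the role's trust relationship (or aws iam update-assume-role-policy) to close the gap.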
In short, connecting AWS EKS and ECR across accounts securely takes a few steps: enable OIDC for EKS, create an OIDC provider in the ecr-account, create an IAM role that trusts that provider, and create an IAM service account in EKS that uses the role. This gives pods a trusted, credential-free path to ECR and makes it straightforward to deploy and manage applications across AWS accounts.
