AWS: Assume an IAM Role using a Web Identity Token


I have an EKS cluster with an OpenID Connect provider. My goal is to configure cross-account permissions to allow Pods running on the cluster in Account A to access AWS resources in Account B. To achieve this I have created a Service Account and attached that to the relevant Pods in Account A.

My issue is that before I can get the change approved, I need to prove that it works.

AWS documentation seems to suggest that I can test the use of STS:AssumeRoleWithWebIdentity via the CLI. However, where it specifies web_identity_token_file, it doesn't actually tell you how to generate that token.

Magic Google led me to another SO question, and now I have created a secret for the Service Account in question and I can get a JWT token. However, when I use that token I see an error -

operation error STS: AssumeRoleWithWebIdentity, https response error StatusCode: 400, RequestID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, InvalidIdentityToken: Issuer must be a valid URL

The above SO question then led me to this answer in another question, but generating a token this way leads to another error.

operation error STS: AssumeRoleWithWebIdentity, https response error StatusCode: 400, RequestID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, InvalidIdentityToken: Incorrect token audience

So my question is, how can I test assumption of a role with a web identity through the CLI? Is there a way to generate a generic JWT token for the OIDC provider for my EKS cluster?


Solution

  • The answer here is to use kubectl create token as suggested in this answer, but in addition to that it is necessary to change the audience, as the default audience is not valid.

    kubectl create token <sa> -n <namespace> --audience sts.amazonaws.com
    

    Note that no Service Account linked Secret is required.
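An added example (not the answerer's code) that checks the two claims behind the errors in the question before calling STS: it decodes the token payload, confirms `iss` is an https URL and `aud` is `sts.amazonaws.com`, and only then runs the CLI call. The service account, namespace and role ARN passed to `assume_with_sa_token` are placeholders, and `sample_token` builds unsigned constructed test data only.

```shell
#!/usr/bin/env bash
set -euo pipefail

# Decode the payload (second segment) of a JWT, restoring base64url padding.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print a claim by name; handles both "aud":"x" and "aud":["x"] (first entry).
jwt_claim() {
  jwt_payload "$1" | sed -n 's/.*"'"$2"'":\[\{0,1\}"\([^"]*\)".*/\1/p'
}

# Return 0 when iss is an https URL and aud matches what STS expects;
# print the reason and return 1 otherwise (mirrors the two STS errors above).
check_token() {
  local token=$1 want_aud=$2 iss aud
  iss=$(jwt_claim "$token" iss)
  aud=$(jwt_claim "$token" aud)
  case "$iss" in
    https://*) ;;
    *) echo "issuer is not a valid URL: '$iss'"; return 1 ;;
  esac
  if [ "$aud" != "$want_aud" ]; then
    echo "incorrect audience: '$aud' (want '$want_aud')"; return 1
  fi
  echo "token ok: iss=$iss aud=$aud sub=$(jwt_claim "$token" sub)"
}

# Constructed, unsigned sample token for offline checks only (alg none).
b64url() { base64 | tr '+/' '-_' | tr -d '=\n'; }
sample_token() {
  printf '%s.%s.%s' "$(printf '{"alg":"none"}' | b64url)" \
    "$(printf '%s' "$1" | b64url)" sig
}

# Live path (needs kubectl + aws): mint with the STS audience, verify, assume.
# Arguments are placeholders: <service-account> <namespace> <role-arn>.
assume_with_sa_token() {
  local sa=$1 ns=$2 role_arn=$3 token
  token=$(kubectl create token "$sa" -n "$ns" --audience sts.amazonaws.com)
  check_token "$token" sts.amazonaws.com
  aws sts assume-role-with-web-identity --role-arn "$role_arn" \
    --role-session-name cli-test --web-identity-token "$token" \
    --query 'AssumedRoleUser.Arn' --output text
}
```

Compare the printed `iss` and `sub` with the OIDC provider URL and the `sub` condition in the role's trust policy in Account B; a mismatch there shows up as AccessDenied rather than InvalidIdentityToken.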