Configure IAM in EKS clusters
The best practice for implementing Amazon IAM in an EKS cluster is to use an EKS service account. This setup works with the hive.s3.iam-role catalog property, or with an S3 security mapping.
Using S3 security mapping with EKS cluster versions prior to version 1.19 requires a securityContext: definition in the Starburst Enterprise platform (SEP) Helm chart, as in the following example:

    securityContext:
      fsGroup: 65534

The SEP chart uses the default service account for its defined namespace, so you must create the service account with the name “default”, as in the following example eksctl command:

    $ eksctl create iamserviceaccount \
        --name default \
        --namespace dataservices \
        --cluster sepstaging \
        --attach-policy-arn arn:aws:iam::<policyID>:policy/eks_service_account_wm \
        --approve \
        --override-existing-serviceaccounts
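
One way to check the result of the steps above, as an added example that is not part of the SEP documentation: the functions read `kubectl get ... -o yaml` output on stdin and look for the `eks.amazonaws.com/role-arn` annotation on the service account, the `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` variables that EKS injects into pods using it, and `fsGroup` on clusters before 1.19. The function names, account ID, role name and pod name are assumptions made for the example, and the samples are constructed. Because the role is bound to “default”, every pod in the namespace that does not name another service account receives it, so keep the attached policy narrow.

```shell
# Constructed samples of `kubectl get ... -o yaml` output; IDs and names are placeholders.
SAMPLE_SA='kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/example-sep-role
  name: default
  namespace: dataservices'
SAMPLE_POD='kind: Pod
spec:
  serviceAccountName: default
  securityContext:
    fsGroup: 65534
  containers:
  - name: coordinator-example
    env:
    - name: AWS_ROLE_ARN
      value: arn:aws:iam::111122223333:role/example-sep-role
    - name: AWS_WEB_IDENTITY_TOKEN_FILE
      value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token'

# Print the IAM role ARN annotated on a ServiceAccount manifest read from stdin.
# Returns 1 when the annotation is absent or is not an IAM role ARN.
irsa_role_arn() {
  arn=$(sed -n 's|^ *eks\.amazonaws\.com/role-arn: *||p' | tr -d "\"'" | head -n 1)
  case "$arn" in
    arn:aws*:iam::*:role/*) printf '%s\n' "$arn" ;;
    *) return 1 ;;
  esac
}

# Read a Pod manifest from stdin; $1 is the cluster's Kubernetes minor version.
# Prints one finding per line and returns 1 if anything is missing.
irsa_pod_findings() {
  minor=$1 pod=$(cat) out=""
  for var in AWS_ROLE_ARN AWS_WEB_IDENTITY_TOKEN_FILE; do
    printf '%s\n' "$pod" | grep -Eq "^ *-? *name: *$var *\$" ||
      out="${out}missing env $var
"
  done
  # The page requires fsGroup on clusters before 1.19 (with S3 security mapping).
  if [ "$minor" -lt 19 ] && ! printf '%s\n' "$pod" | grep -Eq '^ *fsGroup: *[0-9]+ *$'; then
    out="${out}missing securityContext.fsGroup
"
  fi
  printf '%s' "$out"
  [ -z "$out" ]
}
printf '%s\n' "$SAMPLE_SA" | irsa_role_arn
printf '%s\n' "$SAMPLE_POD" | irsa_pod_findings 18 && echo "pod checks passed"
```

Against a live cluster, pipe `kubectl get serviceaccount default -n dataservices -o yaml` into `irsa_role_arn`, and a pod's YAML into `irsa_pod_findings` with the cluster's minor version.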