
IAM for Audit Fluentd on Amazon EKS (IRSA) in a Self-Managed Deployment

When Audit Fluentd runs on Amazon EKS and writes audits to Amazon S3, use IAM Roles for Service Accounts (IRSA) instead of static access keys in vars.audit-fluentd.yml.

Create the IAM role and policies in your AWS account, then provide the role ARN to Privacera Manager. Manager annotates the Audit Fluentd ServiceAccount with eks.amazonaws.com/role-arn so the pod receives short-lived credentials through the AWS SDK default chain.

This is applicable only for self-managed deployments. For PrivaceraCloud, please reach out to your contact at Privacera.

Related topics

Send Audits to S3 describes bucket configuration (vars.audit-fluentd.yml).

Prerequisites

Prerequisite | Description
EKS OIDC provider | The cluster has an OIDC identity provider registered in IAM for IRSA.
IAM role | A role whose trust policy allows sts:AssumeRoleWithWebIdentity for your cluster OIDC issuer and the Audit Fluentd ServiceAccount.
IAM permissions | Policies attached to that role for the S3 actions Fluentd needs (sample below).

ServiceAccount name

Privacera Manager creates a dedicated ServiceAccount named audit-fluentd-<workload-sa>. With the default workload service account privacera-sa, the name is audit-fluentd-privacera-sa.

Use this subject in the IAM trust policy:

system:serviceaccount:<K8S_NAMESPACE>:audit-fluentd-privacera-sa

IAM policy templates

Replace the angle-bracket placeholders with your AWS account ID, region, EKS OIDC ID, bucket name, and Kubernetes namespace.

Trust policy

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/oidc.eks.<EKS_REGION>.amazonaws.com/id/<EKS_OIDC_ID>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.<EKS_REGION>.amazonaws.com/id/<EKS_OIDC_ID>:aud": "sts.amazonaws.com",
          "oidc.eks.<EKS_REGION>.amazonaws.com/id/<EKS_OIDC_ID>:sub": "system:serviceaccount:<K8S_NAMESPACE>:audit-fluentd-privacera-sa"
        }
      }
    }
  ]
}

S3 permission policy

Grant access to the bucket you set in AUDIT_FLUENTD_S3_BUCKET (and prefix, if you use one). Tighten Resource ARNs to that bucket only.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3BucketLevelAudit",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::<AUDIT_S3_BUCKET>"
    },
    {
      "Sid": "S3ObjectsAudit",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::<AUDIT_S3_BUCKET>/*"
    }
  ]
}
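The two templates above are easy to fill in by hand, and just as easy to fill in wrongly: a typo in the namespace, a StringLike wildcard in the sub condition, or a Resource of "*" all produce a role that works but is far broader than the Audit Fluentd pod needs. The following Python is an added example, not part of the original page or of Privacera Manager; it renders both policies from the placeholder values the page names and then lints the result the way a reviewer would, checking that the trust policy pins aud to sts.amazonaws.com and sub to the exact audit-fluentd-privacera-sa subject, and that the permission policy touches only the audit bucket with only the listed actions. The account ID, region, OIDC ID, namespace and bucket name are constructed sample values.

```python
import json

# Constructed sample values for this example (placeholders, not taken from the original page).
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
OIDC_ID = "EXAMPLED539D4633E53DE1B71EXAMPLE"
NAMESPACE = "privacera"
BUCKET = "example-audit-bucket"
SERVICE_ACCOUNT = "audit-fluentd-privacera-sa"  # name Privacera Manager creates for the default workload SA

# The S3 actions the page's permission policy grants; anything beyond these is a finding.
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject",
                  "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"]


def oidc_issuer(region, oidc_id):
    """Issuer path used both in the provider ARN and as the condition-key prefix."""
    return f"oidc.eks.{region}.amazonaws.com/id/{oidc_id}"


def render_trust_policy(account_id, region, oidc_id, namespace, sa=SERVICE_ACCOUNT):
    """Fill the page's trust-policy template for exactly one ServiceAccount."""
    issuer = oidc_issuer(region, oidc_id)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:aud": "sts.amazonaws.com",
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{sa}",
            }},
        }],
    }


def render_s3_policy(bucket):
    """Fill the page's S3 permission-policy template, scoped to a single bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "S3BucketLevelAudit", "Effect": "Allow",
             "Action": list(BUCKET_ACTIONS), "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "S3ObjectsAudit", "Effect": "Allow",
             "Action": list(OBJECT_ACTIONS), "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def lint_trust_policy(policy, issuer, namespace, sa=SERVICE_ACCOUNT):
    """Findings for a trust policy; an empty list means it is scoped as the page describes."""
    findings = []
    expected_sub = f"system:serviceaccount:{namespace}:{sa}"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        if equals.get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append("aud condition missing or not sts.amazonaws.com")
        sub = equals.get(f"{issuer}:sub")
        if sub is None:
            if f"{issuer}:sub" in cond.get("StringLike", {}):
                findings.append("sub uses StringLike; a wildcard widens which ServiceAccounts can assume the role")
            else:
                findings.append("sub condition missing; any ServiceAccount in the cluster could assume the role")
        elif sub != expected_sub:
            findings.append(f"sub is {sub!r}, expected {expected_sub!r}")
    return findings


def lint_s3_policy(policy, bucket):
    """Findings for the permission policy: only the audit bucket, only the listed actions."""
    allowed_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    allowed_actions = set(BUCKET_ACTIONS) | set(OBJECT_ACTIONS)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions      # IAM allows string or list
        resources = [resources] if isinstance(resources, str) else resources
        for res in resources:
            if res not in allowed_resources:
                findings.append(f"{stmt.get('Sid', '?')}: Resource {res!r} is not the audit bucket")
        for act in actions:
            if act not in allowed_actions:
                findings.append(f"{stmt.get('Sid', '?')}: action {act!r} is broader than Fluentd needs")
    return findings


if __name__ == "__main__":
    issuer = oidc_issuer(REGION, OIDC_ID)
    trust = render_trust_policy(ACCOUNT_ID, REGION, OIDC_ID, NAMESPACE)
    perms = render_s3_policy(BUCKET)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("trust findings:", lint_trust_policy(trust, issuer, NAMESPACE))  # [] when scoped correctly
    print("s3 findings:", lint_s3_policy(perms, BUCKET))
```

The linters are deliberately strict about the exact condition keys: IRSA evaluates the aud and sub claims under the issuer-prefixed key names, so a condition written against the wrong issuer path or placed under StringLike with a wildcard is not caught by IAM itself and only shows up as "more ServiceAccounts than expected can assume this role". Running the lint against a role's current trust policy (for instance the document returned by the AWS CLI's get-role call) before handing the ARN to Privacera Manager keeps the role tied to the single audit-fluentd-privacera-sa subject the page specifies.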

Configure Privacera Manager

Set these variables in custom-vars/vars.audit-fluentd.yml (copy from sample-vars/vars.audit-fluentd.yml if needed):

Property | Description
AUDIT_FLUENTD_USE_POD_IAM_ROLE | Set to "true" to use the dedicated Audit Fluentd ServiceAccount for IRSA (when K8S_PROVIDER is aws).
AUDIT_FLUENTD_IAM_ROLE_ARN | ARN of the IAM role you created (for example, arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>).

Leave AUDIT_FLUENTD_S3_ACCESS_KEY and AUDIT_FLUENTD_S3_SECRET_KEY empty when using IRSA.

Then apply the change with Privacera Manager and redeploy Audit Fluentd.

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup
./pm_with_helm.sh upgrade

Validation

Verify that the IAM role is attached to the Audit Fluentd pod through its ServiceAccount:

Bash
kubectl -n <K8S_NAMESPACE> get serviceaccount audit-fluentd-privacera-sa \
  -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}{"\n"}'

The command returns the ARN you set in AUDIT_FLUENTD_IAM_ROLE_ARN.