
IAM for Audit Server on Amazon EKS (IRSA) in a Self-Managed Deployment

When Audit Server runs on Amazon EKS and needs to call AWS (for example, sending audits to Amazon SQS), use IAM Roles for Service Accounts (IRSA) instead of static access keys.

Create the IAM role and policies in your AWS account, then provide the role ARN to Privacera Manager. Manager annotates the Audit Server ServiceAccount with eks.amazonaws.com/role-arn; the EKS pod identity webhook then mounts a projected web-identity token into the pod, and the AWS SDK default credential chain exchanges that token for short-lived role credentials with sts:AssumeRoleWithWebIdentity. No access key is stored in the cluster.

This applies only to self-managed deployments. For PrivaceraCloud, reach out to your contact at Privacera.

Related topics

Send Audits to Amazon SQS describes queue configuration through Audit Server (vars.auditserver.yml).

Prerequisites

Prerequisite | Description
EKS OIDC provider | The cluster's OIDC issuer is registered as an identity provider in IAM, which is what IRSA relies on.
IAM role | A role whose trust policy allows sts:AssumeRoleWithWebIdentity only for your cluster's OIDC issuer and the Audit Server ServiceAccount.
IAM permissions | Policies attached to that role for the AWS services Audit Server needs to call (for example, Amazon SQS).

ServiceAccount name

Privacera Manager creates a dedicated ServiceAccount named auditserver-<workload-sa>. With the default workload service account privacera-sa, the name is auditserver-privacera-sa.

Use this subject in the IAM trust policy:

system:serviceaccount:<K8S_NAMESPACE>:auditserver-privacera-sa

IAM policy templates

Replace the angle-bracket placeholders with your AWS account ID, region, EKS OIDC ID, queue ARN/prefix, and Kubernetes namespace.

Trust policy

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/oidc.eks.<EKS_REGION>.amazonaws.com/id/<EKS_OIDC_ID>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.<EKS_REGION>.amazonaws.com/id/<EKS_OIDC_ID>:aud": "sts.amazonaws.com",
          "oidc.eks.<EKS_REGION>.amazonaws.com/id/<EKS_OIDC_ID>:sub": "system:serviceaccount:<K8S_NAMESPACE>:auditserver-privacera-sa"
        }
      }
    }
  ]
}

SQS permission policy

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SqsPrivaceraAuditQueues",
      "Effect": "Allow",
      "Action": [
        "sqs:SendMessage",
        "sqs:GetQueueUrl",
        "sqs:GetQueueAttributes",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:PurgeQueue"
      ],
      "Resource": "arn:aws:sqs:*:<AWS_ACCOUNT_ID>:<AUDIT_QUEUE_PREFIX>*"
    }
  ]
}

Only sqs:SendMessage is required to publish audits. The other actions are included for operators who need to inspect or clean up the queue from inside the Audit Server pod; remove them if your security model does not allow them, since sqs:ReceiveMessage, sqs:DeleteMessage and sqs:PurgeQueue let a compromised pod read or destroy audit records rather than only write them. The template also leaves the region as * so it works in any region; pin it to the region of your queue, and use the exact queue ARN instead of a prefix wildcard once the queue name is fixed.

Configure Privacera Manager

Set these variables in custom-vars/vars.auditserver.yml (copy from sample-vars/vars.auditserver.yml if needed):

Property | Description
AUDITSERVER_USE_POD_IAM_ROLE | Set to "true" to use the dedicated Audit Server ServiceAccount for IRSA.
AUDITSERVER_IAM_ROLE_ARN | ARN of the IAM role you created (for example, arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>).

Then apply the change with Privacera Manager and restart Audit Server.

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup
./pm_with_helm.sh upgrade

Validation

Verify that the IAM role is attached to the Audit Server pod through its ServiceAccount:

Bash
kubectl -n <K8S_NAMESPACE> get serviceaccount auditserver-privacera-sa \
  -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}{"\n"}'

The command returns the ARN you set in AUDITSERVER_IAM_ROLE_ARN. If it prints an empty line, the annotation was not applied: check that both properties are set in custom-vars/vars.auditserver.yml and rerun the setup and upgrade steps. The annotation only proves the binding on the Kubernetes side; the trust policy's sub condition must name the same namespace and ServiceAccount for the token exchange to succeed.
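The trust policy, the SQS permission policy and the ServiceAccount annotation have to agree with each other, and the usual IRSA mistakes (a wildcard sub, a missing aud, a resource scoped to every region, an annotation pointing at a different role) stay silent until the first SendMessage is denied or, worse, never are. The following is an added example, not Privacera's code, that cross-checks those three documents offline. It fills the page's templates with constructed values: the account ID, OIDC ID, namespace privacera, queue prefix privacera-audit- and role name privacera-auditserver-irsa are all assumptions, and the ServiceAccount object is a constructed stand-in for the output of kubectl get sa -o json. Point the three check functions at your own documents to run the same checks for real.

```python
"""Offline cross-check of the IRSA pieces for Audit Server: trust policy, SQS permission
policy and annotated ServiceAccount. Added example, not Privacera's code; every value is constructed."""
# Constructed stand-ins for the page's <...> placeholders.
ACCOUNT = "123456789012"
REGION = "us-east-1"
OIDC_ID = "EXAMPLED539D4633E53DE1B716EXAMPLE"
NAMESPACE = "privacera"
SA_NAME = "auditserver-privacera-sa"
QUEUE_PREFIX = "privacera-audit-"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/privacera-auditserver-irsa"  # hypothetical role name
ISSUER = f"oidc.eks.{REGION}.amazonaws.com/id/{OIDC_ID}"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:oidc-provider/{ISSUER}"
EXPECTED_SUB = f"system:serviceaccount:{NAMESPACE}:{SA_NAME}"
# The page's trust policy template with the placeholders filled in.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com",
                                   f"{ISSUER}:sub": EXPECTED_SUB}}}]}
# The page's SQS permission template, region left as "*" exactly as on the page.
PERMISSION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "SqsPrivaceraAuditQueues", "Effect": "Allow",
    "Action": ["sqs:SendMessage", "sqs:GetQueueUrl", "sqs:GetQueueAttributes",
               "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:PurgeQueue"],
    "Resource": f"arn:aws:sqs:*:{ACCOUNT}:{QUEUE_PREFIX}*"}]}
# Constructed `kubectl get sa auditserver-privacera-sa -o json` output after Manager ran.
SERVICE_ACCOUNT = {"apiVersion": "v1", "kind": "ServiceAccount", "metadata": {
    "name": SA_NAME, "namespace": NAMESPACE,
    "annotations": {"eks.amazonaws.com/role-arn": ROLE_ARN}}}
PUBLISH_ACTIONS = {"sqs:SendMessage"}  # all Audit Server needs to send audits
OPERATOR_ACTIONS = {"sqs:GetQueueUrl", "sqs:GetQueueAttributes", "sqs:ReceiveMessage",
                    "sqs:DeleteMessage", "sqs:PurgeQueue"}  # optional extras, per the page


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, issuer, expected_sub):
    """Findings that would let something other than the Audit Server SA assume the role."""
    findings, seen = [], False
    for st in policy.get("Statement", []):
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        seen = True
        principal = st.get("Principal", {})
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if not federated.endswith(":oidc-provider/" + issuer):
            findings.append(f"Federated principal is not this cluster's OIDC provider: {federated!r}")
        cond = st.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if equals.get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append("aud condition missing or not sts.amazonaws.com")
        sub = equals.get(f"{issuer}:sub", like.get(f"{issuer}:sub"))  # StringLike is where wildcards hide
        if sub is None:
            findings.append("no sub condition: any ServiceAccount on the cluster can assume the role")
        elif "*" in sub or "?" in sub:
            findings.append(f"sub uses a wildcard ({sub}); pin it to {expected_sub}")
        elif sub != expected_sub:
            findings.append(f"sub is {sub}, expected {expected_sub}")
    if not seen:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return findings


def check_permission_policy(policy, account, region, queue_prefix):
    """Findings where the SQS grant reaches beyond the audit queues in one account and region."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        extra = set(_as_list(st.get("Action", []))) - PUBLISH_ACTIONS - OPERATOR_ACTIONS
        if extra:
            findings.append(f"actions outside the documented set: {sorted(extra)}")
        for arn in _as_list(st.get("Resource", [])):
            parts = arn.split(":", 5)  # arn:aws:sqs:<region>:<account>:<queue-name>
            if len(parts) != 6 or parts[2] != "sqs":
                findings.append(f"resource is not an SQS queue ARN: {arn!r}")
                continue
            if parts[3] != region:
                findings.append(f"region is {parts[3]!r}; pin it to {region}")
            if parts[4] != account:
                findings.append(f"account is {parts[4]!r}; expected {account}")
            if not parts[5].startswith(queue_prefix):
                findings.append(f"queue name {parts[5]!r} is not under prefix {queue_prefix}")
    return findings


def check_service_account(sa, expected_role_arn, expected_sub):
    """Findings where the annotated ServiceAccount does not line up with role and trust policy."""
    findings = []
    meta = sa.get("metadata", {})
    if f"system:serviceaccount:{meta.get('namespace')}:{meta.get('name')}" != expected_sub:
        findings.append(f"ServiceAccount identity does not match trust-policy sub {expected_sub}")
    arn = meta.get("annotations", {}).get("eks.amazonaws.com/role-arn")
    if arn is None:
        findings.append("eks.amazonaws.com/role-arn annotation missing; AUDITSERVER_IAM_ROLE_ARN not applied")
    elif arn != expected_role_arn:
        findings.append(f"annotation points at {arn}, expected {expected_role_arn}")
    return findings
```

Run against the page's templates as written, the trust policy and ServiceAccount come back clean and the permission policy yields one finding, the region wildcard, which is the one thing in the template a practitioner should pin before attaching it. Feed the same functions a trust policy whose sub sits under StringLike with a trailing *, and the wildcard finding explains why every ServiceAccount in that namespace could have assumed the role.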