Summary Prerequisites and limitations Architecture Tools Best practices Epics Troubleshooting Related resources

Set up event-driven auto scaling in Amazon EKS by using Amazon EKS Pod Identity and KEDA

Dipen Desai, Abhay Diwan, Kamal Joshi, and Mahendra Revanasiddappa, Amazon Web Services

Summary

Orchestration platforms, such as Amazon Elastic Kubernetes Service (Amazon EKS), have streamlined the lifecycle management of container-based applications. This helps organizations focus on building, securing, operating, and maintaining container-based applications. As event-driven deployments become more common, organizations are more frequently scaling Kubernetes deployments based on various event sources. This method, combined with auto scaling, can result in significant cost savings by providing on-demand compute resources and efficient scaling that is tailored to application logic.

KEDA is a Kubernetes-based event-driven autoscaler. KEDA helps you scale any container in Kubernetes based on the number of events that need to be processed. It is lightweight and integrates with any Kubernetes cluster. It also works with standard Kubernetes components, such as Horizontal Pod Autoscaling (HPA). KEDA also offers TriggerAuthentication, which is a feature that helps you delegate authentication. It allows you to describe authentication parameters that are separate from the ScaledObject and the deployment containers.

AWS provides AWS Identity and Access Management (IAM) roles that support diverse Kubernetes deployment options, including Amazon EKS, Amazon EKS Anywhere, Red Hat OpenShift Service on AWS (ROSA), and self-managed Kubernetes clusters on Amazon Elastic Compute Cloud (Amazon EC2). These roles use IAM constructs, such as OpenID Connect (OIDC) identity providers and IAM trust policies, to operate across different environments without relying directly on Amazon EKS services or APIs. For more information, see IAM roles for service accounts in the Amazon EKS documentation.

Amazon EKS Pod Identity simplifies the process for Kubernetes service accounts to assume IAM roles without requiring OIDC providers. It provides the ability to manage credentials for your applications. Instead of creating and distributing your AWS credentials to the containers or using the Amazon EC2 instance’s role, you associate an IAM role with a Kubernetes service account and configure your Pods to use the service account. This helps you use an IAM role across multiple clusters and simplifies policy management by enabling the reuse of permission policies across IAM roles.

By implementing KEDA with Amazon EKS Pod Identity, businesses can achieve efficient event-driven auto scaling and simplified credential management. Applications scale based on demand, which optimizes resource utilization and reduces costs.

This pattern helps you integrate Amazon EKS Pod Identity with KEDA. It showcases how you can use the keda-operator service account and delegate authentication with TriggerAuthentication. It also describes how to set up a trust relationship between an IAM role for the KEDA operator and an IAM role for the application. This trust relationship allows KEDA to monitor messages in the event queues and adjust scaling for the destination Kubernetes objects.

Prerequisites and limitations

Prerequisites

AWS Command Line Interface (AWS CLI) version 2.13.17 or later, installed
Python version 3.11.5 or later, installed
AWS SDK for Python (Boto3) version 1.34.135 or later, installed
Helm version 3.12.3 or later, installed
kubectl version 1.25.1 or later, installed
Docker Engine version 26.1.1 or later, installed
An Amazon EKS cluster version 1.24 or later, created
Prerequisites for creating the Amazon EKS Pod Identity agent, met

Limitations

It is required that you establish a trust relationship between the keda-operator role and the keda-identity role. Instructions are provided in the Epics section of this pattern.

Architecture

In this pattern, you create the following AWS resources:

Amazon Elastic Container Registry (Amazon ECR) repository – In this pattern, this repo is named keda-pod-identity-registry. This private repo is used to store Docker images of the sample application.
Amazon Simple Queue Service (Amazon SQS) queue – In this pattern, this queue is named event-messages-queue. The queue acts as a message buffer that collects and stores incoming messages. KEDA monitors the queue metrics, such as message count or queue length, and it automatically scales the application based on these metrics.
IAM role for the application – In this pattern, this role is named keda-identity. The keda-operator role assumes this role. This role allows access to the Amazon SQS queue.
IAM role for the KEDA operator – In this pattern, this role is named keda-operator. The KEDA operator uses this role to make the required AWS API calls. This role has permissions to assume the keda-identity role. Because of the trust relationship between the keda-operator and the keda-identity roles, the keda-operator role has Amazon SQS permissions.

Through the TriggerAuthentication and ScaledObject Kubernetes custom resources, the operator uses the keda-identity role to connect with an Amazon SQS queue. Based on the queue size, KEDA automatically scales the application deployment. It adds 1 pod for every 5 unread messages in the queue. In the default configuration, if there are no unread messages in the Amazon SQS queue, the application scales down to 0 pods. The KEDA operator monitors the queue at an interval that you specify.

The following image shows how you use Amazon EKS Pod Identity to provide the keda-operator role with secure access to the Amazon SQS queue.

Using KEDA and Amazon EKS Pod Identity to automatically scale a Kubernetes-based application.

The diagram shows the following workflow:

You install the Amazon EKS Pod Identity agent in the Amazon EKS cluster.
You deploy KEDA operator in the KEDA namespace in the Amazon EKS cluster.
You create the keda-operator and keda-identity IAM roles in the target AWS account.
You establish a trust relationship between the IAM roles.
You deploy the application in the security namespace.
The KEDA operator polls messages in an Amazon SQS queue.
KEDA initiates HPA, which automatically scales the application based on the queue size.

Tools

AWS services

Amazon Elastic Container Registry (Amazon ECR) is a managed container image registry service that’s secure, scalable, and reliable.
Amazon Elastic Kubernetes Service (Amazon EKS) helps you run Kubernetes on AWS without needing to install or maintain your own Kubernetes control plane or nodes.
AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.
Amazon Simple Queue Service (Amazon SQS) provides a secure, durable, and available hosted queue that helps you integrate and decouple distributed software systems and components.

Other tools

KEDA is a Kubernetes-based event-driven autoscaler.

Code repository

The code for this pattern is available in the GitHub Event-driven auto scaling using EKS Pod Identity and KEDA repository.

Best practices

We recommend that you adhere to the following best practices:

Epics

Task	Description	Skills required
Create the IAM role for the KEDA operator.	Sign in to the AWS Management Console, and then open the IAM console. In the navigation pane, choose Roles. Choose Create role. Choose the Custom trust policy role type. In the Custom trust policy section, enter the following custom trust policy for this role: `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "pods.eks.amazonaws.com" }, "Action": [ "sts:AssumeRole", "sts:TagSession" ] } ] }` On the Add permissions page, choose Next. You do not add any policies to this role. For Role name, enter `keda-operator`. Choose Create role.	AWS administrator
Create the IAM role for the sample application.	In the IAM console, in the navigation pane, choose Roles. Choose Create role. Choose the Custom trust policy role type. In the Custom trust policy section, enter the following custom trust policy for this role. Replace `<account number>` with your target account number: `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "pods.eks.amazonaws.com", "AWS": "arn:aws:iam::<account number>:role/keda-operator" }, "Action": [ "sts:AssumeRole", "sts:TagSession" ] } ] }` On the Add permissions page, add the following AWS managed polices to the role: `AmazonSQSReadOnlyAccess` `AWSLambdaSQSQueueExecutionRole` Choose Next. For Role name, enter `keda-identity`. Choose Create role.	AWS administrator
Create an Amazon SQS queue.	Open the Amazon SQS console. Choose Create queue. For Type, choose Standard. On Create queue page, for Name, enter `event-messages-queue`. Choose Create queue. You do not change any of the default settings for this queue.	General AWS
Create an Amazon ECR repository.	Open the Amazon ECR console. Choose Create repository. For Repository name, enter `keda-pod-identity-registry`. Choose Create repository. You do not change any of the default settings for this repository.	General AWS

Task	Description	Skills required
Deploy the Amazon EKS Pod Identity agent.	For the target Amazon EKS cluster, set up the Amazon EKS Pod Identity agent. Follow the instructions in Set up the Amazon EKS Pod Identity Agent in the Amazon EKS documentation.	AWS DevOps
Deploy KEDA.	Enter the following commands to deploy KEDA on the target Amazon EKS cluster: `# Add Helm Repo for Keda helm repo add kedacore https://kedacore.github.io/charts # Update Helm repo helm repo update # Install Keda helm install keda kedacore/keda --namespace keda --create-namespace` For more information, see Deploying with Helm in the KEDA documentation. After successful deployment, in the output, validate that three deployments are created for the KEDA operator. The following is a sample output: `NAME READY UP-TO-DATE AVAILABLE AGE keda-admission-webhooks 1/1 1 1 89s keda-operator 1/1 1 1 89s keda-operator-metrics-apiserver 1/1 1 1 89s`	DevOps engineer
Assign the IAM role to the Kubernetes service account.	Follow the instructions in Assign an IAM role to a Kubernetes service account in the Amazon EKS documentation. Use the following values: For IAM role, enter `keda-operator`. For Kubernetes namespace, enter `keda`. For Kubernetes service account, enter `keda-operator`.	AWS DevOps
Create a namespace.	Enter the following command to create a `security` namespace in the target Amazon EKS cluster: `kubectl create ns security`	DevOps engineer

Task	Description	Skills required
Clone the application files.	Enter the following command to clone the Event-driven auto scaling using EKS Pod Identity and KEDA repository from GitHub: `git clone https://github.com/aws-samples/event-driven-autoscaling-using-podidentity-and-keda.git`	DevOps engineer
Build the Docker image.	Enter the following command to navigate into the cloned repository: `cd event-driven-autoscaling-using-podidentity-and-keda` Enter the following command to build the Docker image for the sample application: `docker build -t keda-pod-identity-registry .`	DevOps engineer
Push the Docker image to Amazon ECR.	In the terminal where you built the Docker image, enter the following command to log in to Amazon ECR. Replace `<AWS_REGION>` and `<AWS_ACCOUNT_ID>` with values from your AWS environment: `aws ecr get-login-password \ --region <AWS_REGION> \| docker login \ --username AWS \ --password-stdin <AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com` Enter the following command to tag the image. Replace `<AWS_REGION>` and `<AWS_ACCOUNT_ID>` with values from your AWS environment: `docker tag keda-pod-identity-registry:latest <AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com/keda-pod-identity-registry:latest` Enter the following command to push the image to Amazon ECR. Replace `<AWS_REGION>` and `<AWS_ACCOUNT_ID>` with values from your AWS environment: `docker push <AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com/keda-pod-identity-registry:latest` Note You can find push commands by navigating to the Amazon ECR repository page and then choosing View push commands.	DevOps engineer
Deploy the sample application.	In the cloned repository, open the deploy.yaml file. Replace `<AWS_ACCOUNT_ID>` and `<AWS_REGION>` with values from your environment. Save and close the deploy.yaml file. Enter the following command to deploy the sample application on the target Amazon EKS cluster: `kubectl apply -f deploy.yaml` This command creates a deployment and service account in the cluster.	DevOps engineer
Assign the IAM role to the application service account.	Do one of the following to associate the `keda-identity` IAM role with the service account for the sample application: Follow the instructions in Assign an IAM role to a Kubernetes service account in the Amazon EKS documentation. Use the following values: For IAM role, enter `keda-identity`. For Kubernetes namespace, enter `security`. For Kubernetes service account, enter `my-sqs-read-msgs`. Enter the following AWS CLI command. Replace `<cluster-name>` with the name of the target Amazon EKS cluster, and replace `<role-ARN>` with the Amazon Resource Name (ARN) of the `keda-identity` role: `aws eks create-pod-identity-association \ --cluster-name <cluster-name> \ --role-arn <role-ARN> \ --namespace security \ --service-account my-sqs-read-msgs`	DevOps engineer
Deploy `ScaledObject` and `TriggerAuthentication`.	In the cloned repository, open the keda.yaml file. Replace `{{AWS_ACCOUNT_ID}}` with the ID of your target AWS account. Replace `{{AWS_REGION}}` with your target AWS Region. (Optional) In lines 21–24, update the parameters for the `ScaledObject` scaling policy. See the following for more information about these parameters: pollingInterval cooldownPeriod idleReplicaCount minReplicaCount Save and close the keda.yaml file. Enter the following command to deploy the `ScaledObject` and `TriggerAuthentication` resources: `kubectl -n security apply -f keda.yaml`	DevOps engineer

Task	Description	Skills required
Send messages to the Amazon SQS queue.	Enter the following command to navigate into the cloned repository: `cd event-driven-autoscaling-using-podidentity-and-keda` Enter the following command to send test messages to the Amazon SQS queue: `python sqs_send_msg.py` The sqs_send_msg.py script acts as an application that generates messages for testing auto scaling. Note If you're running Python 3, enter `python3 sqs_send_msg.py`.	DevOps engineer
Monitor the application pods.	In different terminal, enter the following command to monitor the pods: `kubectl -n security get po` For every 5 unread messages in the Amazon SQS queue, KEDA adds one pod. In the output of the previous command, confirm that new pods are being added. The following is a sample output: `kubectl -n security get po NAME READY STATUS RESTARTS AGE q-read-797f4c7589-2bj76 1/1 Running 0 2s q-read-797f4c7589-4zxph 1/1 Running 0 49s q-read-797f4c7589-cg9dt 1/1 Running 0 18s q-read-797f4c7589-slc69 1/1 Running 0 33s` When you are finished testing, in the original terminal, enter CTRL + C (Windows) or CMD + C (macOS). This stops the python sqs_send_msg.py script.	DevOps engineer

Troubleshooting

Issue Solution

Issue	Solution
The KEDA operator cannot scale the application.	Enter the following command to check the logs of the `keda-operator` IAM role: `kubectl logs -n keda -l app=keda-operator -c keda-operator` If there is an `HTTP 403` response code, then the application and the KEDA scaler do not have sufficient permissions to access the Amazon SQS queue. Complete the following steps: Check the IAM policies and statements for the `keda-identity` role to confirm that that queue read access is granted. Validate the trust relationship between the IAM roles. The following is an example: `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "pods.eks.amazonaws.com" }, "Action": [ "sts:AssumeRole", "sts:TagSession" ] } ] }` If there is an `Assume-Role` error, then an Amazon EKS node IAM role is unable to assume the IAM role that is defined for `TriggerAuthentication`. Complete the following steps: Enter the following command to delete the `keda-operator` pod and create a new one: `kubectl delete pod keda-operator-<alphenumeric-value> --namespace keda` Enter the following command to check the identity that the pod assumes: `kubectl describe pod <keda-operator-pod-name> --namespace keda` When the pod successfully restarts, confirm that the following two variables are added to the pod description: `AWS_CONTAINER_CREDENTIALS_FULL_URI` `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE`

The KEDA operator cannot scale the application.

Enter the following command to check the logs of the keda-operator IAM role:


kubectl logs -n keda -l app=keda-operator -c keda-operator

If there is an HTTP 403 response code, then the application and the KEDA scaler do not have sufficient permissions to access the Amazon SQS queue. Complete the following steps:

Check the IAM policies and statements for the keda-identity role to confirm that that queue read access is granted.

Validate the trust relationship between the IAM roles. The following is an example:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "pods.eks.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
            ]
        }
    ]
}

If there is an Assume-Role error, then an Amazon EKS node IAM role is unable to assume the IAM role that is defined for TriggerAuthentication. Complete the following steps:

Enter the following command to delete the keda-operator pod and create a new one:
```
kubectl delete pod keda-operator-<alphenumeric-value> --namespace keda
```
Enter the following command to check the identity that the pod assumes:
```
kubectl describe pod <keda-operator-pod-name> --namespace keda
```
When the pod successfully restarts, confirm that the following two variables are added to the pod description:
- AWS_CONTAINER_CREDENTIALS_FULL_URI
- AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE

Related resources

Set up the Amazon EKS Pod Identity Agent (Amazon EKS documentation)
Deploying KEDA (KEDA documentation)
ScaledObject specification (KEDA documentation)
Authentication with TriggerAuthentication (KEDA documentation)

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Run stateful workloads with persistent data storage