tare dataplane identity bind
Bind the data plane's signing ServiceAccount to an AWS IAM role using IRSA so
the Envoy AI Gateway reaches Bedrock with the pod's role (the AWS SDK default
credential chain) instead of static keys. Pairs with a credential-less AWS
provider (fraser#4520): the data plane reconciles it to a region-only
BackendSecurityPolicy and the SDK resolves whatever identity the cluster
provides.
The signing container is ai-gateway-extproc in the egress pod, but the EKS
pod-identity webhook injects credentials into every container once the SA is
annotated, so binding the egress SA is enough.
Prerequisite: the cluster's IAM OIDC provider must be registered (eksctl's
--with-oidc, or "eksctl utils associate-iam-oidc-provider"). --create-iam
checks this and reports it rather than failing opaquely.
Before applying, a read-only preflight confirms the signing SA exists and the
current context can patch ServiceAccounts and Deployments (skip with
--skip-preflight). After binding, --wait polls the rollout and confirms
credentials were injected into the egress pod.
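The three pieces the command manages, as an added illustration that is not part of tare's own code: the OIDC web-identity trust policy that --create-iam writes, the ServiceAccount annotation that binding applies, and the injection check that --wait and --check perform. The account id, OIDC issuer, role ARN and container names are constructed sample values.

```python
import json

# Constructed values for illustration only; real ones come from the account and cluster.
ACCOUNT_ID = "123456789012"
OIDC_ISSUER = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
REQUIRED_ENV = {"AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE"}  # injected by the EKS webhook

def trust_policy(account_id, oidc_issuer, namespace, service_account):
    """Trust policy that lets exactly one ServiceAccount assume the role via IRSA."""
    issuer = oidc_issuer.split("://", 1)[-1]  # IAM refers to the provider without the scheme
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            # Pin subject (namespace + SA) and audience; without the :sub condition
            # any ServiceAccount in the cluster could assume this role.
            "Condition": {"StringEquals": {
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{issuer}:aud": "sts.amazonaws.com",
            }},
        }],
    }

def sa_patch(role_arn):
    """Merge patch that binds the ServiceAccount to the role (what --role-arn applies)."""
    return {"metadata": {"annotations": {"eks.amazonaws.com/role-arn": role_arn}}}

def credentials_injected(pod):
    """True only if every container carries both IRSA env vars (what --wait/--check confirm)."""
    containers = pod.get("spec", {}).get("containers", [])
    return bool(containers) and all(
        REQUIRED_ENV <= {e.get("name") for e in c.get("env", [])} for c in containers
    )

# Constructed egress pod specs: one after the rollout picked up the annotation, one before.
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/my-eks-bedrock-dp"
IRSA_ENV = [{"name": "AWS_ROLE_ARN", "value": ROLE_ARN},
            {"name": "AWS_WEB_IDENTITY_TOKEN_FILE",
             "value": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}]
POD_AFTER = {"spec": {"containers": [{"name": "ai-gateway-extproc", "env": IRSA_ENV},
                                     {"name": "envoy", "env": IRSA_ENV}]}}
POD_BEFORE = {"spec": {"containers": [{"name": "ai-gateway-extproc", "env": []},
                                      {"name": "envoy", "env": []}]}}

if __name__ == "__main__":
    print(json.dumps(trust_policy(ACCOUNT_ID, OIDC_ISSUER, "tars-dataplane", "egress"), indent=2))
    print("injected after rollout:", credentials_injected(POD_AFTER))
```

The :aud condition matters as much as :sub: the webhook-issued token is minted for the sts.amazonaws.com audience, and the condition refuses tokens minted for any other service.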
Examples:
  # Create the role + trust + bedrock policy, then bind it
  tare dataplane identity bind --type irsa --create-iam \
      --cluster my-eks --region us-east-1

  # Bind an IAM role you already created
  tare dataplane identity bind --type irsa \
      --role-arn arn:aws:iam::123456789012:role/my-eks-bedrock-dp

  # Preview the actions without applying
  tare dataplane identity bind --type irsa --create-iam \
      --cluster my-eks --region us-east-1 --dry-run

  # Verify the binding is in place (read-only; no changes)
  tare dataplane identity bind --check
Usage:
tare dataplane identity bind [flags]
Flags:
--check Read-only: report whether the SA is bound and credentials are injected; make no changes
--cluster string EKS cluster name (required with --create-iam)
--context string kubeconfig context (default: current context)
--create-iam Create/update the role, OIDC web-identity trust, and bedrock:InvokeModel policy
--dry-run Print the planned actions without applying them (--create-iam still queries AWS read-only to resolve the ARN and verify the OIDC prereq)
--namespace string Namespace holding the signing ServiceAccount (default "tars-dataplane")
--region string AWS region (required with --create-iam)
--role-arn string Existing IAM role ARN to bind (annotate-only; omit with --create-iam)
--role-name string Role name to create with --create-iam (default: <cluster>-bedrock-dp)
--service-account string Signing ServiceAccount to bind (the egress pod's SA) (default "egress")
--skip-preflight Skip the read-only cluster preflight (SA exists + RBAC can-i)
--timeout string Timeout for --wait rollout (e.g. 90s, 2m) (default "2m")
--type string Identity mechanism (irsa; pod-identity tracked in fraser#4816) (default "irsa")
--wait After binding, wait for the rollout and confirm credentials propagated (default true)
--yes Skip the confirmation prompt; required in non-TTY contexts
Global Flags:
-q, --quiet Suppress progress output; only errors and the final summary go to stderr
-v, --verbose Verbose output: plain-mode progress lines plus full per-blob chunk logs to stderr