Enable EKS IRSA
AWS Elastic Kubernetes Service (EKS) IAM Roles for Service Accounts (IRSA) authentication can be used to allow SingleStore cluster pods to communicate with S3 buckets (data, backup and pipelines).
This applies to Operator deployments only and is supported for SingleStore Self-Managed Engine version >= 8.
The following steps enable IRSA:
- Set the enable_eks_irsa global variable to ON.

    SET GLOBAL enable_eks_irsa = ON;

- Create an IAM role and attach policies that define which services the role can access and the scope of access for those services.
- Create a Kubernetes service account annotated with the IAM role ARN.

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      annotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::<aws_account_id>:role/<role_name>
      name: <service_account_name> # Must be set to the name of the cluster

- Update the Memsql CR spec with the service account name from the step above.

    apiVersion: memsql.com/v1alpha1
    kind: MemsqlCluster
    metadata:
      name: <name> # This is the name of the cluster
    spec:
      ...
      serviceAccountName: <service_account_name>
      backupSpec:
        credsMode: "eks_irsa"
        CloudServiceProvider: "AWS"
        bucketName: "<bucket_name>"
        s3Region: "<bucket_region; e.g. us-east-1>"

- The Operator restarts the nodes and mounts the JWT token on each node.
- Update the SQL statements to use the hint creds_mode: eks_irsa.
  - Data:

      CREATE LINK <db_name> AS S3 CREDENTIALS '{}' CONFIG '{"region":"us-east-1", "creds_mode":"eks_irsa"}'

  - Pipelines:

      CREATE PIPELINE <pipeline_name> AS LOAD DATA S3 'path' CONFIG '{"region": "us-east-1", "creds_mode": "eks_irsa"}'

  - Backup:

      BACKUP DATABASE <db_name> TO S3 "<bucket_name/path>" CONFIG '{"region":"us-east-1", "creds_mode": "eks_irsa"}' CREDENTIALS '{}';

  - Restore:

      RESTORE DATABASE <db_name> FROM S3 'bucket_name/path' CONFIG '{"region":"us-east-1", "creds_mode":"eks_irsa"}' CREDENTIALS '{}';

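The IAM role step above does not show the role's trust policy. The following added example (not taken from the SingleStore documentation) builds the standard IRSA trust policy pinned to a single service account and flags a policy whose sub condition has been loosened. The OIDC issuer ID, the default namespace and the cluster name sdb-cluster are constructed placeholders.

```python
import json

def irsa_trust_policy(account_id, oidc_issuer, namespace, service_account):
    """Trust policy that lets exactly one Kubernetes service account assume the role."""
    issuer = oidc_issuer.split("://")[-1]  # IAM condition keys omit the https:// scheme
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{issuer}:aud": "sts.amazonaws.com",
            }},
        }],
    }

def audit_trust_policy(policy, namespace, service_account):
    """Return findings for web-identity statements not pinned to the expected subject."""
    want = f"system:serviceaccount:{namespace}:{service_account}"
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        # Condition keys look like "<issuer>:sub"; index them by their suffix.
        exact = {k.rsplit(":", 1)[-1]: v for k, v in cond.get("StringEquals", {}).items()}
        loose = {k.rsplit(":", 1)[-1]: v for k, v in cond.get("StringLike", {}).items()}
        if "sub" in loose:
            findings.append(f"statement {i}: sub matched with StringLike ({loose['sub']})")
        elif exact.get("sub") != want:
            findings.append(f"statement {i}: sub is not pinned to {want}")
        if exact.get("aud") != "sts.amazonaws.com":
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
    return findings

# Constructed samples: issuer ID, namespace and cluster name are placeholders; BROAD is over-broad.
ISSUER = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF0123456789"
GOOD = irsa_trust_policy("123456789012", ISSUER, "default", "sdb-cluster")
BROAD = json.loads(json.dumps(GOOD))
_c = BROAD["Statement"][0]["Condition"]
_c["StringLike"] = {k: "system:serviceaccount:*:*" for k in _c["StringEquals"] if k.endswith(":sub")}
_c["StringEquals"] = {k: v for k, v in _c["StringEquals"].items() if k.endswith(":aud")}

if __name__ == "__main__":
    print(json.dumps(GOOD, indent=2), audit_trust_policy(BROAD, "default", "sdb-cluster"), sep="\n")
```

Because the service account must carry the cluster's name, the sub value in the trust policy changes whenever the cluster name or namespace does.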
Using EKS IRSA in Pipeline Definitions in SingleStore Helios
In SingleStore Helios, before creating the pipeline, you need to configure the role's permissions and cross-account access.
Refer to:
- Cloud Workload Identity and Delegated Entities to create cross-account access.
- The section "Use Cloud Workload Identity with S3 Pipelines" in Load Data from Amazon Web Services (AWS) S3 to create an S3 pipeline that authenticates using the cloud workload identity.
- The section "Create an IAM Policy Using JSON" in Load Data from Amazon Web Services (AWS) S3 for assigning permissions/policies.
Once the delegated entity is configured, create your pipeline using creds_mode and provide the role_arn that matches the delegated entity:
CREATE PIPELINE s3_pipeline AS
LOAD DATA S3 's3://<bucket-name>/<path>/'
CONFIG '{
"region": "us-east-1",
"creds_mode": "eks_irsa"
}'
CREDENTIALS '{
"role_arn":
"arn:aws:iam::123456789012:role/singlestore-s3-pipeline"
}'
INTO TABLE <table_name>
FIELDS TERMINATED BY ',';
Then start the pipeline:
START PIPELINE s3_pipeline;
Last modified: February 26, 2026