This repository has been archived by the owner on Apr 7, 2022. It is now read-only.

cross-account samples #3

Closed
1 task done
pahud opened this issue May 31, 2019 · 1 comment
@pahud
Contributor

pahud commented May 31, 2019

  • provide a cross-account sample
@pahud pahud self-assigned this May 31, 2019
@pahud
Contributor Author

pahud commented May 31, 2019

OK here we go.

  • Lambda function is in AWS Account A
  • EKS cluster in AWS Account B

We need to make sure the Lambda execution role is configured in the aws-auth ConfigMap of Amazon EKS in Account B.

Let's create a new Lambda role for Account A

Please note the Role Arn. We will use it later.

create Amazon EKS in Account B with eksctl

In account B

$ kubectl get no
NAME                                                STATUS   ROLES    AGE     VERSION
ip-192-168-44-190.ap-northeast-1.compute.internal   Ready    <none>   2m52s   v1.12.7
ip-192-168-64-12.ap-northeast-1.compute.internal    Ready    <none>   2m55s   v1.12.7

edit the aws-auth ConfigMap in account B

$ kubectl -n kube-system edit cm/aws-auth

Your aws-auth should look pretty much like this:

$ kubectl -n kube-system describe cm/aws-auth
Name:         aws-auth
Namespace:    kube-system
Labels:       <none>
Annotations:  <none>

Data
====
mapRoles:
----
- rolearn: arn:aws:iam::ACCOUNT_B:role/eksctl-myeks2-nodegroup-ng-8f82c3-NodeInstanceRole-1HG8UTEND4HGA
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
- rolearn: arn:aws:iam::ACCOUNT_A:role/LambdaEKSDemoRole
  username: LambdaEKSDemo
  groups:
    - system:masters

Events:  <none>

generate kubeconfig for Lambda(A) from account B

In account B:

$ aws eks update-kubeconfig --name myeks2 --dry-run > ~/.kube/lambda_config

~/.kube/lambda_config would be exactly the kubeconfig for Lambda in account A.

update Lambda function

Make sure your Lambda runs as the IAM role we created in the beginning.

Do not run aws eks update-kubeconfig in Lambda; instead, use the provided kubeconfig for Lambda like this:

[screenshot]

What's Next

You can store the base64-encoded kubeconfig as a Lambda environment variable like this:

# generate a base64 encoded kubeconfig with no line wrapping
aws eks update-kubeconfig --name myeks2 --dry-run | base64 -w0

Copy the content and paste it into a Lambda environment variable.

[screenshot]

@pahud pahud added the sample label May 31, 2019
@pahud pahud closed this as completed May 31, 2019
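The aws-auth ConfigMap in the sample above maps the Account A Lambda role to system:masters, i.e. full cluster admin across an account boundary. The following audit script is an added example, not code from this issue or the project: it parses a mapRoles block of the flat shape shown above (the sample text and the ACCOUNT_A/ACCOUNT_B placeholders are constructed from the page) and lists every principal that comes from another account or lands in system:masters, so such mappings can be reviewed and narrowed to a less privileged group.

```python
# Constructed sample: the mapRoles block from the aws-auth ConfigMap above.
# The ACCOUNT_A / ACCOUNT_B placeholders stand in for real 12-digit ids.
MAP_ROLES = """\
- rolearn: arn:aws:iam::ACCOUNT_B:role/eksctl-myeks2-nodegroup-ng-8f82c3-NodeInstanceRole-1HG8UTEND4HGA
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
- rolearn: arn:aws:iam::ACCOUNT_A:role/LambdaEKSDemoRole
  username: LambdaEKSDemo
  groups:
    - system:masters
"""


def parse_map_roles(text):
    """Parse the flat mapRoles YAML shape shown above (scalar keys plus a
    'groups' list, no quoting or nesting). Deliberately not a general YAML
    parser; use PyYAML if the ConfigMap is more complex than this."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- rolearn:"):          # start of a new mapping
            entries.append({"rolearn": line.split(":", 1)[1].strip(), "groups": []})
        elif line.startswith("- "):                # item of the groups list
            entries[-1]["groups"].append(line[2:].strip())
        elif line.endswith(":"):                   # the bare "groups:" header
            continue
        else:                                      # username: value
            key, val = line.split(":", 1)
            entries[-1][key.strip()] = val.strip()
    return entries


def account_of(role_arn):
    """arn:aws:iam::<account>:role/<name> -> <account>"""
    return role_arn.split(":")[4]


def audit_map_roles(text, cluster_account):
    """Return (finding, rolearn) pairs: principals from outside the cluster's
    account, and principals mapped straight into system:masters."""
    findings = []
    for entry in parse_map_roles(text):
        if account_of(entry["rolearn"]) != cluster_account:
            findings.append(("cross-account", entry["rolearn"]))
        if "system:masters" in entry["groups"]:
            findings.append(("cluster-admin", entry["rolearn"]))
    return findings


if __name__ == "__main__":
    for kind, arn in audit_map_roles(MAP_ROLES, "ACCOUNT_B"):
        print(f"{kind:14} {arn}")
```

Against a live cluster, feed it the output of `kubectl -n kube-system get cm aws-auth -o jsonpath='{.data.mapRoles}'` and the cluster's own account id.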