Merge pull request #818 from ruzickap/update_docs

Use eksctl when creating the IAM role and trust relationship
crossplane-contrib · Sep 3, 2021 · e0259c0 · e0259c0
2 parents b9894e5 + 6a8e8fe
commit e0259c0
Showing 1 changed file with 32 additions and 20 deletions.
diff --git a/AUTHENTICATION.md b/AUTHENTICATION.md
@@ -24,8 +24,8 @@ large node pool.
 
 1. Connect to your EKS cluster
 
-```
-aws eks --region <region> update-kubeconfig --name <cluster-name>
+```bash
+aws eks --region "${AWS_REGION}" update-kubeconfig --name "${CLUSTER_NAME}"
 ```
 
 2. Get AWS account information
@@ -34,7 +34,7 @@ Get AWS account information and pick an IAM role name. These will be used to
 setup an OIDC provider and inject credentials into the provider-aws controller
 pod.
 
-```
+```bash
 export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
 export IAM_ROLE_NAME=provider-aws # name for IAM role, can be anything you want
 ```
@@ -43,7 +43,7 @@ export IAM_ROLE_NAME=provider-aws # name for IAM role, can be anything you want
 
 Install Crossplane from `stable` channel:
 
-```
+```bash
 kubectl create namespace crossplane-system
 helm repo add crossplane-stable https://charts.crossplane.io/stable
 
@@ -55,7 +55,7 @@ CLI](https://crossplane.io/docs/v1.0/getting-started/install-configure.html#inst
 but we will do so manually so that we can also create and reference a
 `ControllerConfig`:
 
-```
+```bash
 cat > provider-config.yaml <<EOF
 apiVersion: pkg.crossplane.io/v1alpha1
 kind: ControllerConfig
@@ -84,7 +84,7 @@ kubectl apply -f provider-config.yaml
 
 Make sure that the appropriate `ServiceAccount` exists:
 
-```
+```bash
 kubectl get serviceaccounts -n crossplane-system
 ```
 
@@ -94,7 +94,7 @@ controller `Pod` running if you execute `kubectl get pods -n crossplane-system`.
 Set environment variables to match the name and namespace of this
 `ServiceAccount`:
 
-```
+```bash
 SERVICE_ACCOUNT_NAMESPACE=crossplane-system
 SERVICE_ACCOUNT_NAME=provider-aws-<YOUR-SERVICE-ACCOUNT-EXTENSION>
 ```
@@ -104,21 +104,33 @@ SERVICE_ACCOUNT_NAME=provider-aws-<YOUR-SERVICE-ACCOUNT-EXTENSION>
 *If you do not have `eksctl` installed you may use the [AWS
 Console](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html)*
 
+```bash
+eksctl utils associate-iam-oidc-provider --cluster "${CLUSTER_NAME}" --region "${AWS_REGION}" --approve
 ```
-eksctl utils associate-iam-oidc-provider --cluster <cluster-name> --region <region> --approve
+
+6. Create IAM Role that provider-aws will use using `eksctl`
+
+Create IAM role with trust relationship:
+
+```bash
+eksctl create iamserviceaccount --cluster "${CLUSTER_NAME}" --region "${AWS_REGION}" --name="$SERVICE_ACCOUNT_NAME" --namespace="$SERVICE_ACCOUNT_NAMESPACE" --role-name="$IAM_ROLE_NAME" --role-only --attach-policy-arn="arn:aws:iam::aws:policy/AdministratorAccess" --approve
 ```
 
-6. Create IAM Role that provider-aws will use
+> The variable `${SERVICE_ACCOUNT_NAME}` contains default service account name
+> and changes with every provider release.
+
+6. Create IAM Role that provider-aws will use manually (skip if you created IAM
+   Role using `eksctl`)
 
 Set environment variables that will be used in subsequent commands:
 
-```
-OIDC_PROVIDER=$(aws eks describe-cluster --name <cluster-name> --region <region> --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
+```bash
+OIDC_PROVIDER=$(aws eks describe-cluster --name "${CLUSTER_NAME}" --region "${AWS_REGION}" --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
 ```
 
 Create trust relationship for IAM role:
 
-```
+```bash
 read -r -d '' TRUST_RELATIONSHIP <<EOF
 {
   "Version": "2012-10-17",
@@ -142,34 +154,34 @@ echo "${TRUST_RELATIONSHIP}" > trust.json
 ```
 
 > The default service account name is the provider-aws revision and changes with every provider release. The conditional above wildcard matches the default service account name in order to keep the role consistent across provider releases.
-The above policy assumes a service account name of `provider-aws-*` 
+The above policy assumes a service account name of `provider-aws-*`
 
 Create IAM role:
 
-```
-aws iam create-role --role-name $IAM_ROLE_NAME --assume-role-policy-document file://trust.json --description "IAM role for provider-aws"
+```bash
+aws iam create-role --role-name "${IAM_ROLE_NAME}" --assume-role-policy-document file://trust.json --description "IAM role for provider-aws"
 ```
 
 Associate a policy with the IAM role. This example uses `AdministratorAccess`,
 but you should select a policy with the minimum permissions required to
 provision your resources.
 
-```
-aws iam attach-role-policy --role-name $IAM_ROLE_NAME --policy-arn=arn:aws:iam::aws:policy/AdministratorAccess
+```bash
+aws iam attach-role-policy --role-name "${IAM_ROLE_NAME}" --policy-arn=arn:aws:iam::aws:policy/AdministratorAccess
 ```
 
-7. Create `ProviderConfig`
+1. Create `ProviderConfig`
 
 Ensure that `ProviderConfig` resource kind was created:
 
-```
+```bash
 kubectl explain providerconfig --api-version='aws.crossplane.io/v1beta1'
 ```
 
 To utilize those credentials to provision new resources, you must create a
 `ProviderConfig` with `source: InjectedIdentity`:
 
-```
+```bash
 cat > provider-config.yaml <<EOF
 apiVersion: aws.crossplane.io/v1beta1
 kind: ProviderConfig