Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use eksctl when creating the IAM role and trust relationship #818

Merged
merged 1 commit into from
Sep 3, 2021
Merged

Use eksctl when creating the IAM role and trust relationship #818

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 32 additions & 20 deletions AUTHENTICATION.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,8 +24,8 @@ large node pool.

1. Connect to your EKS cluster

```
aws eks --region <region> update-kubeconfig --name <cluster-name>
```bash
aws eks --region "${AWS_REGION}" update-kubeconfig --name "${CLUSTER_NAME}"
```

2. Get AWS account information
Expand All @@ -34,7 +34,7 @@ Get AWS account information and pick an IAM role name. These will be used to
setup an OIDC provider and inject credentials into the provider-aws controller
pod.

```
```bash
export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
export IAM_ROLE_NAME=provider-aws # name for IAM role, can be anything you want
```
Expand All @@ -43,7 +43,7 @@ export IAM_ROLE_NAME=provider-aws # name for IAM role, can be anything you want

Install Crossplane from `stable` channel:

```
```bash
kubectl create namespace crossplane-system
helm repo add crossplane-stable https://charts.crossplane.io/stable

Expand All @@ -55,7 +55,7 @@ CLI](https://crossplane.io/docs/v1.0/getting-started/install-configure.html#inst
but we will do so manually so that we can also create and reference a
`ControllerConfig`:

```
```bash
cat > provider-config.yaml <<EOF
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
Expand Down Expand Up @@ -84,7 +84,7 @@ kubectl apply -f provider-config.yaml

Make sure that the appropriate `ServiceAccount` exists:

```
```bash
kubectl get serviceaccounts -n crossplane-system
```

Expand All @@ -94,7 +94,7 @@ controller `Pod` running if you execute `kubectl get pods -n crossplane-system`.
Set environment variables to match the name and namespace of this
`ServiceAccount`:

```
```bash
SERVICE_ACCOUNT_NAMESPACE=crossplane-system
SERVICE_ACCOUNT_NAME=provider-aws-<YOUR-SERVICE-ACCOUNT-EXTENSION>
```
Expand All @@ -104,21 +104,33 @@ SERVICE_ACCOUNT_NAME=provider-aws-<YOUR-SERVICE-ACCOUNT-EXTENSION>
*If you do not have `eksctl` installed you may use the [AWS
Console](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html)*

```bash
eksctl utils associate-iam-oidc-provider --cluster "${CLUSTER_NAME}" --region "${AWS_REGION}" --approve
```
eksctl utils associate-iam-oidc-provider --cluster <cluster-name> --region <region> --approve

6. Create IAM Role that provider-aws will use using `eksctl`

Create IAM role with trust relationship:

```bash
eksctl create iamserviceaccount --cluster "${CLUSTER_NAME}" --region "${AWS_REGION}" --name="$SERVICE_ACCOUNT_NAME" --namespace="$SERVICE_ACCOUNT_NAMESPACE" --role-name="$IAM_ROLE_NAME" --role-only --attach-policy-arn="arn:aws:iam::aws:policy/AdministratorAccess" --approve
```

6. Create IAM Role that provider-aws will use
> The variable `${SERVICE_ACCOUNT_NAME}` contains default service account name
> and changes with every provider release.

6. Create IAM Role that provider-aws will use manually (skip if you created IAM
Role using `eksctl`)

Set environment variables that will be used in subsequent commands:

```
OIDC_PROVIDER=$(aws eks describe-cluster --name <cluster-name> --region <region> --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
```bash
OIDC_PROVIDER=$(aws eks describe-cluster --name "${CLUSTER_NAME}" --region "${AWS_REGION}" --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
```

Create trust relationship for IAM role:

```
```bash
read -r -d '' TRUST_RELATIONSHIP <<EOF
{
"Version": "2012-10-17",
Expand All @@ -142,34 +154,34 @@ echo "${TRUST_RELATIONSHIP}" > trust.json
```

> The default service account name is the provider-aws revision and changes with every provider release. The conditional above wildcard matches the default service account name in order to keep the role consistent across provider releases.
The above policy assumes a service account name of `provider-aws-*`
The above policy assumes a service account name of `provider-aws-*`

Create IAM role:

```
aws iam create-role --role-name $IAM_ROLE_NAME --assume-role-policy-document file://trust.json --description "IAM role for provider-aws"
```bash
aws iam create-role --role-name "${IAM_ROLE_NAME}" --assume-role-policy-document file://trust.json --description "IAM role for provider-aws"
```

Associate a policy with the IAM role. This example uses `AdministratorAccess`,
but you should select a policy with the minimum permissions required to
provision your resources.

```
aws iam attach-role-policy --role-name $IAM_ROLE_NAME --policy-arn=arn:aws:iam::aws:policy/AdministratorAccess
```bash
aws iam attach-role-policy --role-name "${IAM_ROLE_NAME}" --policy-arn=arn:aws:iam::aws:policy/AdministratorAccess
```

7. Create `ProviderConfig`
1. Create `ProviderConfig`

Ensure that `ProviderConfig` resource kind was created:

```
```bash
kubectl explain providerconfig --api-version='aws.crossplane.io/v1beta1'
```

To utilize those credentials to provision new resources, you must create a
`ProviderConfig` with `source: InjectedIdentity`:

```
```bash
cat > provider-config.yaml <<EOF
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
Expand Down