Create IAM Role for ExternalDNS

In this section you will create an IAM role for the service account that ExternalDNS will run with. ExternalDNS will need this in order to have permissions to manage DNS records on your Amazon Route 53 hosted zone.

Choose one of the following options to create an IAM role for ExternalDNS:

Check Your Environment

To create this role, you are going to deploy a CloudFormation stack. When working with AWS CloudFormation stacks to manage resources, not only do you need sufficient permissions on AWS CloudFormation, but also on the underlying resources that are defined in the template.

In order to create an IAM role with proper IAM policies attached to it for ExternalDNS using AWS CloudFormation you need permissions for the following actions:

  • Deploy AWS CloudFormation stacks.
  • Create IAM policies.
  • Create IAM roles.

Note

If you do not have the above permissions, contact your AWS administrator to grant sufficient permissions to your IAM user or deploy the below AWS CloudFormation stack for you.

Option 1: Create IAM Role for ExternalDNS Automatically (preferred)

Create an IAM role for ExternalDNS by following the on-screen instructions on the rok-deploy user interface.

If rok-deploy is not already running, start it with:

root@rok-tools:~# rok-deploy --run-from eks-alb-iam-edns
../../../../_images/eks-alb-iam-edns.png

Proceed to the Summary section.

Option 2: Create IAM Role for ExternalDNS Manually

If you want to create an IAM role for ExternalDNS manually, follow the instructions below.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.{envvars-aws,eks-cluster,\ > eks-identity})
    root@rok-tools:~/ops/deployments# export AWS_ACCOUNT_ID AWS_DEFAULT_REGION \ > EKS_CLUSTER EKS_CLUSTER_OIDC
  3. Specify the IAM policy name for ExternalDNS:

    root@rok-tools:~/ops/deployments# export EKS_ALB_IAM_EDNS_POLICY=rok\ > -${AWS_DEFAULT_REGION?}-${EKS_CLUSTER?}-edns
  4. Verify that the IAM policy name you specified is not longer than 128 characters:

    root@rok-tools:~/ops/deployments# [[ ${#EKS_ALB_IAM_EDNS_POLICY} -le 128 ]] && echo OK || echo FAIL OK

    Troubleshooting

    The output of the command is FAIL

    Go back to step 3 and specify a shorter name. Ensure the new name is not already in use.

  5. Specify the IAM role name and description for ExternalDNS:

    root@rok-tools:~/ops/deployments# export EKS_ALB_IAM_EDNS_ROLE=rok-${AWS_DEFAULT_REGION?}\ > -${EKS_CLUSTER?}-edns
    root@rok-tools:~/ops/deployments# export EKS_ALB_IAM_EDNS_ROLE_DESC=ExternalDNS
  6. Verify that the IAM role name you specified is not longer than 64 characters:

    root@rok-tools:~/ops/deployments# [[ ${#EKS_ALB_IAM_EDNS_ROLE} -le 64 ]] && echo OK || echo FAIL OK

    Troubleshooting

    The output of the command is FAIL

    Go back to step 5 and specify a shorter name. Ensure the new name is not already in use.

  7. Specify the service account name and namespace that ExternalDNS will run with:

    root@rok-tools:~/ops/deployments# export EKS_ALB_IAM_EDNS_SA_NAMESPACE=default
    root@rok-tools:~/ops/deployments# export EKS_ALB_IAM_EDNS_SA_NAME=external-dns
  8. Set the name of the CloudFormation stack you will deploy:

    root@rok-tools:~/ops/deployments# export EKS_ALB_IAM_EDNS_CF=rok-${AWS_DEFAULT_REGION?}\ > -${EKS_CLUSTER?}-edns
  9. Verify that the CloudFormation stack name you specified is not longer than 128 characters:

    root@rok-tools:~/ops/deployments# [[ ${#EKS_ALB_IAM_EDNS_CF} -le 128 ]] && echo OK || echo FAIL OK

    Troubleshooting

    The output of the command is FAIL

    Go back to step 8 and specify a shorter name. Ensure the new name is not already in use.

  10. Generate the AWS CloudFormation stack:

    root@rok-tools:~/ops/deployments# j2 rok/eks/eks-alb-edns-resources.yaml.j2 \ > -o rok/eks/eks-alb-edns-resources.yaml

    Alternatively, download the eks-alb-edns-resources CloudFormation template provided below and use it locally.

    eks-alb-edns-resources.yaml.j2
    1AWSTemplateFormatVersion: "2010-09-09"
    2
    3Description: Amazon EKS - ExternalDNS IAM Role and Policy
    4-37
    4
    5Metadata:
    6 Rok::StackName: {{EKS_ALB_IAM_EDNS_CF}}
    7
    8Resources:
    9 RokEDNSRole:
    10 Type: AWS::IAM::Role
    11 Properties:
    12 RoleName: {{EKS_ALB_IAM_EDNS_ROLE}}
    13 AssumeRolePolicyDocument:
    14 Version: '2012-10-17'
    15 Statement:
    16 - Effect: Allow
    17 Action: sts:AssumeRoleWithWebIdentity
    18 Principal:
    19 Federated: arn:aws:iam::{{AWS_ACCOUNT_ID}}:oidc-provider/{{EKS_CLUSTER_OIDC}}
    20 Condition:
    21 StringEquals:
    22 {{EKS_CLUSTER_OIDC}}:sub: system:serviceaccount:{{EKS_ALB_IAM_EDNS_SA_NAMESPACE}}:{{EKS_ALB_IAM_EDNS_SA_NAME}}
    23 Description: {{EKS_ALB_IAM_EDNS_ROLE_DESC}}
    24 ManagedPolicyArns:
    25 - Ref: RokEDNSPolicy
    26 RokEDNSPolicy:
    27 Type: AWS::IAM::ManagedPolicy
    28 Properties:
    29 ManagedPolicyName: {{EKS_ALB_IAM_EDNS_POLICY}}
    30 PolicyDocument:
    31 Version: '2012-10-17'
    32 Statement:
    33 - Effect: Allow
    34 Action: route53:ChangeResourceRecordSets
    35 Resource: arn:aws:route53:::hostedzone/*
    36 - Effect: Allow
    37 Action:
    38 - route53:ListHostedZones
    39 - route53:ListResourceRecordSets
    40 Resource: "*"
  11. Save your state:

    root@rok-tools:~/ops/deployments# rok-j2 deploy/env.eks-alb-iam-edns.j2 \ > -o deploy/env.eks-alb-iam-edns
  12. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Create IAM Role for ExternalDNS"
  13. Deploy the CloudFormation stack:

    root@rok-tools:~/ops/deployments# aws cloudformation deploy \ > --stack-name ${EKS_ALB_IAM_EDNS_CF?} \ > --template-file rok/eks/eks-alb-edns-resources.yaml \ > --capabilities CAPABILITY_NAMED_IAM Waiting for changeset to be created.. Waiting for stack create/update to complete Successfully created/updated stack - rok-us-west-2-arrikto-cluster-edns

    Troubleshooting

    AccessDenied

    If the above command fails with an error message similar to the following:

    An error occurred (AccessDenied) when calling the DescribeStacks operation: User: arn:aws:iam::123456789012:user/user is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:us-west-2:123456789012:stack/rok-us-west-2-arrikto-cluster-edns

    it means that your IAM user does not have sufficient permissions to perform an action necessary to deploy an AWS CloudFormation stack.

    To proceed, Check Your Environment and contact your AWS administrator to grant sufficient permissions to your IAM user or deploy the AWS CloudFormation stack for you.

    Failed to create/update the stack

    If the above command fails with an error message similar to the following:

    Failed to create/update the stack. Run the following command to fetch the list of events leading up to the failure aws cloudformation describe-stack-events --stack-name rok-us-west-2-arrikto-cluster-edns

    describe the events of the CloudFormation stack to identify the root cause of the failure:

    root@rok-tools:~/ops/deployments# aws cloudformation describe-stack-events --stack-name ${EKS_ALB_IAM_EDNS_CF?}
    • A stack event like the following:

      { "StackId": "arn:aws:cloudformation:us-west-2:123456789012:stack/rok-us-west-2-arrikto-cluster-edns/599bc930-7b3f-11eb-ac1c-029efe3a90a0", "EventId": "RokEDNSRole-CREATE_FAILED-2021-03-02T10:09:27.457Z", "StackName": "rok-us-west-2-arrikto-cluster-edns", "LogicalResourceId": "RokEDNSRole", "PhysicalResourceId": "", "ResourceType": "AWS::IAM::Role", "Timestamp": "2021-03-02T10:09:27.457000+00:00", "ResourceStatus": "CREATE_FAILED", "ResourceStatusReason": "rok-us-west-2-arrikto-cluster-edns already exists", "ResourceProperties": "{\"ManagedPolicyArns\":[\"arn:aws:iam::123456789012:policy/rok-us-west-2-arrikto-cluster-edns\"],\"RoleName\":\"rok-us-west-2-arrikto-cluster-edns\",\"Description\":\"ExternalDNS\",\"AssumeRolePolicyDocument\":{\"Version\":\"2012-10-17\",\"Statement\":[{\"Condition\":{\"StringEquals\":{\"oidc.eks.us-west-2.amazonaws.com/id/352A7999E682D224D5A47B738D375237:sub\":\"system:serviceaccount:default:external-dns\"}},\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Effect\":\"Allow\",\"Principal\":{\"Federated\":\"arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/352A7999E682D224D5A47B738D375237\"}}]}}" }

      means that the IAM Role or the IAM Policy that the AWS CloudFormation stack defines already exist, leading to name conflicts.

      To proceed, go back to step 3, specify a different name for the resources that already exist and follow the rest of the guide.

    • A stack event like the following:

      { "StackId": "arn:aws:cloudformation:us-west-2:123456789012:stack/rok-us-west-2-arrikto-cluster-edns/415eef80-7b46-11eb-b047-06980f530fec", "EventId": "RokEDNSRole-CREATE_FAILED-2021-03-02T10:58:54.216Z", "StackName": "rok-us-west-2-arrikto-cluster-edns", "LogicalResourceId": "RokEDNSRole", "PhysicalResourceId": "", "ResourceType": "AWS::IAM::Role", "Timestamp": "2021-03-02T10:58:54.216000+00:00", "ResourceStatus": "CREATE_FAILED", "ResourceStatusReason": "API: iam:CreateRole User: arn:aws:iam::123456789012:user/user is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::123456789012:role/rok-us-west-2-arrikto-cluster-edns", "ResourceProperties": "{\"ManagedPolicyArns\":[\"arn:aws:iam::123456789012:policy/rok-us-west-2-arrikto-cluster-edns\"],\"RoleName\":\"rok-us-west-2-arrikto-cluster-edns\",\"Description\":\"ExternalDNS\",\"AssumeRolePolicyDocument\":{\"Version\":\"2012-10-17\",\"Statement\":[{\"Condition\":{\"StringEquals\":{\"oidc.eks.us-west-2.amazonaws.com/id/352A7999E682D224D5A47B738D375237:sub\":\"system:serviceaccount:default:external-dns\"}},\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Effect\":\"Allow\",\"Principal\":{\"Federated\":\"arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/352A7999E682D224D5A47B738D375237\"}}]}}" }

      means that your IAM user does not have sufficient permissions to create the resources that the AWS CloudFormation stack defines.

      To proceed, Check Your Environment and contact your AWS administrator to grant your IAM user sufficient permissions or deploy the AWS CloudFormation stack for you.

    ValidationError

    If the above command fails with an error message similar to the following:

    An error occurred (ValidationError) when calling the CreateChangeSet operation: Stack:arn:aws:cloudformation:us-west-2:123456789012:stack/rok-us-west-2-arrikto-cluster-edns/671606f0-eb2b-11eb-8afb-0217413c9ed2 is in ROLLBACK_COMPLETE state and can not be updated.

    delete the stack and deploy it again.

  14. Mark your progress:

    root@rok-tools:~/ops/deployments# export DATE=$(date -u "+%Y-%m-%dT%H.%M.%SZ")
    root@rok-tools:~/ops/deployments# git tag \ > -a deploy/${DATE?}/release-2.0/eks-alb-iam-edns \ > -m "Create IAM Role for ExternalDNS"

Verify

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.{envvars-aws,eks-alb-iam-edns})
    root@rok-tools:~/ops/deployments# export AWS_ACCOUNT_ID EKS_ALB_IAM_EDNS_ROLE
  3. Verify that the IAM role exists:

    root@rok-tools:~/ops/deployments# aws iam get-role \ > --role-name ${EKS_ALB_IAM_EDNS_ROLE?} \ > --query Role.RoleName \ > --output text && echo OK rok-us-west-2-arrikto-cluster-edns OK
  4. Verify that the role has the necessary permissions to manage DNS records on your Amazon Route 53 hosted zone, that is, the output of the following commands is allowed :

    root@rok-tools:~/ops/deployments# aws iam simulate-principal-policy \ > --cli-input-yaml "$(j2 rok/eks/can-i/eks-alb-iam-edns-change.yaml.j2)" \ > | jq -r '.EvaluationResults[].EvalDecision' \ > | sort -u allowed
    root@rok-tools:~/ops/deployments# aws iam simulate-principal-policy \ > --cli-input-yaml "$(j2 rok/eks/can-i/eks-alb-iam-edns-list.yaml.j2)" \ > | jq -r '.EvaluationResults[].EvalDecision' \ > | sort -u allowed

    Troubleshooting

    Output contains ‘implicitDeny’ or ‘explicitDeny’

    If the output of simulate-principal-policy contains implicitDeny or explicitDeny, this means that the IAM role does not have sufficient permissions to manage DNS records on your Amazon Route 53 hosted zone. To proceed, create an IAM role following the Procedure.

Summary

You have successfully created the IAM role for ExternalDNS.

What’s Next

The next step is to deploy ExternalDNS.