Create Cloud Identity on AWS

This guide will walk you through creating an IAM role for service accounts so that Rok can assume it.

See also

Choose one of the following options to create the cloud identity for Rok:

What You'll Need

Option 1: Create Cloud Identity Automatically (preferred)

Create a cloud identity for Rok by following the on-screen instructions on the rok-deploy user interface.

If rok-deploy is not already running, start it with:

root@rok-tools:~# rok-deploy --run-from cloudidentity
../../../_images/cloudidentity.png

Proceed to the Summary section.

Option 2: Create Cloud Identity Manually

If you want to create a cloud identity for Rok manually, follow the instructions below.

Procedure

Follow these steps to grant a Rok cluster full access to S3 buckets with a specific prefix, i.e., related to an existing EKS cluster.

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
    
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.{envvars-aws,eks-cluster,\
    > eks-identity})
    
    root@rok-tools:~/ops/deployments# export AWS_ACCOUNT_ID AWS_DEFAULT_REGION \
    >   EKS_CLUSTER EKS_CLUSTER_OIDC
    
  3. Set the name of the Rok cluster:

    root@rok-tools:~/ops/deployments# export ROK_CLUSTER_NAME=rok
    
  4. Set the namespace in which you will deploy Rok:

    root@rok-tools:~/ops/deployments# export ROK_CLUSTER_NAMESPACE=rok
    
  5. Set the S3 bucket prefix under which you will grant Rok full access:

    root@rok-tools:~/ops/deployments# export AWS_S3_BUCKET_PREFIX=rok-${AWS_ACCOUNT_ID?}\
    > -${AWS_DEFAULT_REGION?}-${EKS_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}\
    > -${ROK_CLUSTER_NAME?}
    
    root@rok-tools:~/ops/deployments# export AWS_S3_BUCKET_PREFIX=${AWS_S3_BUCKET_PREFIX\
    > %-rok-rok}
    
  6. Set the name of the IAM role which will grant full access to S3 buckets under the prefix you specified in the previous step:

    root@rok-tools:~/ops/deployments# export AWS_S3_ROLE=rok-${AWS_DEFAULT_REGION?}\
    > -${EKS_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}-${ROK_CLUSTER_NAME?}
    
    root@rok-tools:~/ops/deployments# export AWS_S3_ROLE=${AWS_S3_ROLE%-rok-rok}
    
  7. Set the name of the CloudFormation stack you will deploy:

    root@rok-tools:~/ops/deployments# export AWS_CF_S3_RESOURCES=rok\
    > -${AWS_DEFAULT_REGION?}-${EKS_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}-${ROK_CLUSTER_NAME?}
    
    root@rok-tools:~/ops/deployments# export AWS_CF_S3_RESOURCES=${AWS_CF_S3_RESOURCES\
    > %-rok-rok}
    
  8. Generate the AWS CloudFormation stack:

    root@rok-tools:~/ops/deployments# j2 rok/eks/s3-iam-resources.yaml.j2 \
    >   -o rok/eks/s3-iam-resources.yaml
    

    Alternatively, download the s3-iam-resources CloudFormation template provided below and use it locally.

    s3-iam-resources.yaml.j2
    1Metadata:
    2 Rok::StackName: {{AWS_CF_S3_RESOURCES}}
    3
    4-33
    4Resources:
    5 RokS3Role:
    6 Type: AWS::IAM::Role
    7 Properties:
    8 RoleName: {{AWS_S3_ROLE}}
    9 AssumeRolePolicyDocument:
    10 Version: '2012-10-17'
    11 Statement:
    12 - Effect: Allow
    13 Action: sts:AssumeRoleWithWebIdentity
    14 Principal:
    15 Federated: arn:aws:iam::{{AWS_ACCOUNT_ID}}:oidc-provider/{{EKS_CLUSTER_OIDC}}
    16 Condition:
    17 StringEquals:
    18 {{EKS_CLUSTER_OIDC}}:sub: system:serviceaccount:{{ROK_CLUSTER_NAMESPACE}}:{{ROK_CLUSTER_NAME}}
    19 ManagedPolicyArns:
    20 - Ref: RokS3Policy
    21 RokS3Policy:
    22 Type: AWS::IAM::ManagedPolicy
    23 Properties:
    24 {%- if ROK_CLUSTER_NAMESPACE != "rok" or ROK_CLUSTER_NAME != "rok" %}
    25 ManagedPolicyName: rok-{{AWS_DEFAULT_REGION}}-{{EKS_CLUSTER}}-{{ROK_CLUSTER_NAMESPACE}}-{{ROK_CLUSTER_NAME}}
    26 {%- else %}
    27 ManagedPolicyName: rok-{{AWS_DEFAULT_REGION}}-{{EKS_CLUSTER}}
    28 {%- endif %}
    29 PolicyDocument:
    30 Version: '2012-10-17'
    31 Statement:
    32 - Effect: Allow
    33 Action: s3:*
    34 Resource:
    35 - arn:aws:s3:::{{AWS_S3_BUCKET_PREFIX}}-*
    36 - arn:aws:s3:::{{AWS_S3_BUCKET_PREFIX}}-*/*
  9. Save your state:

    root@rok-tools:~/ops/deployments# j2 deploy/env.cloudidentity.j2 \
    >   -o deploy/env.cloudidentity
    
  10. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Create Cloud Identity on AWS"
    
  11. Mark your progress:

    root@rok-tools:~/ops/deployments# export DATE=$(date -u "+%Y-%m-%dT%H.%M.%SZ")
    
    root@rok-tools:~/ops/deployments# git tag -a deploy/${DATE?}/release-1.4/cloudidentity \
    >   -m "Create Cloud Identity on AWS"
    
  12. Deploy the CloudFormation stack:

    root@rok-tools:~/ops/deployments# aws cloudformation deploy \
    >   --stack-name ${AWS_CF_S3_RESOURCES?} \
    >   --template-file rok/eks/s3-iam-resources.yaml \
    >   --capabilities CAPABILITY_NAMED_IAM
    
    Waiting for changeset to be created..
    Waiting for stack create/update to complete
    Successfully created/updated stack - rok-us-west-2-arrikto-cluster
    

Important

If you don't have permissions to create IAM resources, share the YAML manifest with your administrator and ask them to deploy the CloudFormation stack with the command above.

Verify

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
    
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.{envvars-aws,cloudidentity})
    
    root@rok-tools:~/ops/deployments# export AWS_ACCOUNT_ID AWS_S3_BUCKET_PREFIX \
    >   AWS_S3_ROLE
    
  3. Verify that your S3 bucket prefix is not more than 52 characters long:

    root@rok-tools:~/ops/deployments# [[ ${#AWS_S3_BUCKET_PREFIX} -le 52 ]] && echo OK
    OK
    
  4. Verify that the IAM role exists:

    root@rok-tools:~/ops/deployments# aws iam get-role \
    > --role-name ${AWS_S3_ROLE?} \
    > --query Role.RoleName \
    > --output text && echo OK
    rok-us-west-2-arrikto-cluster
    OK
    
  5. Verify that the IAM role provides full access to S3 buckets under the prefix you specified:

    root@rok-tools:~/ops/deployments# aws iam simulate-principal-policy \
    > --cli-input-yaml "$(j2 rok/eks/can-i/cloudidentity.yaml.j2)" | \
    >   jq -r '.EvaluationResults[].EvalDecision' | \
    >   sort -u
    allowed
    

Summary

You have successfully created the cloud identity Rok will use to gain access to your platform's object storage service.

What's Next

The next step is to authorize Rok to access the object storage service using the cloud identity you created.