Create Cloud Identity on AWS

This guide will walk you through creating an IAM role for service accounts so that Rok can assume it.

See also

Choose one of the following options to create the cloud identity for Rok:

What You’ll Need

Option 1: Create Cloud Identity Automatically (preferred)

Create a cloud identity for Rok by following the on-screen instructions on the rok-deploy user interface.

If rok-deploy is not already running, start it with:

root@rok-tools:~# rok-deploy --run-from cloudidentity
../../../_images/cloudidentity.png

Proceed to the Summary section.

Option 2: Create Cloud Identity Manually

If you want to create a cloud identity for Rok manually, follow the instructions below.

Procedure

Follow these steps to grant a Rok cluster full access to S3 buckets with a specific prefix, i.e., related to an existing EKS cluster.

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.{envvars-aws,eks-cluster,\ > eks-identity})
    root@rok-tools:~/ops/deployments# export AWS_ACCOUNT_ID AWS_DEFAULT_REGION \ > EKS_CLUSTER EKS_CLUSTER_OIDC
  3. Set the name of the Rok cluster:

    root@rok-tools:~/ops/deployments# export ROK_CLUSTER_NAME=rok
  4. Set the namespace in which you will deploy Rok:

    root@rok-tools:~/ops/deployments# export ROK_CLUSTER_NAMESPACE=rok
  5. Set the S3 bucket prefix under which you will grant Rok full access:

    root@rok-tools:~/ops/deployments# export AWS_S3_BUCKET_PREFIX=rok-${AWS_ACCOUNT_ID?}\ > -${AWS_DEFAULT_REGION?}-${EKS_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}\ > -${ROK_CLUSTER_NAME?}
    root@rok-tools:~/ops/deployments# export AWS_S3_BUCKET_PREFIX=${AWS_S3_BUCKET_PREFIX\ > %-rok-rok}
  6. Verify that the S3 bucket prefix you specified is not more than 52 characters long:

    root@rok-tools:~/ops/deployments# [[ ${#AWS_S3_BUCKET_PREFIX} -le 52 ]] \ > && echo OK || echo FAIL OK

    Troubleshooting

    The output of the command is FAIL

    Go back to step 5 and specify a shorter bucket prefix.

  7. Set the name of the IAM role which will grant full access to S3 buckets under the prefix you specified in the previous step:

    root@rok-tools:~/ops/deployments# export AWS_S3_ROLE=rok-${AWS_DEFAULT_REGION?}\ > -${EKS_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}-${ROK_CLUSTER_NAME?}
    root@rok-tools:~/ops/deployments# export AWS_S3_ROLE=${AWS_S3_ROLE%-rok-rok}
  8. Set the name of the CloudFormation stack you will deploy:

    root@rok-tools:~/ops/deployments# export AWS_CF_S3_RESOURCES=rok\ > -${AWS_DEFAULT_REGION?}-${EKS_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}-${ROK_CLUSTER_NAME?}
    root@rok-tools:~/ops/deployments# export AWS_CF_S3_RESOURCES=${AWS_CF_S3_RESOURCES\ > %-rok-rok}
  9. Generate the AWS CloudFormation stack:

    root@rok-tools:~/ops/deployments# j2 rok/eks/s3-iam-resources.yaml.j2 \ > -o rok/eks/s3-iam-resources.yaml

    Alternatively, download the s3-iam-resources CloudFormation template provided below and use it locally.

    s3-iam-resources.yaml.j2
    1Metadata:
    2 Rok::StackName: {{AWS_CF_S3_RESOURCES}}
    3
    4-33
    4Resources:
    5 RokS3Role:
    6 Type: AWS::IAM::Role
    7 Properties:
    8 RoleName: {{AWS_S3_ROLE}}
    9 AssumeRolePolicyDocument:
    10 Version: '2012-10-17'
    11 Statement:
    12 - Effect: Allow
    13 Action: sts:AssumeRoleWithWebIdentity
    14 Principal:
    15 Federated: arn:aws:iam::{{AWS_ACCOUNT_ID}}:oidc-provider/{{EKS_CLUSTER_OIDC}}
    16 Condition:
    17 StringEquals:
    18 {{EKS_CLUSTER_OIDC}}:sub: system:serviceaccount:{{ROK_CLUSTER_NAMESPACE}}:{{ROK_CLUSTER_NAME}}
    19 ManagedPolicyArns:
    20 - Ref: RokS3Policy
    21 RokS3Policy:
    22 Type: AWS::IAM::ManagedPolicy
    23 Properties:
    24 {%- if ROK_CLUSTER_NAMESPACE != "rok" or ROK_CLUSTER_NAME != "rok" %}
    25 ManagedPolicyName: rok-{{AWS_DEFAULT_REGION}}-{{EKS_CLUSTER}}-{{ROK_CLUSTER_NAMESPACE}}-{{ROK_CLUSTER_NAME}}
    26 {%- else %}
    27 ManagedPolicyName: rok-{{AWS_DEFAULT_REGION}}-{{EKS_CLUSTER}}
    28 {%- endif %}
    29 PolicyDocument:
    30 Version: '2012-10-17'
    31 Statement:
    32 - Effect: Allow
    33 Action: s3:*
    34 Resource:
    35 - arn:aws:s3:::{{AWS_S3_BUCKET_PREFIX}}-*
    36 - arn:aws:s3:::{{AWS_S3_BUCKET_PREFIX}}-*/*
  10. Save your state:

    root@rok-tools:~/ops/deployments# rok-j2 deploy/env.cloudidentity.j2 \ > -o deploy/env.cloudidentity
  11. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Create Cloud Identity on AWS"
  12. Deploy the CloudFormation stack:

    root@rok-tools:~/ops/deployments# aws cloudformation deploy \ > --stack-name ${AWS_CF_S3_RESOURCES?} \ > --template-file rok/eks/s3-iam-resources.yaml \ > --capabilities CAPABILITY_NAMED_IAM Waiting for changeset to be created.. Waiting for stack create/update to complete Successfully created/updated stack - rok-us-west-2-arrikto-cluster

    Important

    If you don’t have permissions to create IAM resources, share the YAML manifest with your administrator and ask them to deploy the CloudFormation stack with the command above.

  13. Mark your progress:

    root@rok-tools:~/ops/deployments# export DATE=$(date -u "+%Y-%m-%dT%H.%M.%SZ")
    root@rok-tools:~/ops/deployments# git tag \ > -a deploy/${DATE?}/release-2.0/cloudidentity \ > -m "Create Cloud Identity on AWS"

Verify

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.{envvars-aws,cloudidentity})
    root@rok-tools:~/ops/deployments# export AWS_ACCOUNT_ID AWS_S3_BUCKET_PREFIX \ > AWS_S3_ROLE
  3. Verify that your S3 bucket prefix is not more than 52 characters long:

    root@rok-tools:~/ops/deployments# [[ ${#AWS_S3_BUCKET_PREFIX} -le 52 ]] \ > && echo OK || echo FAIL OK

    Troubleshooting

    The output of the command is FAIL

    If the output of the above command is FAIL, it means that the S3 bucket prefix you specified is not short enough for the S3 buckets that Rok will create.

    To proceed, run the following steps:

    1. Delete the IAM role you created for Rok. If you created the IAM role by following the Procedure, delete the CloudFormation stack instead, as follows:

      1. Restore the name of the CloudFormation stack:

        root@rok-tools:~/ops/deployments# export AWS_CF_S3_RESOURCES=$(\ > CF=$(cat rok/eks/s3-iam-resources.yaml \ > | grep StackName) \ > && echo ${CF##* })
      2. Delete the CloudFormation stack:

        root@rok-tools:~/ops/deployments# aws cloudformation \ > delete-stack \ > --stack-name ${AWS_CF_S3_RESOURCES?}
      3. Wait until the CloudFormation stack is deleted:

        root@rok-tools:~/ops/deployments# aws cloudformation \ > wait stack-delete-complete \ > --stack-name ${AWS_CF_S3_RESOURCES?}
    2. Run the Procedure and select a shorter S3 bucket prefix.

  4. Verify that the IAM role exists:

    root@rok-tools:~/ops/deployments# aws iam get-role \ > --role-name ${AWS_S3_ROLE?} \ > --query Role.RoleName \ > --output text && echo OK rok-us-west-2-arrikto-cluster OK
  5. Verify that the IAM role provides full access to S3 buckets under the prefix you specified, that is, the output of the following command is allowed:

    root@rok-tools:~/ops/deployments# aws iam simulate-principal-policy \ > --cli-input-yaml "$(j2 rok/eks/can-i/cloudidentity.yaml.j2)" \ > | jq -r '.EvaluationResults[].EvalDecision' \ > | sort -u allowed

    Troubleshooting

    Output contains ‘implicitDeny’ or ‘explicitDeny’

    If the output of simulate-principal-policy contains implicitDeny or explicitDeny, this means that the IAM role does not have sufficient permissions to provide full access to S3 buckets under the prefix you specified. To proceed, create an IAM role following the Procedure.

Summary

You have successfully created the cloud identity Rok will use to gain access to your platform’s object storage service.

What’s Next

The next step is to authorize Rok to access the object storage service using the cloud identity you created.