Create Cloud Identity on AWS¶
This guide will walk you through creating an IAM role for service accounts so that Rok can assume it.
Fast Forward
If you already have an IAM role for Rok, expand this box to fast-forward.
Go to your GitOps repository, inside your
rok-toolsmanagement environment:root@rok-tools:~# cd ~/ops/deployments
Restore the required context from previous sections:
root@rok-tools:~/ops/deployments# source <(cat deploy/env.{envvars-aws,eks-cluster})
root@rok-tools:~/ops/deployments# export AWS_ACCOUNT_ID AWS_DEFAULT_REGION \ > EKS_CLUSTER
Set the name of the Rok cluster:
root@rok-tools:~/ops/deployments# export ROK_CLUSTER_NAME=rok
Set the namespace in which you will deploy Rok:
root@rok-tools:~/ops/deployments# export ROK_CLUSTER_NAMESPACE=rok
Set the S3 bucket prefix under which you will grant Rok full access:
root@rok-tools:~/ops/deployments# export AWS_S3_BUCKET_PREFIX=rok-${AWS_ACCOUNT_ID?}\ > -${AWS_DEFAULT_REGION?}-${EKS_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}\ > -${ROK_CLUSTER_NAME?}
root@rok-tools:~/ops/deployments# export AWS_S3_BUCKET_PREFIX=${AWS_S3_BUCKET_PREFIX\ > %-rok-rok}
Set the name of the IAM role which will grant full access to S3 buckets under the prefix you specified in the previous step:
root@rok-tools:~/ops/deployments# export AWS_S3_ROLE=<ROLE>
Replace
<ROLE>with the IAM role name that Rok will assume, for example:root@rok-tools:~/ops/deployments# export AWS_S3_ROLE=rok-${AWS_DEFAULT_REGION?}\ > -${EKS_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}-${ROK_CLUSTER_NAME?}
root@rok-tools:~/ops/deployments# export AWS_S3_ROLE=${AWS_S3_ROLE%-rok-rok}
Save your state:
root@rok-tools:~/ops/deployments# j2 deploy/env.cloudidentity.j2 \ > -o deploy/env.cloudidentity
Commit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Create Cloud Identity"
Proceed to the Verify section.
See also
- IAM Role for Service Account on Official Amazon Docs.
Choose one of the following options to create the cloud identity for Rok:
- Option 1: Create Cloud Identity Automatically (preferred).
- Option 2: Create Cloud Identity Manually.
Air Gapped
Follow Option 2 and proceed with the manual installation.
Overview
What You'll Need¶
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing EKS cluster.
- Permissions to create IAM resources.
Option 1: Create Cloud Identity Automatically (preferred)¶
Create a cloud identity for Rok by following the on-screen instructions on the
rok-deploy user interface.
If rok-deploy is not already running, start it with:
root@rok-tools:~# rok-deploy --run-from cloudidentity
Proceed to the Summary section.
Option 2: Create Cloud Identity Manually¶
If you want to create a cloud identity for Rok manually, follow the instructions below.
Procedure¶
Follow these steps to grant a Rok cluster full access to S3 buckets with a specific prefix, i.e., related to an existing EKS cluster.
Go to your GitOps repository, inside your
rok-toolsmanagement environment:root@rok-tools:~# cd ~/ops/deployments
Restore the required context from previous sections:
root@rok-tools:~/ops/deployments# source <(cat deploy/env.{envvars-aws,eks-cluster,\ > eks-identity})
root@rok-tools:~/ops/deployments# export AWS_ACCOUNT_ID AWS_DEFAULT_REGION \ > EKS_CLUSTER EKS_CLUSTER_OIDC
Set the name of the Rok cluster:
root@rok-tools:~/ops/deployments# export ROK_CLUSTER_NAME=rok
Set the namespace in which you will deploy Rok:
root@rok-tools:~/ops/deployments# export ROK_CLUSTER_NAMESPACE=rok
Set the S3 bucket prefix under which you will grant Rok full access:
root@rok-tools:~/ops/deployments# export AWS_S3_BUCKET_PREFIX=rok-${AWS_ACCOUNT_ID?}\ > -${AWS_DEFAULT_REGION?}-${EKS_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}\ > -${ROK_CLUSTER_NAME?}
root@rok-tools:~/ops/deployments# export AWS_S3_BUCKET_PREFIX=${AWS_S3_BUCKET_PREFIX\ > %-rok-rok}
Set the name of the IAM role which will grant full access to S3 buckets under the prefix you specified in the previous step:
root@rok-tools:~/ops/deployments# export AWS_S3_ROLE=rok-${AWS_DEFAULT_REGION?}\ > -${EKS_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}-${ROK_CLUSTER_NAME?}
root@rok-tools:~/ops/deployments# export AWS_S3_ROLE=${AWS_S3_ROLE%-rok-rok}
Set the name of the CloudFormation stack you will deploy:
root@rok-tools:~/ops/deployments# export AWS_CF_S3_RESOURCES=rok\ > -${AWS_DEFAULT_REGION?}-${EKS_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}-${ROK_CLUSTER_NAME?}
root@rok-tools:~/ops/deployments# export AWS_CF_S3_RESOURCES=${AWS_CF_S3_RESOURCES\ > %-rok-rok}
Generate the AWS CloudFormation stack:
root@rok-tools:~/ops/deployments# j2 rok/eks/s3-iam-resources.yaml.j2 \ > -o rok/eks/s3-iam-resources.yaml
Alternatively, download the
s3-iam-resourcesCloudFormation template provided below and use it locally.s3-iam-resources.yaml.j2
1 Metadata: 2 Rok::StackName: {{AWS_CF_S3_RESOURCES}} 3 4-33 4 Resources: 5 RokS3Role: 6 Type: AWS::IAM::Role 7 Properties: 8 RoleName: {{AWS_S3_ROLE}} 9 AssumeRolePolicyDocument: 10 Version: '2012-10-17' 11 Statement: 12 - Effect: Allow 13 Action: sts:AssumeRoleWithWebIdentity 14 Principal: 15 Federated: arn:aws:iam::{{AWS_ACCOUNT_ID}}:oidc-provider/{{EKS_CLUSTER_OIDC}} 16 Condition: 17 StringEquals: 18 {{EKS_CLUSTER_OIDC}}:sub: system:serviceaccount:{{ROK_CLUSTER_NAMESPACE}}:{{ROK_CLUSTER_NAME}} 19 ManagedPolicyArns: 20 - Ref: RokS3Policy 21 RokS3Policy: 22 Type: AWS::IAM::ManagedPolicy 23 Properties: 24 {%- if ROK_CLUSTER_NAMESPACE != "rok" or ROK_CLUSTER_NAME != "rok" %} 25 ManagedPolicyName: rok-{{AWS_DEFAULT_REGION}}-{{EKS_CLUSTER}}-{{ROK_CLUSTER_NAMESPACE}}-{{ROK_CLUSTER_NAME}} 26 {%- else %} 27 ManagedPolicyName: rok-{{AWS_DEFAULT_REGION}}-{{EKS_CLUSTER}} 28 {%- endif %} 29 PolicyDocument: 30 Version: '2012-10-17' 31 Statement: 32 - Effect: Allow 33 Action: s3:* 34 Resource: 35 - arn:aws:s3:::{{AWS_S3_BUCKET_PREFIX}}-* 36 - arn:aws:s3:::{{AWS_S3_BUCKET_PREFIX}}-*/* Save your state:
root@rok-tools:~/ops/deployments# j2 deploy/env.cloudidentity.j2 \ > -o deploy/env.cloudidentity
Commit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Create Cloud Identity on AWS"
Mark your progress:
root@rok-tools:~/ops/deployments# export DATE=$(date -u "+%Y-%m-%dT%H.%M.%SZ")
root@rok-tools:~/ops/deployments# git tag -a deploy/${DATE?}/release-1.4/cloudidentity \ > -m "Create Cloud Identity on AWS"
Deploy the CloudFormation stack:
root@rok-tools:~/ops/deployments# aws cloudformation deploy \ > --stack-name ${AWS_CF_S3_RESOURCES?} \ > --template-file rok/eks/s3-iam-resources.yaml \ > --capabilities CAPABILITY_NAMED_IAM Waiting for changeset to be created.. Waiting for stack create/update to complete Successfully created/updated stack - rok-us-west-2-arrikto-cluster
Important
If you don't have permissions to create IAM resources, share the YAML manifest with your administrator and ask them to deploy the CloudFormation stack with the command above.
Verify¶
Go to your GitOps repository, inside your
rok-toolsmanagement environment:root@rok-tools:~# cd ~/ops/deployments
Restore the required context from previous sections:
root@rok-tools:~/ops/deployments# source <(cat deploy/env.{envvars-aws,cloudidentity})
root@rok-tools:~/ops/deployments# export AWS_ACCOUNT_ID AWS_S3_BUCKET_PREFIX \ > AWS_S3_ROLE
Verify that your S3 bucket prefix is not more than 52 characters long:
root@rok-tools:~/ops/deployments# [[ ${#AWS_S3_BUCKET_PREFIX} -le 52 ]] \ > && echo OK || echo FAIL OK
Verify that the IAM role exists:
root@rok-tools:~/ops/deployments# aws iam get-role \ > --role-name ${AWS_S3_ROLE?} \ > --query Role.RoleName \ > --output text && echo OK rok-us-west-2-arrikto-cluster OK
Verify that the IAM role provides full access to S3 buckets under the prefix you specified:
root@rok-tools:~/ops/deployments# aws iam simulate-principal-policy \ > --cli-input-yaml "$(j2 rok/eks/can-i/cloudidentity.yaml.j2)" | \ > jq -r '.EvaluationResults[].EvalDecision' | \ > sort -u allowed
Summary¶
You have successfully created the cloud identity Rok will use to gain access to your platform's object storage service.
What's Next¶
The next step is to authorize Rok to access the object storage service using the cloud identity you created.