Create Cloud Identity on AWS¶
This guide will walk you through creating an IAM role for service accounts so that Rok can assume it.
Fast Forward
If you already have an IAM role for Rok, expand this box to fast-forward.
Go to your GitOps repository, inside your
rok-tools
management environment:root@rok-tools:~# cd ~/ops/deploymentsRestore the required context from previous sections:
root@rok-tools:~/ops/deployments# source <(cat deploy/env.{envvars-aws,eks-cluster})root@rok-tools:~/ops/deployments# export AWS_ACCOUNT_ID AWS_DEFAULT_REGION \ > EKS_CLUSTERSet the name of the Rok cluster:
root@rok-tools:~/ops/deployments# export ROK_CLUSTER_NAME=rokSet the namespace in which you will deploy Rok:
root@rok-tools:~/ops/deployments# export ROK_CLUSTER_NAMESPACE=rokSet the S3 bucket prefix under which you will grant Rok full access:
root@rok-tools:~/ops/deployments# export AWS_S3_BUCKET_PREFIX=rok-${AWS_ACCOUNT_ID?}\ > -${AWS_DEFAULT_REGION?}-${EKS_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}\ > -${ROK_CLUSTER_NAME?}root@rok-tools:~/ops/deployments# export AWS_S3_BUCKET_PREFIX=${AWS_S3_BUCKET_PREFIX\ > %-rok-rok}Set the name of the IAM role which will grant full access to S3 buckets under the prefix you specified in the previous step:
root@rok-tools:~/ops/deployments# export AWS_S3_ROLE=<ROLE>Replace
<ROLE>
with the IAM role name that Rok will assume, for example:root@rok-tools:~/ops/deployments# export AWS_S3_ROLE=rok-${AWS_DEFAULT_REGION?}\ > -${EKS_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}-${ROK_CLUSTER_NAME?}root@rok-tools:~/ops/deployments# export AWS_S3_ROLE=${AWS_S3_ROLE%-rok-rok}Save your state:
root@rok-tools:~/ops/deployments# j2 deploy/env.cloudidentity.j2 \ > -o deploy/env.cloudidentityCommit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Create Cloud Identity"Proceed to the Verify section.
See also
- IAM Role for Service Account on Official Amazon Docs.
Choose one of the following options to create the cloud identity for Rok:
- Option 1: Create Cloud Identity Automatically (preferred).
- Option 2: Create Cloud Identity Manually.
Air Gapped
Follow Option 2 and proceed with the manual installation.
Overview
What You’ll Need¶
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing EKS cluster.
- Permissions to create IAM resources.
Option 1: Create Cloud Identity Automatically (preferred)¶
Create a cloud identity for Rok by following the on-screen instructions on the
rok-deploy
user interface.
If rok-deploy
is not already running, start it with:
Proceed to the Summary section.
Option 2: Create Cloud Identity Manually¶
If you want to create a cloud identity for Rok manually, follow the instructions below.
Procedure¶
Follow these steps to grant a Rok cluster full access to S3 buckets with a specific prefix, i.e., related to an existing EKS cluster.
Go to your GitOps repository, inside your
rok-tools
management environment:root@rok-tools:~# cd ~/ops/deploymentsRestore the required context from previous sections:
root@rok-tools:~/ops/deployments# source <(cat deploy/env.{envvars-aws,eks-cluster,\ > eks-identity})root@rok-tools:~/ops/deployments# export AWS_ACCOUNT_ID AWS_DEFAULT_REGION \ > EKS_CLUSTER EKS_CLUSTER_OIDCSet the name of the Rok cluster:
root@rok-tools:~/ops/deployments# export ROK_CLUSTER_NAME=rokSet the namespace in which you will deploy Rok:
root@rok-tools:~/ops/deployments# export ROK_CLUSTER_NAMESPACE=rokSet the S3 bucket prefix under which you will grant Rok full access:
root@rok-tools:~/ops/deployments# export AWS_S3_BUCKET_PREFIX=rok-${AWS_ACCOUNT_ID?}\ > -${AWS_DEFAULT_REGION?}-${EKS_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}\ > -${ROK_CLUSTER_NAME?}root@rok-tools:~/ops/deployments# export AWS_S3_BUCKET_PREFIX=${AWS_S3_BUCKET_PREFIX\ > %-rok-rok}Verify that the S3 bucket prefix you specified is not more than 52 characters long:
root@rok-tools:~/ops/deployments# [[ ${#AWS_S3_BUCKET_PREFIX} -le 52 ]] \ > && echo OK || echo FAIL OKTroubleshooting
The output of the command is FAIL
Go back to step 5 and specify a shorter bucket prefix.
Set the name of the IAM role which will grant full access to S3 buckets under the prefix you specified in the previous step:
root@rok-tools:~/ops/deployments# export AWS_S3_ROLE=rok-${AWS_DEFAULT_REGION?}\ > -${EKS_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}-${ROK_CLUSTER_NAME?}root@rok-tools:~/ops/deployments# export AWS_S3_ROLE=${AWS_S3_ROLE%-rok-rok}Set the name of the CloudFormation stack you will deploy:
root@rok-tools:~/ops/deployments# export AWS_CF_S3_RESOURCES=rok\ > -${AWS_DEFAULT_REGION?}-${EKS_CLUSTER?}-${ROK_CLUSTER_NAMESPACE?}-${ROK_CLUSTER_NAME?}root@rok-tools:~/ops/deployments# export AWS_CF_S3_RESOURCES=${AWS_CF_S3_RESOURCES\ > %-rok-rok}Generate the AWS CloudFormation stack:
root@rok-tools:~/ops/deployments# j2 rok/eks/s3-iam-resources.yaml.j2 \ > -o rok/eks/s3-iam-resources.yamlAlternatively, download the
s3-iam-resources
CloudFormation template provided below and use it locally.s3-iam-resources.yaml.j21 Metadata: 2 Rok::StackName: {{AWS_CF_S3_RESOURCES}} 3 4-33 4 Resources: 5 RokS3Role: 6 Type: AWS::IAM::Role 7 Properties: 8 RoleName: {{AWS_S3_ROLE}} 9 AssumeRolePolicyDocument: 10 Version: '2012-10-17' 11 Statement: 12 - Effect: Allow 13 Action: sts:AssumeRoleWithWebIdentity 14 Principal: 15 Federated: arn:aws:iam::{{AWS_ACCOUNT_ID}}:oidc-provider/{{EKS_CLUSTER_OIDC}} 16 Condition: 17 StringEquals: 18 {{EKS_CLUSTER_OIDC}}:sub: system:serviceaccount:{{ROK_CLUSTER_NAMESPACE}}:{{ROK_CLUSTER_NAME}} 19 ManagedPolicyArns: 20 - Ref: RokS3Policy 21 RokS3Policy: 22 Type: AWS::IAM::ManagedPolicy 23 Properties: 24 {%- if ROK_CLUSTER_NAMESPACE != "rok" or ROK_CLUSTER_NAME != "rok" %} 25 ManagedPolicyName: rok-{{AWS_DEFAULT_REGION}}-{{EKS_CLUSTER}}-{{ROK_CLUSTER_NAMESPACE}}-{{ROK_CLUSTER_NAME}} 26 {%- else %} 27 ManagedPolicyName: rok-{{AWS_DEFAULT_REGION}}-{{EKS_CLUSTER}} 28 {%- endif %} 29 PolicyDocument: 30 Version: '2012-10-17' 31 Statement: 32 - Effect: Allow 33 Action: s3:* 34 Resource: 35 - arn:aws:s3:::{{AWS_S3_BUCKET_PREFIX}}-* 36 - arn:aws:s3:::{{AWS_S3_BUCKET_PREFIX}}-*/* Save your state:
root@rok-tools:~/ops/deployments# j2 deploy/env.cloudidentity.j2 \ > -o deploy/env.cloudidentityCommit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Create Cloud Identity on AWS"Mark your progress:
root@rok-tools:~/ops/deployments# export DATE=$(date -u "+%Y-%m-%dT%H.%M.%SZ")root@rok-tools:~/ops/deployments# git tag -a deploy/${DATE?}/release-1.5/cloudidentity \ > -m "Create Cloud Identity on AWS"Deploy the CloudFormation stack:
root@rok-tools:~/ops/deployments# aws cloudformation deploy \ > --stack-name ${AWS_CF_S3_RESOURCES?} \ > --template-file rok/eks/s3-iam-resources.yaml \ > --capabilities CAPABILITY_NAMED_IAM Waiting for changeset to be created.. Waiting for stack create/update to complete Successfully created/updated stack - rok-us-west-2-arrikto-cluster
Important
If you don’t have permissions to create IAM resources, share the YAML manifest with your administrator and ask them to deploy the CloudFormation stack with the command above.
Verify¶
Go to your GitOps repository, inside your
rok-tools
management environment:root@rok-tools:~# cd ~/ops/deploymentsRestore the required context from previous sections:
root@rok-tools:~/ops/deployments# source <(cat deploy/env.{envvars-aws,cloudidentity})root@rok-tools:~/ops/deployments# export AWS_ACCOUNT_ID AWS_S3_BUCKET_PREFIX \ > AWS_S3_ROLEVerify that your S3 bucket prefix is not more than 52 characters long:
root@rok-tools:~/ops/deployments# [[ ${#AWS_S3_BUCKET_PREFIX} -le 52 ]] \ > && echo OK || echo FAIL OKTroubleshooting
The output of the command is FAIL
If the output of the above command is
FAIL
, it means that the S3 bucket prefix you specified is not short enough for the S3 buckets that Rok will create.To proceed, run the following steps:
Delete the IAM role you created for Rok. If you created the IAM role by following the Procedure, delete the CloudFormation stack instead, as follows:
Restore the name of the CloudFormation stack:
root@rok-tools:~/ops/deployments# export AWS_CF_S3_RESOURCES=$(\ > CF=$(cat rok/eks/s3-iam-resources.yaml \ > | grep StackName) \ > && echo ${CF##* })Delete the CloudFormation stack:
root@rok-tools:~/ops/deployments# aws cloudformation \ > delete-stack \ > --stack-name ${AWS_CF_S3_RESOURCES?}Wait until the CloudFormation stack is deleted:
root@rok-tools:~/ops/deployments# aws cloudformation \ > wait stack-delete-complete \ > --stack-name ${AWS_CF_S3_RESOURCES?}
Run the Procedure and select a shorter S3 bucket prefix.
Verify that the IAM role exists:
root@rok-tools:~/ops/deployments# aws iam get-role \ > --role-name ${AWS_S3_ROLE?} \ > --query Role.RoleName \ > --output text && echo OK rok-us-west-2-arrikto-cluster OKVerify that the IAM role provides full access to S3 buckets under the prefix you specified, that is, the output of the following command is
allowed
:root@rok-tools:~/ops/deployments# aws iam simulate-principal-policy \ > --cli-input-yaml "$(j2 rok/eks/can-i/cloudidentity.yaml.j2)" \ > | jq -r '.EvaluationResults[].EvalDecision' \ > | sort -u allowedTroubleshooting
Output contains ‘implicitDeny’ or ‘explicitDeny’
If the output of
simulate-principal-policy
containsimplicitDeny
orexplicitDeny
, this means that the IAM role does not have sufficient permissions to provide full access to S3 buckets under the prefix you specified. To proceed, create an IAM role following the Procedure.
Summary¶
You have successfully created the cloud identity Rok will use to gain access to your platform’s object storage service.
What’s Next¶
The next step is to authorize Rok to access the object storage service using the cloud identity you created.