This method outlines how to configure AWS access for discovery jobs using a service account, specifically within AWS EKS (Elastic Kubernetes Service). It involves setting up a dedicated service account in Kubernetes that is linked to an IAM role, providing the necessary permissions for discovery tasks within the AWS environment. This setup ensures secure and efficient access management, tailored for discovery operations in Kubernetes-managed AWS services.
Replace the placeholders with your specific values:

| Name | Description |
|---|---|
| $AWS_EKS_CLUSTER_NAME | The name of the AWS EKS cluster to which we will deploy the application |
| $AWS_EKS_CLUSTER_REGION | The AWS Region of the AWS EKS cluster to which we will deploy the application |
| $APP_NAMESPACE | The Kubernetes namespace of the AWS EKS cluster to which we will deploy the application |
```bash
# Account id and the cluster's OIDC issuer host (scheme stripped); both are used in the trust policies below
account_id=$(aws sts get-caller-identity --query "Account" --output text)
oidc_provider=$(aws eks describe-cluster --name "$AWS_EKS_CLUSTER_NAME" --region "$AWS_EKS_CLUSTER_REGION" --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
namespace=$APP_NAMESPACE
# Kubernetes service accounts that are allowed to assume the role
service_account_c8_app=c8-backend
service_account_c8_djw=c8-djw
```
Create a trust relationship for the IAM role. The `sub` condition pins the role to the two service accounts in `$APP_NAMESPACE`, so no other pod in the cluster can assume it through the OIDC provider:

```bash
# Generate a JSON file for the trust relationship
cat >trust-relationship-sa.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${oidc_provider}:aud": "sts.amazonaws.com",
          "${oidc_provider}:sub": [
            "system:serviceaccount:${namespace}:${service_account_c8_app}",
            "system:serviceaccount:${namespace}:${service_account_c8_djw}"
          ]
        }
      }
    }
  ]
}
EOF
# Create an IAM role with the trust relationship defined above
aws iam create-role --role-name sh-c8-service-account --assume-role-policy-document file://trust-relationship-sa.json --description "The role for the Configure8 pods service account"
```
Download the IAM policy that grants read permissions to all AWS resources:

```bash
curl -o sh-c8-discovery-policy.json https://configure8-resources.s3.us-east-2.amazonaws.com/iam/sh-c8-discovery-policy.json
```

Create the IAM policy:

```bash
aws iam create-policy --policy-name sh-c8-discovery-policy --policy-document file://sh-c8-discovery-policy.json
```
Create an IAM role that can be assumed by the C8 and DJW service accounts (through the `sh-c8-service-account` role created above) and attach the discovery policy to it:

```bash
# Generate a JSON file for the trust relationship
cat >trust-relationship.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${account_id}:role/sh-c8-service-account"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
# Create the discovery role and attach the read-only discovery policy to it
aws iam create-role --role-name sh-c8-discovery --assume-role-policy-document file://trust-relationship.json --description "sh-c8-discovery"
aws iam attach-role-policy --role-name sh-c8-discovery --policy-arn "arn:aws:iam::${account_id}:policy/sh-c8-discovery-policy"
```
Annotate the Kubernetes service accounts. This can be done by adding the annotation to the c8-backend and c8-djw service accounts during the Helm installation command (or by using the BACKEND_SA_ANNOTATION and DJW_SA_ANNOTATION variables with the installation helper script), or manually:

```bash
# The namespace must match the one used in the trust relationship's sub condition
kubectl -n "$namespace" annotate serviceaccount c8-backend eks.amazonaws.com/role-arn=arn:aws:iam::${account_id}:role/sh-c8-service-account
kubectl -n "$namespace" annotate serviceaccount c8-djw eks.amazonaws.com/role-arn=arn:aws:iam::${account_id}:role/sh-c8-service-account
```
Note: if you want to discover more AWS accounts, repeat the 2nd step for each account.
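As an added check that is not part of the Configure8 documentation or tooling, the Python below rebuilds the first trust relationship above as a dictionary and flags the ways such an IRSA trust policy is commonly loosened: a missing or wildcard `sub` pin, a wrong audience, or a federated principal that is not the cluster's OIDC provider. The account id, OIDC provider id and helper names are constructed placeholders.

```python
import json

def build_trust_policy(account_id, oidc_provider, namespace, service_accounts):
    """Build the IRSA trust policy the page creates with a heredoc, as a dict."""
    subs = [f"system:serviceaccount:{namespace}:{sa}" for sa in service_accounts]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{oidc_provider}:aud": "sts.amazonaws.com",
                                       f"{oidc_provider}:sub": subs}},
    }]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def irsa_trust_findings(policy, oidc_provider, namespace, service_accounts):
    """Return findings for an IRSA trust policy. An empty list means every
    AssumeRoleWithWebIdentity statement is pinned to the cluster's OIDC provider,
    the sts.amazonaws.com audience and exactly the expected service accounts."""
    expected = {f"system:serviceaccount:{namespace}:{sa}" for sa in service_accounts}
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f":oidc-provider/{oidc_provider}"):
            findings.append(f"federated principal {federated!r} is not the cluster OIDC provider")
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        if equals.get(f"{oidc_provider}:aud") != "sts.amazonaws.com":
            findings.append("aud condition missing or not sts.amazonaws.com")
        if f"{oidc_provider}:sub" not in equals:
            findings.append("sub condition missing: any service account in the cluster could assume the role")
        for sub in _as_list(equals.get(f"{oidc_provider}:sub")):
            if sub not in expected:
                findings.append(f"unexpected service account {sub!r} in sub condition")
        for key, val in cond.get("StringLike", {}).items():  # a wildcard pin is as weak as no pin
            if any("*" in v or "?" in v for v in _as_list(val)):
                findings.append(f"wildcard in StringLike condition {key!r}")
    return findings

# Constructed sample values; the account id and OIDC provider id are placeholders, not a real cluster.
OIDC = "oidc.eks.us-east-2.amazonaws.com/id/EXAMPLEOIDCPROVIDERID"
SERVICE_ACCOUNTS = ["c8-backend", "c8-djw"]
GOOD = build_trust_policy("111122223333", OIDC, "c8", SERVICE_ACCOUNTS)
# Same policy with the sub pin dropped: every pod in the cluster could assume the role.
LOOSE = json.loads(json.dumps(GOOD))
del LOOSE["Statement"][0]["Condition"]["StringEquals"][f"{OIDC}:sub"]
```

Run the same check against the live document returned by `aws iam get-role --role-name sh-c8-service-account --query Role.AssumeRolePolicyDocument` to confirm the deployed role is still pinned after later edits.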