
AWS Target IAM Role Requirements & Granular Pod Level Access

Eva Tuczai edited this page Oct 6, 2023 · 14 revisions

In this section we describe how to configure Turbonomic's AWS mediation pods to use IAM Roles. We rely on fine-grained IAM Role support through a Kubernetes Service Account, on clusters configured with an OIDC provider and the admission-webhook method. At the time of this document version, the following k8s clusters and versions support this configuration and have been tested by Turbonomic:

  • Amazon EKS running k8s 1.16+
  • OpenShift 4.3+ / ROSA on AWS
  • Turbo SaaS offering

Pre-requisites

  1. Follow the instructions provided by EKS, or OpenShift / ROSA on AWS, to make sure your cluster has the configuration required for the Web Identity provider method, using the AWS admission webhook and an OIDC provider.
    • See IAM Roles – Additional Resources below for your platform provider’s link.
    • Follow instructions from AWS in the links below to set up your cluster's OIDC provider as an IAM Identity Provider (Web Identity Provider - OIDC URL) in the AWS Account that you will be targeting.
  2. Configure a Kubernetes service account in the Turbonomic namespace that will be able to assume an IAM Role.
    • Note that unless specified in the Turbonomic CR, the service account that the AWS Mediation Pod will run with is "default".
    • Best practice is to set up a separate SA for the AWS Mediation Pods to use. See Turbonomic Deployment Configuration for an example of specifying a specific service account.
  3. Configure the IAM Role in AWS
    • Turbonomic AWS IAM Role requirements, including cross-account access if required, are described here. The role's trust policy must allow the sts:AssumeRoleWithWebIdentity action.
    • Using the Web identity provider set up, and the service account you will use, update the Trust Relationships in the IAM Role. Additional instructions here.
    • The IAM Role that Turbonomic uses to target your AWS Account requires the following policies:
        • AmazonRDSReadOnlyAccess
        • AmazonEC2ReadOnlyAccess
        • AmazonS3ReadOnlyAccess
        • AWSOrganizationsReadOnlyAccess
  4. Annotate the Service Account you will use with the IAM Role. See this article for an example:
apiVersion: v1
kind: ServiceAccount
metadata:
  # use the name of the SA that will carry the annotation
  name: default
  # the Turbonomic namespace; without it the manifest lands in the current context's namespace
  namespace: <TURBONOMIC_NAMESPACE>
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>

Turbonomic Deployment Configuration

For the Kubernetes Service Account that will assume the role, you have two options:

  • Use the Turbonomic default service account that the AWS Mediation pods already run with.
    • NOTE: the AWS Mediation pods run with the service account called "default" in the namespace. If you annotate that "default" account, there is nothing more to do except restart the AWS mediation pods.
  • Follow AWS best practice and manually create a separate service account that is used only by the AWS Mediation Pods.
    • You will need to supply this SA to the Turbonomic deployment via the CR.

If you created a separate service account, modify the custom resource YAML to assign this SA to each of the AWS mediation components. See the example below:

spec:
  mediation-aws:
    env:
    - name: AWS_REGION
      value: US_EAST_1
    serviceAccountName: t8c-iam-role
  mediation-awsbilling:
    env:
    - name: AWS_REGION
      value: US_EAST_1
    serviceAccountName: t8c-iam-role
  mediation-awscloudbilling:
    env:
    - name: AWS_REGION
      value: US_EAST_1
    serviceAccountName: t8c-iam-role
  mediation-awscost:
    env:
    - name: AWS_REGION
      value: US_EAST_1
    serviceAccountName: t8c-iam-role

Apply the updated custom resource and confirm that all four mediation pods have restarted.
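The steps above leave three artifacts that must agree with each other: the IAM Role's trust policy, the annotated Service Account, and the serviceAccountName on each mediation-aws* section of the CR. The following script is an added example (not Turbonomic code and not from this wiki) that cross-checks them as already-parsed dicts, so it runs without a YAML library. It assumes the EKS shape of the OIDC issuer (host and path without scheme) and the EKS default audience sts.amazonaws.com; OpenShift clusters may use a different audience, which is why it is a parameter. The account id, issuer id and role name in the sample data are constructed placeholders; t8c-iam-role is the SA name used in the CR above.

```python
"""Audit the IRSA wiring this page describes.

Added example, not Turbonomic code. The trust policy, annotated ServiceAccount
and CR mediation-aws* sections are taken as already-parsed dicts.
All sample values below are constructed placeholders.
"""
import re

# The four CR sections the page configures with serviceAccountName.
MEDIATION_COMPONENTS = ("mediation-aws", "mediation-awsbilling",
                        "mediation-awscloudbilling", "mediation-awscost")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
ANNOTATION = "eks.amazonaws.com/role-arn"
ACTION = "sts:AssumeRoleWithWebIdentity"


def trust_policy_for(account_id, issuer, namespace, sa_name, audience="sts.amazonaws.com"):
    """Minimal trust policy pinned to exactly one service account.

    issuer is the cluster's OIDC issuer without the scheme (EKS shape assumed);
    audience is the EKS default, OpenShift clusters may use another value."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
            "Action": ACTION,
            "Condition": {"StringEquals": {
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
                f"{issuer}:aud": audience,
            }},
        }],
    }


def check_trust_policy(policy, account_id, issuer, namespace, sa_name, audience="sts.amazonaws.com"):
    """Findings for every Allow statement that grants the web-identity action."""
    findings, seen = [], False
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    provider = f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or ACTION not in actions:
            continue
        seen = True
        if stmt.get("Principal", {}).get("Federated") != provider:
            findings.append(f"Federated principal is not {provider}")
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        sub_key, aud_key = f"{issuer}:sub", f"{issuer}:aud"
        if equals.get(sub_key) != expected_sub:
            if sub_key in like:
                findings.append(f"sub uses StringLike {like[sub_key]!r}; pin it to {expected_sub!r}")
            else:
                findings.append("sub condition missing: any pod in the cluster could assume the role")
        if equals.get(aud_key) != audience:
            findings.append(f"aud condition missing or not {audience!r}")
    if not seen:
        findings.append(f"no Allow statement for {ACTION}")
    return findings


def check_wiring(trust_policy, service_account, cr_spec, issuer, audience="sts.amazonaws.com"):
    """Cross-check the SA annotation, the CR's serviceAccountName values and the trust policy."""
    meta = service_account.get("metadata", {})
    sa_name, namespace = meta.get("name", "default"), meta.get("namespace", "")
    match = ROLE_ARN_RE.match(meta.get("annotations", {}).get(ANNOTATION, ""))
    if not match:
        return [f"ServiceAccount {sa_name!r} lacks a valid {ANNOTATION} annotation"]
    findings = []
    for comp in MEDIATION_COMPONENTS:
        # A section without serviceAccountName makes that pod run as "default".
        actual = cr_spec.get(comp, {}).get("serviceAccountName", "default")
        if actual != sa_name:
            findings.append(f"{comp} runs as {actual!r}, not the annotated SA {sa_name!r}")
    return findings + check_trust_policy(trust_policy, match.group(1), issuer, namespace, sa_name, audience)


# Constructed sample artifacts: placeholder account id, issuer id and role name.
SAMPLE_ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
SAMPLE_SERVICE_ACCOUNT = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "t8c-iam-role", "namespace": "turbonomic",
                 "annotations": {ANNOTATION: "arn:aws:iam::111122223333:role/TurboReadOnly"}},
}
SAMPLE_CR_SPEC = {c: {"serviceAccountName": "t8c-iam-role"} for c in MEDIATION_COMPONENTS}
SAMPLE_TRUST_POLICY = trust_policy_for("111122223333", SAMPLE_ISSUER, "turbonomic", "t8c-iam-role")
# The same policy with the sub claim wildcarded across the namespace: a common IRSA slip.
LOOSE_TRUST_POLICY = trust_policy_for("111122223333", SAMPLE_ISSUER, "turbonomic", "t8c-iam-role")
LOOSE_TRUST_POLICY["Statement"][0]["Condition"] = {
    "StringEquals": {f"{SAMPLE_ISSUER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{SAMPLE_ISSUER}:sub": "system:serviceaccount:turbonomic:*"},
}

if __name__ == "__main__":
    for label, policy in (("pinned", SAMPLE_TRUST_POLICY), ("loose", LOOSE_TRUST_POLICY)):
        print(label, "->", check_wiring(policy, SAMPLE_SERVICE_ACCOUNT, SAMPLE_CR_SPEC, SAMPLE_ISSUER) or "OK")
```

To use it against a real cluster, feed it the output of `aws iam get-role` (the AssumeRolePolicyDocument), `kubectl get sa -o json`, and the CR's spec after parsing them into dicts. An empty findings list means the role can only be assumed by the one annotated service account, and every mediation component actually runs as that account; the wildcard case shows why the sub condition should be an exact StringEquals match rather than a namespace-wide StringLike.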

To complete the Turbonomic AWS Account Target setup, go to the Turbonomic UI to configure the AWS Account Targets using an IAM Role. For more information refer to online documentation here.

IAM Roles – Additional Resources