Configure AWS access for the discovery job using service account (AWS EKS)
This page describes how to give discovery jobs access to AWS from a Kubernetes service account in AWS EKS (Elastic Kubernetes Service), using IAM roles for service accounts (IRSA). A dedicated Kubernetes service account is linked to an IAM role whose trust policy only accepts tokens issued by the cluster's OIDC provider for that service account; that role in turn assumes a read-only discovery role in each AWS account to be discovered. No long-lived AWS access keys are stored in the cluster, and the permissions are scoped to the discovery job.
Step 1: Create IAM Role for C8 and DJM Service Accounts
Step 1.1: Create IAM Policy
Replace the placeholders with your specific values:

Placeholder - Description
$AWS_EKS_CLUSTER_NAME - The name of the AWS EKS cluster to which the application will be deployed
$AWS_EKS_CLUSTER_REGION - The AWS Region of the AWS EKS cluster to which the application will be deployed
$APP_NAMESPACE - The Kubernetes namespace in the AWS EKS cluster to which the application will be deployed
Step 1.2: Create Trust Relationship for IAM Role
Create a trust relationship for the IAM role:
Step 1.3: Create IAM Role
Step 2: Create IAM Role to Be Assumed by the C8 and DJM Service Accounts
Step 2.1: Download IAM Policy
Download the IAM policy that grants read-only permissions on the AWS resources the discovery job inventories:
Step 2.2: Create IAM Policy
Create the IAM policy:
Step 2.3: Create IAM Role
Create an IAM role that can be assumed by the C8 and DJM service accounts. Its trust relationship should name the IAM role from Step 1 as the only principal, so that nothing else in the cluster account can assume it:
Create an IAM role with a defined trust relationship and description
Attach the sh-c8-discovery-policy policy to the sh-c8-discovery role
Annotate the Kubernetes Service Accounts
Annotate the c8-backend and c8-djw Kubernetes service accounts with the eks.amazonaws.com/role-arn annotation pointing at the ARN of the IAM role created in Step 1. The annotation is set during the Helm installation command (or by passing the BACKEND_SA_ANNOTATION and DJW_SA_ANNOTATION variables to the installation helper script). Once the pods restart, the EKS pod identity webhook injects the OIDC token and role ARN into the containers, and the AWS SDK exchanges them for credentials automatically.
Note: To discover additional AWS accounts, repeat Step 2 in each of those accounts. Cross-account AssumeRole needs both sides: the sh-c8-discovery role in the target account must trust the Step 1 role, and the permission policy from Step 1.1 must allow sts:AssumeRole on the sh-c8-discovery role in each target account.
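The whole procedure above as one reproducible POSIX shell script, added here as an example and not the vendor's own installation script. Names taken from this page: the sh-c8-discovery role, the sh-c8-discovery-policy policy, the c8-backend and c8-djw service accounts, and the BACKEND_SA_ANNOTATION / DJW_SA_ANNOTATION variables. Everything else is an assumption for illustration: the role bound to the service accounts is called sh-c8-irsa with a policy sh-c8-irsa-policy, the policy downloaded in Step 2.1 is saved locally as sh-c8-discovery-policy.json, and AWS_TARGET_ACCOUNT_ID / AWS_TARGET_PROFILE identify the account to be discovered (defaulting to the cluster's own account). Run without arguments it only prints the policy documents with constructed example IDs; run with --apply it executes the aws CLI calls.

```shell
#!/bin/sh
# Added example, not the vendor's script. Assumed (not on the page): role
# sh-c8-irsa / policy sh-c8-irsa-policy for the service accounts, the step 2.1
# download saved as sh-c8-discovery-policy.json, AWS_TARGET_* for the target.
set -eu

AWS_EKS_CLUSTER_NAME="${AWS_EKS_CLUSTER_NAME:-my-eks-cluster}"
AWS_EKS_CLUSTER_REGION="${AWS_EKS_CLUSTER_REGION:-us-east-1}"
APP_NAMESPACE="${APP_NAMESPACE:-c8}"
SA_ROLE_NAME="${SA_ROLE_NAME:-sh-c8-irsa}"             # assumed name
SA_POLICY_NAME="${SA_POLICY_NAME:-sh-c8-irsa-policy}"  # assumed name
DISCOVERY_ROLE_NAME="sh-c8-discovery"                  # from the page
DISCOVERY_POLICY_NAME="sh-c8-discovery-policy"         # from the page

# Step 1.2: the sub condition pins the role to exactly these two service
# accounts in APP_NAMESPACE (without it any pod in the cluster could assume
# it); the aud condition rejects tokens minted for another audience.
irsa_trust_policy() {
  account_id="$1"; oidc_provider="$2"; namespace="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": { "StringEquals": {
      "${oidc_provider}:aud": "sts.amazonaws.com",
      "${oidc_provider}:sub": [
        "system:serviceaccount:${namespace}:c8-backend",
        "system:serviceaccount:${namespace}:c8-djw"
      ]
    } }
  }]
}
EOF
}

# Step 1.1: the pod identity holds no read permissions of its own, only the
# right to assume sh-c8-discovery in the target account ($1).
irsa_permissions_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::$1:role/${DISCOVERY_ROLE_NAME}"
  }]
}
EOF
}

# Step 2.3: only the service-account role ARN ($1), not the whole cluster
# account, may assume the discovery role.
discovery_trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{ "Effect": "Allow", "Principal": { "AWS": "$1" }, "Action": "sts:AssumeRole" }]
}
EOF
}

# Value for BACKEND_SA_ANNOTATION and DJW_SA_ANNOTATION ($1 = cluster account).
sa_annotation() {
  printf 'eks.amazonaws.com/role-arn=arn:aws:iam::%s:role/%s' "$1" "$SA_ROLE_NAME"
}

apply() {
  cluster_account="$(aws sts get-caller-identity --query Account --output text)"
  oidc_provider="$(aws eks describe-cluster --name "$AWS_EKS_CLUSTER_NAME" \
    --region "$AWS_EKS_CLUSTER_REGION" --query cluster.identity.oidc.issuer \
    --output text | sed 's#^https://##')"
  target_account="${AWS_TARGET_ACCOUNT_ID:-$cluster_account}"
  target_profile="${AWS_TARGET_PROFILE:+--profile $AWS_TARGET_PROFILE}"
  # Step 1, in the cluster's account
  aws iam create-policy --policy-name "$SA_POLICY_NAME" \
    --policy-document "$(irsa_permissions_policy "$target_account")"
  aws iam create-role --role-name "$SA_ROLE_NAME" --assume-role-policy-document \
    "$(irsa_trust_policy "$cluster_account" "$oidc_provider" "$APP_NAMESPACE")"
  aws iam attach-role-policy --role-name "$SA_ROLE_NAME" \
    --policy-arn "arn:aws:iam::${cluster_account}:policy/${SA_POLICY_NAME}"
  # Step 2, in the account to be discovered (repeat per account)
  aws $target_profile iam create-policy --policy-name "$DISCOVERY_POLICY_NAME" \
    --policy-document "file://sh-c8-discovery-policy.json"
  aws $target_profile iam create-role --role-name "$DISCOVERY_ROLE_NAME" \
    --description "Read-only discovery role for the C8 and DJM service accounts" \
    --assume-role-policy-document \
    "$(discovery_trust_policy "arn:aws:iam::${cluster_account}:role/${SA_ROLE_NAME}")"
  aws $target_profile iam attach-role-policy --role-name "$DISCOVERY_ROLE_NAME" \
    --policy-arn "arn:aws:iam::${target_account}:policy/${DISCOVERY_POLICY_NAME}"
  echo "BACKEND_SA_ANNOTATION=$(sa_annotation "$cluster_account")"
  echo "DJW_SA_ANNOTATION=$(sa_annotation "$cluster_account")"
}

if [ "${1:-}" = "--apply" ]; then apply; else
  # Dry run with constructed example IDs: print the documents, no AWS calls.
  irsa_trust_policy 111122223333 oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123 c8
  irsa_permissions_policy 444455556666
  discovery_trust_policy arn:aws:iam::111122223333:role/sh-c8-irsa
  sa_annotation 111122223333; echo
fi
```

A quick check after applying: `aws sts get-caller-identity` run from inside a c8-backend pod should report the sh-c8-irsa role, and `aws sts assume-role --role-arn arn:aws:iam::TARGET:role/sh-c8-discovery --role-session-name test` from that pod should succeed, while the same call from a pod using a different service account in the namespace must be refused by the sub condition.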