Configure AWS access for the discovery job using service account (AWS EKS)

This method outlines how to configure AWS access for discovery jobs using a service account, specifically within AWS EKS (Elastic Kubernetes Service). It involves setting up a dedicated service account in Kubernetes that is linked to an IAM role, providing the necessary permissions for discovery tasks within the AWS environment. This setup ensures secure and efficient access management, tailored for discovery operations in Kubernetes-managed AWS services.

Step 1: Create IAM Role for C8 and DJM Service Accounts

Step 1.1: Create IAM Policy

Replace the placeholders with your specific values:

placeholders description:

NameDescription

$AWS_EKS_CLUSTER_NAME

The name of the AWS EKS cluster to which we will deploy the application

$AWS_EKS_CLUSTER_REGION

The AWS Region of the AWS EKS cluster to which we will deploy the application

$APP_NAMESPACE

The Kubernetes namespace of the AWS EKS cluster to which we will deploy the application

account_id=$(aws sts get-caller-identity --query "Account" --output text)
oidc_provider=$(aws eks describe-cluster --name $AWS_EKS_CLUSTER_NAME --region $AWS_EKS_CLUSTER_REGION --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
namespace=$APP_NAMESPACE
service_account_c8_app=c8-backend
service_account_c8_djw=c8-djw

Step 1.2: Create Trust Relationship for IAM Role

Create a trust relationship for the IAM role:

# Generate a JSON file for the trust relationship
cat >trust-relationship-sa.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${oidc_provider}:aud": "sts.amazonaws.com",
          "${oidc_provider}:sub": [
            "system:serviceaccount:${namespace}:${service_account_c8_app}",
            "system:serviceaccount:${namespace}:${service_account_c8_djw}"
          ]
        }
      }
    }
  ]
}
EOF

Step 1.3: Create IAM Role

# Create an IAM role with a defined trust relationship and description
aws iam create-role --role-name sh-c8-service-account --assume-role-policy-document file://trust-relationship-sa.json --description "The role for the Configure8 pods service account"

Step 2: Create IAM Role to Assume by C8 and DJM Service Accounts

Step 2.1: Download IAM Policy

Download the IAM policy that grants read permissions to all AWS resources:

curl -o sh-c8-discovery-policy.json https://configure8-resources.s3.us-east-2.amazonaws.com/iam/sh-c8-discovery-policy.json

Step 2.2: Create IAM Policy

Create the IAM policy:

aws iam create-policy --policy-name sh-c8-discovery-policy --policy-document file://sh-c8-discovery-policy.json

Step 2.3: Create IAM Role

Create an IAM role that can be assumed by the C8 and DJM service accounts:

# Generate a JSON file for the trust relationship
cat >trust-relationship.json <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${account_id}:role/sh-c8-service-account"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
EOF

Create an IAM role with a defined trust relationship and description

aws iam create-role --role-name sh-c8-discovery --assume-role-policy-document file://trust-relationship.json --description "sh-c8-discovery"

Attach the sh-c8-discovery-policy policy to the sh-c8-discovery role

aws iam attach-role-policy --role-name sh-c8-discovery --policy-arn=arn:aws:iam::$account_id:policy/sh-c8-discovery-policy

Annotate the Kubernetes Service Accounts

Annotate the Kubernetes Service Account, which can be achieved by adding an annotation to the c8-backend and c8-djw service account during the Helm installation command(or by using the BACKEND_SA_ANNOTATION and DJW_SA_ANNOTATION variable with the installation helper script).

kubectl -n c8 annotate serviceaccount c8-backend eks.amazonaws.com/role-arn=arn:aws:iam::${account_id}:role/sh-c8-service-account
kubectl -n c8 annotate serviceaccount c8-djw eks.amazonaws.com/role-arn=arn:aws:iam::${account_id}:role/sh-c8-service-account

Note If you want to discover more AWS accounts, please repeat the 2nd step for each account.

PreviousSelf-Hosting configure8NextConfigure AWS access using IAM role for EC2

Last updated

Copyright © 2023 configure8, Inc. All rights reserved.