
Configure AWS access using GCP ServiceAccount (GKE)

Step 1: Enable Workload Identity (skip if already enabled)

You can enable Workload Identity on an existing Standard cluster by using the gcloud CLI or the Google Cloud console. Existing node pools are unaffected, but any new node pools in the cluster use Workload Identity.
gcloud container clusters update CLUSTER_NAME \
--region=COMPUTE_REGION \
--workload-pool=PROJECT_ID.svc.id.goog
Note You can check whether Workload Identity is already enabled by running gcloud container clusters describe CLUSTER_NAME --region=COMPUTE_REGION --format="value(workloadIdentityConfig)". An empty value means it is not enabled.
Replace the following:
  • CLUSTER_NAME: the name of your existing GKE cluster.
  • COMPUTE_REGION: the Compute Engine region of your cluster. For zonal clusters, use --zone=COMPUTE_ZONE.
  • PROJECT_ID: your Google Cloud project ID.

Step 2: Create a service account and bind it with a k8s service account

Step 2.1: Create the c8-backend service account and bind it with the k8s service account
Important Replace the PROJECT_ID with the project ID of the Google Cloud project of your IAM service account.
Create GCP SA which will be bound to K8s SA
gcloud iam service-accounts create c8-backend \
--project=PROJECT_ID
Bind the IAM roles the GCP SA needs. Note that roles/viewer grants read access to every resource in the project; the AWS federation below does not depend on it, so scope it down if your environment allows.
gcloud projects add-iam-policy-binding PROJECT_ID \
--member "serviceAccount:c8-backend@PROJECT_ID.iam.gserviceaccount.com" \
--role "roles/viewer"
Create K8s SA for workload identity in the c8 namespace
kubectl -n c8 create sa c8-backend
Bind K8s SA with GCP SA
gcloud iam service-accounts add-iam-policy-binding c8-backend@PROJECT_ID.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:PROJECT_ID.svc.id.goog[c8/c8-backend]"
Annotate K8s SA
kubectl -n c8 annotate serviceaccount c8-backend iam.gke.io/gcp-service-account=c8-backend@PROJECT_ID.iam.gserviceaccount.com
Get the service account's numeric unique ID (used in Step 3 as gcp_sa_backend_client_id in the AWS IAM role trust policy).
gcloud iam service-accounts describe --format json c8-backend@PROJECT_ID.iam.gserviceaccount.com | jq -r '.uniqueId'
Step 2.2: Create the c8-djw service account and bind it with the k8s service account
Important Replace the PROJECT_ID with the project ID of the Google Cloud project of your IAM service account.
Create GCP SA which will be bound to K8s SA
gcloud iam service-accounts create c8-djw \
--project=PROJECT_ID
Bind the IAM roles the GCP SA needs (the same remark about roles/viewer as in Step 2.1 applies).
gcloud projects add-iam-policy-binding PROJECT_ID \
--member "serviceAccount:c8-djw@PROJECT_ID.iam.gserviceaccount.com" \
--role "roles/viewer"
Create K8s SA for workload identity in the c8 namespace
kubectl -n c8 create sa c8-djw
Bind K8s SA with GCP SA
gcloud iam service-accounts add-iam-policy-binding c8-djw@PROJECT_ID.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:PROJECT_ID.svc.id.goog[c8/c8-djw]"
Annotate K8s SA
kubectl -n c8 annotate serviceaccount c8-djw iam.gke.io/gcp-service-account=c8-djw@PROJECT_ID.iam.gserviceaccount.com
Get the service account's numeric unique ID (used in Step 3 as gcp_sa_djw_client_id in the AWS IAM role trust policy).
gcloud iam service-accounts describe --format json c8-djw@PROJECT_ID.iam.gserviceaccount.com | jq -r '.uniqueId'

Step 3: Create AWS IAM Role (will be assumed by the c8-backend and c8-djw service accounts to discover resources)

Step 3.1: Download IAM Policy

Download the IAM policy that grants the read permissions discovery needs across AWS resources. Review the downloaded document before creating it in your account:
curl -o sh-c8-discovery-policy.json https://configure8-resources.s3.us-east-2.amazonaws.com/iam/sh-c8-discovery-policy.json

Step 3.2: Create IAM Policy

Create the IAM policy:
aws iam create-policy --policy-name sh-c8-discovery-policy --policy-document file://sh-c8-discovery-policy.json

Step 3.3: Create IAM Role

Create an IAM role that can be assumed by the c8-backend and c8-djw service accounts. The trust policy restricts each statement with an accounts.google.com:aud condition; without that condition a role that trusts the accounts.google.com federated principal could be assumed with a token from any Google identity, so keep the conditions in place.
Important To get the gcp_sa_backend_client_id value see Step 2.1, and for gcp_sa_djw_client_id see Step 2.2.
Name                        Description
$account_id                 The AWS account ID in which the role and policy are created (the account you want to run discovery against)
$gcp_sa_backend_client_id   The unique client ID of the c8-backend GCP IAM service account (Step 2.1)
$gcp_sa_djw_client_id       The unique client ID of the c8-djw GCP IAM service account (Step 2.2)
# Generate a JSON file for the trust relationship.
# gcp_sa_backend_client_id and gcp_sa_djw_client_id must be set in the shell
# before running this: the unquoted EOF delimiter expands them into the file.
cat >trust-relationship.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RoleForGoogleBackend",
      "Effect": "Allow",
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "accounts.google.com:aud": "${gcp_sa_backend_client_id}"
        }
      }
    },
    {
      "Sid": "RoleForGoogleDjw",
      "Effect": "Allow",
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "accounts.google.com:aud": "${gcp_sa_djw_client_id}"
        }
      }
    }
  ]
}
EOF

Create an IAM role with a defined trust relationship and description

aws iam create-role --role-name sh-c8-discovery --assume-role-policy-document file://trust-relationship.json --description "sh-c8-discovery"

Attach the sh-c8-discovery-policy to the sh-c8-discovery role ($account_id must be set in the shell)

aws iam attach-role-policy --role-name sh-c8-discovery --policy-arn arn:aws:iam::$account_id:policy/sh-c8-discovery-policy
Note If you want to discover more AWS accounts, repeat Step 3 in each additional account.
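The trust policy above is written by hand for two service accounts. The following Python script is an added example, not part of the configure8 documentation or product: it generates the same trust policy for any number of GCP service accounts and lints it before you hand it to aws iam create-role, flagging the two mistakes that matter most for this setup (a statement that trusts accounts.google.com with no accounts.google.com:aud condition, and an aud value that is the service account e-mail instead of the numeric unique ID). The unique IDs in the sample are constructed and the output file name is an assumption.

```python
"""Generate and lint the AWS IAM trust policy for Google-federated GCP service accounts.

Added example; not code from the configure8 documentation. The unique IDs used
below are constructed for illustration, not real service accounts.
"""
import json

GOOGLE_FEDERATED_PRINCIPAL = "accounts.google.com"
AUD_CONDITION_KEY = "accounts.google.com:aud"
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"


def build_trust_policy(client_ids):
    """client_ids maps a statement Sid to a GCP SA unique ID (as printed by
    `gcloud iam service-accounts describe ... | jq -r .uniqueId`).
    Returns the trust policy as a dict, one statement per service account."""
    statements = []
    for sid, client_id in client_ids.items():
        statements.append({
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"Federated": GOOGLE_FEDERATED_PRINCIPAL},
            "Action": ASSUME_ACTION,
            # The aud condition is what pins the role to this one GCP SA.
            "Condition": {"StringEquals": {AUD_CONDITION_KEY: str(client_id)}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy):
    """Return a list of human-readable findings; an empty list means the
    Google-federation statements are scoped the way Step 3 expects."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            findings.append(f"{sid}: wildcard principal, anyone could assume this role")
            continue
        if not isinstance(principal, dict) or principal.get("Federated") != GOOGLE_FEDERATED_PRINCIPAL:
            continue  # not a Google federation statement; out of scope here
        actions = _as_list(stmt.get("Action", []))
        if actions != [ASSUME_ACTION]:
            findings.append(f"{sid}: expected only {ASSUME_ACTION}, got {actions}")
        aud_values = stmt.get("Condition", {}).get("StringEquals", {}).get(AUD_CONDITION_KEY)
        if not aud_values:
            findings.append(f"{sid}: trusts every Google identity (no {AUD_CONDITION_KEY} condition)")
            continue
        for aud in _as_list(aud_values):
            # GCP SA unique IDs are numeric strings; an e-mail here is a common mistake.
            if not (isinstance(aud, str) and aud.isdigit()):
                findings.append(f"{sid}: {AUD_CONDITION_KEY} must be the numeric unique ID, got {aud!r}")
    return findings


# Constructed sample IDs, standing in for the jq output of Steps 2.1 and 2.2.
SAMPLE_CLIENT_IDS = {
    "RoleForGoogleBackend": "101234567890123456789",
    "RoleForGoogleDjw": "109876543210987654321",
}


def write_trust_policy(path="trust-relationship.json", client_ids=SAMPLE_CLIENT_IDS):
    """Write the policy to disk only if it passes the lint; return the findings."""
    policy = build_trust_policy(client_ids)
    findings = lint_trust_policy(policy)
    if not findings:
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(policy, fh, indent=2)
    return findings


if __name__ == "__main__":
    problems = write_trust_policy()
    print("\n".join(problems) if problems else "trust-relationship.json written")
```

Run it in place of the heredoc, then continue with aws iam create-role --assume-role-policy-document file://trust-relationship.json as in Step 3.3; the lint is also worth running on an existing role's AssumeRolePolicyDocument (aws iam get-role) when auditing accounts set up earlier.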
Copyright © 2023 configure8, Inc. All rights reserved.