Create an IAM role and AWS Secret
You can configure Kubernetes pods to access AWS resources by authenticating as an AWS IAM role instead of by providing explicit AWS credentials.
To authenticate using an AWS IAM role, you must have a Kubernetes cluster deployed using EKS.
Create AWS Secrets Manager secret
Since Trident issues ONTAP API calls against the FSx for ONTAP SVM (vserver) to manage storage for you, it needs credentials for that SVM. The secure way to pass those credentials is through an AWS Secrets Manager secret, so if you don't already have one, create a secret that contains the credentials of the SVM's vsadmin account.
This example creates an AWS Secrets Manager secret to store Trident CSI credentials:
aws secretsmanager create-secret --name trident-secret --description "Trident CSI credentials" \
--secret-string "{\"username\":\"vsadmin\",\"password\":\"<svmpassword>\"}"
Create IAM Policy
Trident also needs AWS permissions to run correctly. Therefore, you need to create a policy that gives Trident the permissions it needs.
The following example creates an IAM policy using the AWS CLI:
aws iam create-policy --policy-name AmazonFSxNCSIDriverPolicy --policy-document file://policy.json \
--description "This policy grants access to Trident CSI to FSxN and Secrets manager"
Policy JSON example. The first statement grants the FSx actions Trident uses on every FSx resource in the account (Resource "*"); the second grants read access to a single secret only. The trailing * after the secret name is required because Secrets Manager appends a random suffix to every secret ARN:
{
    "Statement": [
        {
            "Action": [
                "fsx:DescribeFileSystems",
                "fsx:DescribeVolumes",
                "fsx:CreateVolume",
                "fsx:RestoreVolumeFromSnapshot",
                "fsx:DescribeStorageVirtualMachines",
                "fsx:UntagResource",
                "fsx:UpdateVolume",
                "fsx:TagResource",
                "fsx:DeleteVolume"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "secretsmanager:GetSecretValue",
            "Effect": "Allow",
            "Resource": "arn:aws:secretsmanager:<aws-region>:<aws-account-id>:secret:<aws-secret-manager-name>*"
        }
    ],
    "Version": "2012-10-17"
}
Create an IAM role for the service account
Once you have the policy created, use it when creating the role that will be assigned to the service account that Trident will run under:
aws iam create-role --role-name AmazonEKS_FSxN_CSI_DriverRole \
--assume-role-policy-document file://trust-relationship.json
trust-relationship.json file:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<account_id>:oidc-provider/<oidc_provider>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "<oidc_provider>:aud": "sts.amazonaws.com",
                    "<oidc_provider>:sub": "system:serviceaccount:trident:trident-controller"
                }
            }
        }
    ]
}
Update the following values in the trust-relationship.json file:
- <account_id> - Your AWS account ID
- <oidc_provider> - The OIDC provider of your EKS cluster, which is the cluster's OIDC issuer URL without the https:// prefix. You can obtain the oidc_provider by running:
aws eks describe-cluster --name my-cluster --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///"
Attach the IAM policy to the IAM role:
Once the role has been created, attach the policy (created in the step above) to the role using this command:
aws iam attach-role-policy --role-name AmazonEKS_FSxN_CSI_DriverRole --policy-arn <IAM policy ARN>
Verify the OIDC provider is associated:
Verify that your cluster's OIDC provider is registered in IAM. In the following command, $oidc_id is the ID at the end of the cluster's OIDC issuer URL (the last path segment of the issuer URL returned by aws eks describe-cluster):
aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4
If the output is empty, use the following command to associate IAM OIDC to your cluster:
eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approve
Alternatively, eksctl can create the role, its trust policy and the policy attachment in one step. The following example creates an IAM role for the Trident service account in EKS (--role-only creates the IAM role without creating or annotating the Kubernetes service account):
eksctl create iamserviceaccount --name trident-controller --namespace trident \
--cluster <my-cluster> --role-name AmazonEKS_FSxN_CSI_DriverRole --role-only \
--attach-policy-arn <IAM-Policy ARN> --approve
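As an added example (not code from the Trident documentation or project), the following POSIX shell script carries the procedure above end to end: it derives <oidc_provider> and $oidc_id from the cluster's OIDC issuer URL, renders trust-relationship.json and policy.json from the account ID, region and secret name, checks that the trust policy's sub condition names the trident/trident-controller service account, and only when run with APPLY=1 issues the same aws and eksctl calls as the steps above. The function names, the placeholder account ID, the constructed issuer URL and the APPLY switch are assumptions of this example; the secret itself is still created with the create-secret command at the top of the page.

```shell
#!/bin/sh
# Added example, not from the Trident documentation: renders the policy and
# trust documents from the steps above, checks them, and only when APPLY=1
# runs the same AWS CLI calls. Names and IDs below are placeholders.

# <oidc_provider> is the cluster's OIDC issuer URL without the https://
# scheme (the same transformation as the sed in the procedure).
oidc_provider_from_issuer() {
    printf '%s\n' "$1" | sed -e 's/^https:\/\///'
}

# $oidc_id, the value grepped out of list-open-id-connect-providers, is the
# last path segment of the issuer URL.
oidc_id_from_issuer() {
    printf '%s\n' "$1" | awk -F/ '{print $NF}'
}

# Trust policy: tokens issued by this cluster's provider, for the
# sts.amazonaws.com audience, for exactly one Kubernetes service account.
render_trust_policy() {
    account_id=$1; oidc_provider=$2; namespace=$3; sa=$4
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": { "StringEquals": {
      "${oidc_provider}:aud": "sts.amazonaws.com",
      "${oidc_provider}:sub": "system:serviceaccount:${namespace}:${sa}"
    } }
  }]
}
EOF
}

# Permissions policy: the FSx actions from the procedure plus GetSecretValue
# on one secret. Secrets Manager appends a random suffix to secret ARNs, so
# the resource ends in '*' after the secret name.
render_permissions_policy() {
    region=$1; account_id=$2; secret_name=$3
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Resource": "*",
      "Action": [ "fsx:DescribeFileSystems", "fsx:DescribeVolumes", "fsx:CreateVolume",
                  "fsx:RestoreVolumeFromSnapshot", "fsx:DescribeStorageVirtualMachines",
                  "fsx:UntagResource", "fsx:UpdateVolume", "fsx:TagResource", "fsx:DeleteVolume" ] },
    { "Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:${region}:${account_id}:secret:${secret_name}*" }
  ]
}
EOF
}

# Pre-flight check: the sub condition must name the namespace and service
# account the Trident controller actually runs as, otherwise
# AssumeRoleWithWebIdentity is denied.
trust_policy_allows_sa() {
    grep -q "\"system:serviceaccount:$2:$3\"" "$1"
}

# Placeholder inputs (constructed); override them via the environment.
ACCOUNT_ID=${ACCOUNT_ID:-111122223333}; REGION=${REGION:-us-east-1}
CLUSTER=${CLUSTER:-my-cluster}; SECRET_NAME=${SECRET_NAME:-trident-secret}
ROLE_NAME=${ROLE_NAME:-AmazonEKS_FSxN_CSI_DriverRole}; POLICY_NAME=${POLICY_NAME:-AmazonFSxNCSIDriverPolicy}

if [ "${APPLY:-0}" = "1" ]; then
    issuer=$(aws eks describe-cluster --name "$CLUSTER" \
        --query "cluster.identity.oidc.issuer" --output text)
else
    # Offline run: a constructed issuer URL in the shape EKS returns.
    issuer="https://oidc.eks.${REGION}.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
fi
provider=$(oidc_provider_from_issuer "$issuer")
workdir=$(mktemp -d)
render_trust_policy "$ACCOUNT_ID" "$provider" trident trident-controller \
    > "$workdir/trust-relationship.json"
render_permissions_policy "$REGION" "$ACCOUNT_ID" "$SECRET_NAME" > "$workdir/policy.json"
trust_policy_allows_sa "$workdir/trust-relationship.json" trident trident-controller \
    || { echo "trust policy does not name trident/trident-controller" >&2; exit 1; }

if [ "${APPLY:-0}" = "1" ]; then
    # Same calls as the procedure, in order: provider, policy, role, attachment.
    aws iam list-open-id-connect-providers | grep -q "$(oidc_id_from_issuer "$issuer")" \
        || eksctl utils associate-iam-oidc-provider --cluster "$CLUSTER" --approve
    policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
        --policy-document "file://$workdir/policy.json" --query Policy.Arn --output text)
    aws iam create-role --role-name "$ROLE_NAME" \
        --assume-role-policy-document "file://$workdir/trust-relationship.json"
    aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
else
    echo "Rendered policy.json and trust-relationship.json in $workdir (set APPLY=1 to create the IAM objects)"
fi
```

Run it with no variables set to render and check the two documents offline; set ACCOUNT_ID, REGION, CLUSTER, SECRET_NAME and APPLY=1 with working AWS credentials to create the provider association, policy, role and attachment. The pre-flight check exists because a sub value that does not match the namespace and service-account name Trident's controller runs under is the most common reason the pod later fails to assume the role; catching it before create-role avoids an IAM object that has to be deleted and recreated.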