Create an IAM role and AWS Secret
You can configure Kubernetes pods to access AWS resources by authenticating as an AWS IAM role instead of by providing explicit AWS credentials.
To authenticate using an AWS IAM role, you must have a Kubernetes cluster deployed using EKS. |
Create AWS Secret Manager secret
This example creates an AWS Secret Manager secret to store Trident CSI credentials:
aws secretsmanager create-secret --name trident-secret --description "Trident CSI credentials" --secret-string "{"user":"vsadmin","password":"<svmpassword>"}"
Create IAM Policy
The following examples creates an IAM policy using the AWS CLI:
aws iam create-policy --policy-name AmazonFSxNCSIDriverPolicy --policy-document file://policy.json --description "This policy grants access to Trident CSI to FSxN and Secret manager"
Policy JSON file:
policy.json: { "Statement": [ { "Action": [ "fsx:DescribeFileSystems", "fsx:DescribeVolumes", "fsx:CreateVolume", "fsx:RestoreVolumeFromSnapshot", "fsx:DescribeStorageVirtualMachines", "fsx:UntagResource", "fsx:UpdateVolume", "fsx:TagResource", "fsx:DeleteVolume" ], "Effect": "Allow", "Resource": "*" }, { "Action": "secretsmanager:GetSecretValue", "Effect": "Allow", "Resource": "arn:aws:secretsmanager:<aws-region>:<aws-account-id>:secret:<aws-secret-manager-name>" } ], "Version": "2012-10-17" }
Create and IAM role for the service account
The following example creates an IAM role for service account in EKS:
eksctl create iamserviceaccount --name trident-controller --namespace trident --cluster <my-cluster> --role-name <AmazonEKS_FSxN_CSI_DriverRole> --role-only --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonFSxNCSIDriverPolicy --approve