Release notes
Create an IAM role and AWS Secret
Suggest changes
PDFs
You can configure Kubernetes pods to access AWS resources by authenticating as an AWS IAM role instead of by providing explicit AWS credentials.
|
To authenticate using an AWS IAM role, you must have a Kubernetes cluster deployed using EKS. |
Create AWS Secret Manager secret
This example creates an AWS Secret Manager secret to store Trident CSI credentials:
aws secretsmanager create-secret --name trident-secret --description "Trident CSI credentials"\
--secret-string "{\"username\":\"vsadmin\",\"password\":\"<svmpassword>\"}"
Create IAM Policy
The following examples creates an IAM policy using the AWS CLI:
aws iam create-policy --policy-name AmazonFSxNCSIDriverPolicy --policy-document file://policy.json --description "This policy grants access to Trident CSI to FSxN and Secret manager"
Policy JSON example:
policy.json:
{
"Statement": [
{
"Action": [
"fsx:DescribeFileSystems",
"fsx:DescribeVolumes",
"fsx:CreateVolume",
"fsx:RestoreVolumeFromSnapshot",
"fsx:DescribeStorageVirtualMachines",
"fsx:UntagResource",
"fsx:UpdateVolume",
"fsx:TagResource",
"fsx:DeleteVolume"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "secretsmanager:GetSecretValue",
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:<aws-region>:<aws-account-id>:secret:<aws-secret-manager-name>*"
}
],
"Version": "2012-10-17"
}
To enable automatic backend configuration for Amazon FSx, add the following actions to the policy.json file while creating an IAM policy:
-
"fsx:CreateStorageVirtualMachine" -
"fsx:DescribeStorageVirtualMachines" -
"secretsmanager:CreateSecret" -
"secretsmanager:DeleteSecret" -
"secretsmanager:TagResource"
Policy JSON file example for automatic backend configuration:
policy.json:
{
"Statement": [
{
"Action": [
"fsx:CreateStorageVirtualMachine",
"fsx:DescribeFileSystems",
"fsx:DescribeStorageVirtualMachines",
"fsx:DescribeVolumes",
"fsx:CreateVolume",
"fsx:RestoreVolumeFromSnapshot",
"fsx:DescribeStorageVirtualMachines",
"fsx:UntagResource",
"fsx:UpdateVolume",
"fsx:TagResource",
"fsx:DeleteVolume"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:CreateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:TagResource"
],
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:<aws-region>:<aws-account-id>:secret:*"
}
],
"Version": "2012-10-17"
}
Create an IAM role for the service account
aws iam create-role --role-name trident-controller \ --assume-role-policy-document file://trust-relationship.json
trust-relationship.json file:
{
"Version": "2012-10-17",
"Statement": [
{ "Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<account_id>:oidc-provider/<oidc_provider>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"<oidc_provider>:aud": "sts.amazonaws.com",
"<oidc_provider>:sub": "system:serviceaccount:trident:trident-controller"
}
}
}
]
}
Update the following values in the trust-relationship.json file:
-
<account_id> - Your AWS account ID
-
<oidc_provider> - The OIDC of your EKS cluster. You can obtain the oidc_provider by running:
aws eks describe-cluster --name my-cluster --query "cluster.identity.oidc.issuer"\ --output text | sed -e "s/^https:\/\///"
Attach the IAM role with the IAM policy:
Once the role has been created, attach the policy (that was created in the step above) to the role using this command:
aws iam attach-role-policy --role-name my-role --policy-arn <IAM policy ARN>
Verify OICD provider is associated:
Verify that your OIDC provider is associated with your cluster. You can verify it using this command:
aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4
Use the following command to associate IAM OIDC to your cluster:
eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approve
