Commit 6aa6010

Injecting AWS roles to the cluster
1 parent f9a8a1e commit 6aa6010

File tree

1 file changed, +57 -0 lines changed


_docs/enterprise/codefresh-runner.md

Lines changed: 57 additions & 0 deletions
@@ -312,7 +312,64 @@ Update your runtime environment with the [patch command](https://codefresh-io.gi
312312
codefresh patch runtime-environment ivan@wawa-ebs.us-west-2.eksctl.io/codefresh-runtime -f codefresh-runner.yaml
313313
```
314314

315+
###Injecting AWS arn roles into the cluster
315316

317+
Step 1 - Make sure the OIDC provider is connected to the cluster
318+
319+
See:
320+
321+
*[https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html)
322+
*[https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/)
323+
324+
Step 2 - Create IAM role and policy as explained in[https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html](https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html)
325+
326+
Here, in addition to the policy explained, you need a Trust Relationship established between this role and the OIDC entity.
327+
328+
{% include image.html
329+
lightbox="true"
330+
file="/images/enterprise/runner/edit-trust-relationship.png"
331+
url="/images/enterprise/runner/edit-trust-relationship.png"
332+
alt="IAM Role trust establishment with OIDC provider"
333+
caption="IAM Role trust establishment with OIDC provider"
334+
max-width="90%"
335+
%}
336+
337+
Step 3 - Create a new namespace where the runner will be instlled (e.g.`codefresh-runtime`) and annotate the default Kubernetes Service Account on the newly created namespace with the proper IAM role
338+
339+
{% include image.html
340+
lightbox="true"
341+
file="/images/enterprise/runner/sa-annotation.png"
342+
url="/images/enterprise/runner/sa-annotation.png"
343+
alt="Service Account annotation"
344+
caption="Service Account annotation"
345+
max-width="90%"
346+
%}
347+
348+
Step 4 - Install the Codefresh runner using the instructions of the previous section
349+
350+
Step 5 - Using the AWS assumed role identity
351+
352+
After the Codefresh runner is installed run a pipeline to test the AWS resource access:
353+
354+
{% highlight yaml %}
355+
{% raw %}
356+
RunAwsCli:
357+
title : Communication with AWS
358+
image : mesosphere/aws-cli
359+
stage: "build"
360+
commands :
361+
- apk update
362+
- apk add jq
363+
- env
364+
- cat /codefresh/volume/sensitive/.kube/web_id_token
365+
- aws sts assume-role-with-web-identity --role-arn $AWS_ROLE_ARN --role-session-name mh9test --web-identity-token file://$AWS_WEB_IDENTITY_TOKEN_FILE --duration-seconds 1000 > /tmp/irp-cred.txt
366+
- export AWS_ACCESS_KEY_ID="$(cat /tmp/irp-cred.txt | jq -r ".Credentials.AccessKeyId")"
367+
- export AWS_SECRET_ACCESS_KEY="$(cat /tmp/irp-cred.txt | jq -r ".Credentials.SecretAccessKey")"
368+
- export AWS_SESSION_TOKEN="$(cat /tmp/irp-cred.txt | jq -r ".Credentials.SessionToken")"
369+
- rm /tmp/irp-cred.txt
370+
- aws s3api get-object --bucket jags-cf-eks-pod-secrets-bucket --key eks-pod2019-12-10-21-18-32-560931EEF8561BC4 getObjectNotWorks.txt
371+
{% endraw %}
372+
{% endhighlight %}
316373

317374
###Security roles
318375

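Review bot: the Step 5 test pipeline runs `env` and `cat /codefresh/volume/sensitive/.kube/web_id_token` before the `aws sts assume-role-with-web-identity` call, so the service account's web identity token (the very credential that call exchanges for AWS keys) and every environment variable end up in the build log, where anyone who can read pipeline output can reuse the token until it expires; drop both commands from the documented example, or at most keep `env` with a sentence saying it is for one-off debugging only. The example also carries what look like leftover personal test values (`--role-session-name mh9test`, bucket `jags-cf-eks-pod-secrets-bucket`, object key `eks-pod2019-12-10-21-18-32-560931EEF8561BC4`, output file `getObjectNotWorks.txt`); replace them with obvious placeholders such as `<your-bucket>` and `<your-key>` so readers do not copy a bucket they cannot reach or a file name that suggests the step is expected to fail. Smaller points: the two reference links under Step 1 are written as `*[https://...` with no space after the asterisk, which will not render as list items; Step 3 has "instlled" for "installed"; and `$AWS_ROLE_ARN` and `$AWS_WEB_IDENTITY_TOKEN_FILE` appear in the pipeline without any explanation of where they are expected to come from, so one sentence tying them to the service account annotation from Step 3 would save readers a trip to the linked AWS docs.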
0 commit comments