Setup IAM on AWS
Overview
At the end of this chapter you will be able to:
- Set up an OpenID Connect Provider with AWS IAM
- Set up a Role called ROSADemosRole which will be associated with an OpenShift Service Account and provides the necessary authorizations as per ROSADemosPolicy
- Set up an IAM Policy `ROSADemosPolicy` that allows:
  - Performing CRUD operations on DynamoDB
  - Performing CRUD operations on RDS (Postgres)
Setup
Navigate to the tutorial folder:
The $TUTORIAL_HOME/setup/hack.sh script will create all the aforementioned resources using Ansible. For Ansible to create the AWS resources, you need to provide AWS credentials to the Ansible scripts:
cp $TUTORIAL_HOME/setup/env/passwords.example $TUTORIAL_HOME/setup/env/passwords
Edit the $TUTORIAL_HOME/setup/env/passwords file and update it with your AWS Access Key and Secret Key.
Setup Configurations
The parameters used for the Ansible playbook are set in the $TUTORIAL_HOME/setup/env/extravars file.
Variable Name | Description | Default value
---|---|---
aws_region | The default AWS region to use for creating the resources | us-west-2
oidc_bucket_name | The S3 bucket used for holding the OpenID Connect provider assets | rosa-demos-oidc
rosa_demo_role_name | The AWS IAM role that will be used as part of the demos | ROSADemosRole
rosa_demo_policy_name | The AWS IAM policy that will be used to control what the Kubernetes Service Accounts can do | ROSADemosPolicy
rollback | Clean up all the created AWS resources | False
iam | Create the OpenID Connect Provider and the IAM resources | False
dynamodb | Create the DynamoDB table | False
create_aws_credentials_file | Create the AWS credentials file | True
When running the setup playbook, these variables override the defaults of the Ansible role ROSA Demos.
AWS S3 bucket names must be globally unique, so you must change oidc_bucket_name to a value unique to you. Optionally update aws_region, which defaults to us-west-2, to the AWS region of your choice.
Edit the file $TUTORIAL_HOME/setup/env/extravars and update oidc_bucket_name and aws_region to the values appropriate for your settings.
Create AWS Resources
As described earlier, the following setup script will run an Ansible playbook to create the AWS resources and finally patch the OpenShift Authentication configuration to use the OIDC Provider as serviceAccountIssuer.
$TUTORIAL_HOME/setup/hack.sh
Once the setup script runs successfully, set the following environment variables based on your setup; they are used when deploying your application in the upcoming chapters:
export AWS_REGION='<your aws_region value>'
export ROSA_DEMO_ROLE_ARN=$(aws iam get-role --role-name ROSADemosRole --output json | jq -r '.Role.Arn')
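The role the playbook creates is only as safe as its trust policy: ROSADemosRole should be assumable by one OpenShift service account through the OIDC provider, not by any token the issuer signs. The following added example (not part of the tutorial or its Ansible role) shows the shape of such a trust policy and a small audit that flags a missing or wildcarded `:sub`/`:aud` condition; the issuer host, account id, namespace, service account name and audience are assumptions, so substitute the values your extravars produced.

```python
import json

# Assumed values (not from the tutorial): S3-hosted issuer built from the
# oidc_bucket_name/aws_region defaults, and a placeholder AWS account id.
OIDC_HOST = "rosa-demos-oidc.s3.us-west-2.amazonaws.com"
AWS_ACCOUNT_ID = "123456789012"


def build_trust_policy(namespace, service_account, audience="openshift"):
    """Trust policy that lets exactly one service account assume the role.

    The audience value is an assumption; use whatever your projected token carries."""
    sub = f"system:serviceaccount:{namespace}:{service_account}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{AWS_ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            # Both conditions matter: :sub pins the caller, :aud pins the token's purpose.
            "Condition": {"StringEquals": {f"{OIDC_HOST}:sub": sub, f"{OIDC_HOST}:aud": audience}},
        }],
    }


def audit_trust_policy(doc):
    """Return findings for AssumeRoleWithWebIdentity statements broader than one service account."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = st.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        merged = {**equals, **like}
        subs = {k: v for k, v in merged.items() if k.endswith(":sub")}
        auds = [k for k in merged if k.endswith(":aud")]
        if not subs:
            findings.append(f"statement {i}: no :sub condition; any identity from this issuer may assume the role")
        elif any("*" in str(v) for k, v in subs.items() if k in like):
            findings.append(f"statement {i}: :sub uses a wildcard; more than one service account qualifies")
        if not auds:
            findings.append(f"statement {i}: no :aud condition; tokens issued for other audiences are accepted")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy("rosa-demos", "rosa-demos-sa")  # constructed names
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy))
```

Run the audit against the output of `aws iam get-role --role-name ROSADemosRole --query Role.AssumeRolePolicyDocument` once the playbook has created the role, to confirm the Ansible-generated trust policy is scoped as tightly as this example.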