Setup IAM on AWS

Overview

At the end of this chapter you will be able to:

  • Set up an OpenID Connect Provider with AWS IAM

  • Set up a Role called ROSADemosRole, which will be associated with an OpenShift Service Account and grants the authorizations defined by ROSADemosPolicy

  • Set up an IAM Policy `ROSADemosPolicy` that allows:

    • CRUD operations on DynamoDB

    • CRUD operations on RDS (Postgres)
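The role and policy above are created by the tutorial's Ansible role; the shape of the two documents it needs is worth seeing once, because the trust policy is where least privilege is won or lost. The example below is added here and is not the tutorial's own code: it builds a trust policy that lets only one Kubernetes service account assume the role through the OIDC provider, builds a permissions policy scoped to one DynamoDB table plus IAM database authentication for RDS, and includes a small checker that flags the common mistake of a web-identity trust policy with no `sub` condition (which lets any pod on the cluster assume the role). The account id, issuer host, namespace, service account name and ARNs are constructed placeholders, not values from the tutorial.

```python
import json

# Constructed sample values (assumptions, not from the tutorial).
ACCOUNT_ID = "123456789012"
# Assumed host of the S3-hosted OIDC issuer created by the setup.
OIDC_ISSUER_HOST = "rosa-demos-oidc.s3.us-west-2.amazonaws.com"
NAMESPACE = "rosa-demos"
SERVICE_ACCOUNT = "rosa-demos-sa"
TABLE_ARN = "arn:aws:dynamodb:us-west-2:123456789012:table/rosa-demos"
DB_USER_ARN = "arn:aws:rds-db:us-west-2:123456789012:dbuser:db-EXAMPLE/rosa_demos"


def trust_policy(account_id, issuer_host, namespace, service_account):
    """Trust policy that binds the role to exactly one service account.

    The Federated principal is the IAM OIDC provider; the StringEquals
    condition on the token's ``sub`` claim pins the caller to
    system:serviceaccount:<namespace>:<name>.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer_host}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    f"{issuer_host}:sub":
                        f"system:serviceaccount:{namespace}:{service_account}"
                }
            },
        }],
    }


def permissions_policy(table_arn, db_user_arn):
    """Permissions policy: item-level CRUD on one DynamoDB table and
    IAM database authentication for one RDS database user.

    Note that ``rds-db:connect`` only lets the role log in; the actual
    CRUD rights on tables are granted inside Postgres with GRANT.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DynamoDBCrud",
                "Effect": "Allow",
                "Action": [
                    "dynamodb:GetItem", "dynamodb:PutItem",
                    "dynamodb:UpdateItem", "dynamodb:DeleteItem",
                    "dynamodb:Query", "dynamodb:Scan",
                ],
                "Resource": table_arn,
            },
            {
                "Sid": "RdsIamConnect",
                "Effect": "Allow",
                "Action": "rds-db:connect",
                "Resource": db_user_arn,
            },
        ],
    }


def trust_policy_findings(policy):
    """Return a list of problems with a web-identity trust policy.

    Flags an Allow for sts:AssumeRoleWithWebIdentity that has no ``sub``
    condition, a wildcard in the ``sub`` value, or a wildcard principal.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        if stmt.get("Principal") == "*" or stmt.get("Principal", {}).get("Federated") == "*":
            findings.append("wildcard principal on web-identity statement")
        subs = {k: v for block in stmt.get("Condition", {}).values()
                for k, v in block.items() if k.endswith(":sub")}
        if not subs:
            findings.append("no :sub condition: any service account on the cluster can assume the role")
        for key, value in subs.items():
            if "*" in value:
                findings.append(f"wildcard in {key} value {value!r}")
    return findings


if __name__ == "__main__":
    trust = trust_policy(ACCOUNT_ID, OIDC_ISSUER_HOST, NAMESPACE, SERVICE_ACCOUNT)
    print(json.dumps(trust, indent=2))
    print(json.dumps(permissions_policy(TABLE_ARN, DB_USER_ARN), indent=2))
    print("findings:", trust_policy_findings(trust))
```

The checker is the part to keep around: run it over the trust policy that `aws iam get-role` returns after the setup, and an empty findings list confirms the role is pinned to the intended service account rather than to the whole cluster.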

Setup

Navigate to the tutorial folder:

cd $TUTORIAL_HOME

The $TUTORIAL_HOME/setup/hack.sh script sets up all the aforementioned resources using Ansible. To create the AWS resources, you must provide AWS credentials to the Ansible scripts:

cp $TUTORIAL_HOME/setup/env/passwords.example  $TUTORIAL_HOME/setup/env/passwords

Edit $TUTORIAL_HOME/setup/env/passwords and fill in your AWS Access Key and Secret Key.

The setup/.kube and setup/env/passwords files are excluded from Git.

Setup Configurations

The parameters used for the Ansible playbook are set in $TUTORIAL_HOME/setup/env/extravars file.

Table 1. Role Variables

Variable Name                 Description                                                                          Default value
aws_region                    The default AWS region to use for creating the resources                             us-west-2
oidc_bucket_name              The S3 bucket used for holding the OpenID Connect provider assets                    rosa-demos-oidc
rosa_demo_role_name           The AWS IAM role that will be used as part of the Demos                              ROSADemosRole
rosa_demo_policy_name         The AWS IAM policy that will be used to control what the Kubernetes Service Accounts can do   ROSADemosPolicy
rollback                      Clean up all the created AWS resources                                               False
iam                           Create the OpenID Connect Provider and the IAM resources                             False
dynamodb                      Create the DynamoDB table                                                            False
create_aws_credentials_file   Create the AWS credentials file                                                      True

When running the setup playbook, these variables override the defaults of the ROSA Demos Ansible role.

AWS S3 bucket names must be globally unique, so you must change oidc_bucket_name to a value unique to you. Optionally, change aws_region (which defaults to us-west-2) to the AWS region of your choice.

Edit the file $TUTORIAL_HOME/setup/env/extravars and update oidc_bucket_name and aws_region to the values appropriate for your settings.

Create AWS Resources

As described earlier, the following setup script runs an Ansible playbook to create the AWS resources and finally patches the OpenShift Authentication configuration to use the OIDC provider as the serviceAccountIssuer.

$TUTORIAL_HOME/setup/hack.sh

Once the setup script runs successfully, set the following environment variables based on your setup; they are used when deploying your application in the upcoming chapters:

export AWS_REGION='<your aws_region value>'
export ROSA_DEMO_ROLE_ARN=$(aws iam get-role --role-name ROSADemosRole --output json | jq -r '.Role.Arn')