Setup IAM on AWS

Overview

At the end of this chapter you will be able to :

Set up an OpenID Connect Provider with AWS IAM
Set up a Role called ROSADemosRole which will be associated with OpenShift Service Account and provides the necessary authorizations as per ROSADemosPolicy
Set up a IAM Policy`ROSADemosPolicy` that allows,
- Perform CRUD operations on DynamoDB
- Perform CRUD operations on RDS (Postgres)

Setup

Navigate to the tutorial folder:

cd $TUTORIAL_HOME

The $TUTORIAL_HOME/setup/hack.sh will set all the aforementioned resources using Ansible, for the Ansible to set up the resources, you need to

To create the AWS resources, its required to provide AWS credentials to Ansible scripts:

cp $TUTORIAL_HOME/setup/env/passwords.example  $TUTORIAL_HOME/setup/env/passwords

Edit the $TUTORIAL_HOME/setup/env/passwords and update with your [AWS Access] and [Secret Keys].

The setup/.kube and setup/env/passwords file are excluded by Git

Setup Configurations

The parameters used for the Ansible playbook are set in $TUTORIAL_HOME/setup/env/extravars file.

Table 1. Role Variables
Variable Name	Description	Default value
aws_region	The default AWS region to use for creating the resources	us-west-2
oidc_bucket_name	The s3 bucket used for holding the OpenId connect provider assets	rosa-demos-oidc
rosa_demo_role_name	The AWS IAM role that will be used as part of the Demos	ROSADemosRole
rosa_demo_policy_name	The AWS IAM policy that will be used to control what the Kubernetes Service Accounts can do	ROSADemosPolicy
rollback	Clean up all the created AWS resources	False
iam	Create OpenId Connect Provider and create IAM resources	False
dynamodb	Create DynamoDB Table	False
create_aws_credentials_file	Create AWS Credential file	True

When running the setup playbook, these variables overrides the Ansible Role ROSA Demos

AWS S3 buckets expect the bucket names to be unique, its required you change the oidc_bucket_name to some value unique to you. Optionally update aws_region which is defaulted to us-west-2 to AWS region of your choice.

Edit the file $TUTORIAL_HOME/setup/env/extravars and update oidc_bucket_name and aws_region to appropriate value corresponding to your settings.

Create AWS Resources

As described earlier the following setup script will run an Ansible playbook to create AWS resources and finally it will patch OpenShift Authentication to use OIDC Provider as serviceAccountIssuer.

$TUTORIAL_HOME/setup/hack.sh

Once the setup scripts runs successfully, set following environment variables based on your setup to be used when deploying your application in upcoming chapters:

export AWS_REGION='<your aws_region value>'
export ROSA_DEMO_ROLE_ARN=$(aws iam get-role --role-name --output json ROSADemosRole | jq -r '.Role.Arn')