# iR Engine on AWS: 04_IAM
## Create IAM roles for S3/SES/SNS (or a single admin role)

iR Engine interfaces with several AWS services and requires credentials for these purposes. You could make one admin role with full access to all AWS services, but we recommend making separate, scoped roles for each individual service. To create a role, do the following.

### Creating an IAM role

1. Go to IAM > Users, and click on the Add user button.
2. For User name, enter `<service>-admin`, e.g. `s3-admin`. Check the box for Programmatic access, then click on the Next button.
3. Click on 'Attach existing policies directly'. In the Filter policies text box, enter the name of the service to narrow down the policy list significantly. Then look for the FullAccess policy for that service, select it, and click the Next button.
4. You don't need to tag it with anything; just click the Next button, then the Create user button.
5. The following screen should show success and have the user listed. Copy the 'Access key ID' somewhere, and also click the Show toggle under 'Secret access key' and copy that elsewhere as well. You will put these into the Helm config file later.

### IAM roles to create

Here are the services you want to create IAM admin users for, and the associated permissions you want to grant them:

- S3: `AmazonS3FullAccess`, `CloudFrontFullAccess`
- SNS: `AmazonSNSFullAccess`

You'll also need to create an IAM user that GitHub Actions can use to access the cluster and push/pull Docker images from ECR. By convention, we call this user `eksuser`, and it needs these permissions: `AmazonEKSClusterPolicy`, `AmazonEKSWorkerNodePolicy`, `AmazonEKSServicePolicy`, `AmazonElasticContainerRegistryPublicFullAccess`, `AmazonEC2ContainerRegistryFullAccess`.

### Creating new credentials for an IAM user

If you ever lose the secret to a user, or want to make new credentials for whatever reason, go to IAM > Users and click on that user. Click on the 'Security credentials' tab, and under 'Access keys' you should see a button 'Create access key' and, underneath that, 0-2 existing keys with some information about them and an 'x' on the far right to delete them. If there are two keys for that user, you must deactivate and delete one of them before making a new one. Click the Create button, then make sure to save the public and secret keys somewhere and put them into the Helm config file.

## Apply aws-auth with EKS user ARN to cluster

Only the IAM user who created the EKS cluster initially has access to the cluster, even if another user has all of the required policies/permissions, up to and including the admin policy. In order for other users to have access to the cluster, the `aws-auth` ConfigMap in the cluster needs to be modified to explicitly grant them permission to access the cluster.

There is an [aws-auth YAML](https://github.com/ir-engine/ir-engine-ops/blob/master/configs/aws-auth-template.yml) file template in the `configs` folder of the [ir-engine-ops](https://github.com/ir-engine/ir-engine-ops/) repository. Make a copy of this template, shorten its name to `aws-auth.yml`, and run this command to get the current copy of the aws-auth ConfigMap:

```shell
kubectl describe configmap aws-auth -n kube-system
```

It should look something like this:

```
Data
====
mapRoles:
----
- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::<accountId>:role/eksctl-ir-engine-test-nodegro-NodeInstanceRole-DXWOPISGTD1E
  username: system:node:{{EC2PrivateDNSName}}

mapUsers:
----
- groups:
  - system:masters
  userarn: arn:aws:iam::<accountId>:user/ir-engine-eks
  username: ir-engine-eks
```

Copy the value of `rolearn` in the entry for `mapRoles` and paste that in the template copy to replace `<rolearn>`.

In the `mapUsers` section, you'll need to make as many copies of the following as you want users to have access to the cluster:

```yaml
- groups:
  - system:masters
  userarn: arn:aws:iam::<account-id>:user/ir-engine-eks
  username: ir-engine-eks
```

Make sure to have an entry for the user who made the cluster; in the example above, that's `ir-engine-eks`. Replace `<account-id>` with the AWS account ID, and both instances of `<IAM-username>` with the username you want to grant access. You should not add any value for `{{EC2PrivateDNSName}}`; it will be evaluated by AWS in real time.

After the ConfigMap is ready, run this command to update the ConfigMap with the contents of `aws-auth.yml`:

```shell
kubectl apply -f <path/to/aws-auth.yml>
```

If you want to add a new user to the cluster, you will need to make another entry in the `mapUsers` section with their username and run `kubectl apply -f <path/to/aws-auth.yml>` again. You have to keep all of the other user entries, as the contents of the ConfigMap get replaced wholesale with whatever is in `aws-auth.yml`. To remove a user's access from the cluster, remove their entry from `mapUsers` and run the above command to reapply the file.
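Because `kubectl apply -f aws-auth.yml` replaces the ConfigMap wholesale, a file that has lost the node role ARN or the cluster creator's `mapUsers` entry will lock nodes or the creator out the moment it is applied. The following is an added example, not part of the iR Engine docs or the ir-engine-ops repository: a small POSIX shell pre-flight check to run on `aws-auth.yml` before applying it. It assumes the file uses the eksctl layout shown above (`mapRoles: |` and `mapUsers: |` string blocks under `data:`, one `username:` line per entry); the account ID, role name and the `deploy-bot` user in the sample file are constructed values, not real ARNs.

```shell
#!/bin/sh
# Added example (not iR Engine's own code): sanity-check an aws-auth.yml before
# `kubectl apply -f` replaces the cluster's aws-auth ConfigMap wholesale.
# Assumption: eksctl layout with `mapRoles: |` / `mapUsers: |` blocks under data:,
# one `username:` line per entry. All sample values below are constructed.

# Emit one mapUsers entry (system:masters) for an IAM user in ACCOUNT_ID.
render_map_user() {
  account_id="$1"
  iam_user="$2"
  printf '    - groups:\n      - system:masters\n      userarn: arn:aws:iam::%s:user/%s\n      username: %s\n' \
    "$account_id" "$iam_user" "$iam_user"
}

# Print how many entries in FILE carry exactly this username.
count_user_entries() {
  file="$1"
  iam_user="$2"
  grep -c "^[[:space:]]*username: ${iam_user}\$" "$file" || true
}

# Return 0 only if FILE is safe to apply:
#  - the mapRoles node role ARN is present (nodes keep joining the cluster),
#  - the cluster creator has exactly one mapUsers entry (not dropped, not duplicated),
#  - no <placeholder> from the template is left unreplaced.
aws_auth_check() {
  file="$1"
  creator="$2"
  grep -q '^[[:space:]]*rolearn: arn:aws:iam::[0-9]*:role/' "$file" \
    || { echo "refusing to apply: no node role ARN in mapRoles"; return 1; }
  [ "$(count_user_entries "$file" "$creator")" -eq 1 ] \
    || { echo "refusing to apply: creator $creator must have exactly one mapUsers entry"; return 1; }
  ! grep -q '<[A-Za-z-]*>' "$file" \
    || { echo "refusing to apply: template placeholder left in file"; return 1; }
  return 0
}

# Write a constructed sample aws-auth.yml to OUT (made-up account ID and role name).
make_sample() {
  out="$1"
  {
    printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: aws-auth\n  namespace: kube-system\ndata:\n'
    printf '  mapRoles: |\n    - groups:\n      - system:bootstrappers\n      - system:nodes\n'
    printf '      rolearn: arn:aws:iam::123456789012:role/eksctl-example-NodeInstanceRole-EXAMPLE\n'
    printf '      username: system:node:{{EC2PrivateDNSName}}\n'
    printf '  mapUsers: |\n'
    render_map_user 123456789012 ir-engine-eks   # cluster creator: must stay in every revision
    render_map_user 123456789012 deploy-bot      # constructed extra user being granted access
  } > "$out"
}

# Demo: check the constructed file, then the same file with the creator's entry removed.
sample="$(mktemp)"
make_sample "$sample"
if aws_auth_check "$sample" ir-engine-eks; then echo "ok: $sample is safe to apply"; fi
grep -v 'ir-engine-eks' "$sample" > "$sample.bad"
aws_auth_check "$sample.bad" ir-engine-eks || echo "(expected: $sample.bad was rejected)"
rm -f "$sample" "$sample.bad"
```

In practice you would run `aws_auth_check aws-auth.yml ir-engine-eks && kubectl apply -f aws-auth.yml`, so that a file missing the creator entry, the node role or a filled-in placeholder never reaches the cluster. The check is deliberately line-based and does not parse YAML, which keeps it dependency-free but means it only recognises the indented `username:`/`rolearn:` layout shown above.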