
AWS Cross Account Support for EKS LCM in Rafay

Our July release update to the Preview environment adds a number of new features and enhancements. This blog post focuses on one of them: Cross Account Role ARN support for Amazon EKS.

In July 2023, Rafay introduced a new feature to its Kubernetes Operations Platform: Cross Account Role ARN support for Amazon Elastic Kubernetes Service (EKS). This feature is designed for organizations that operate multiple AWS accounts and gives them a single, consistent way to manage EKS clusters across those accounts. In this blog post, we explain why this enhancement matters, walk through its main use case, and show how it simplifies EKS cluster lifecycle management across multiple AWS accounts.

Cross Account Support

Before this release, managing EKS clusters in several AWS accounts meant registering a separate cloud credential on the platform for each account. Cross Account Role ARN support removes that overhead: a single cloud credential, backed by an IAM role in a master (management) AWS account, can be used to manage resources across multiple accounts, because that role is granted the sts:AssumeRole permission on the IAM roles in the other accounts.

[Figure: one master cloud credential]


Use Case : Master Account and Linked Accounts

Let's explore a use case to better understand the benefits of Cross Account Role ARN support. Consider an organization with a main AWS account, called the 'master' or 'management' account, that has several other accounts linked to it, called 'linked' or 'child' accounts. The management account defines roles that grant the same set of permissions in every member (child) account. Suppose the cloud credential added on the Rafay platform is trusted by a role at the management account level. The Rafay platform can then use that single role to perform specific privileged actions in any of the member accounts.

With Cross Account Role ARN support, the organization creates a single cloud credential with role-based access to the master (management) AWS account. The role in the management account is configured to list the linked accounts and is permitted to assume only specific role ARNs within those child accounts.

To use this feature, the organization's administrator adds a role-based cloud credential for the master account on the Rafay platform. Once it is configured, other users can select that credential to create and manage EKS clusters in the different child AWS accounts. The AWS side has to be configured accordingly, as described next.

AWS IAM Role on Master Account

[Figure: AWS master IAM role]

With the highlighted configuration, a user or role in the master AWS account is able to assume the roles in the linked accounts (for example QA, Stage or Test), provided those accounts are configured with a matching trust relationship. Keep the master role's sts:AssumeRole permission scoped to the explicit child role ARNs rather than a wildcard resource, so that a compromise of the master credential cannot be turned into access to every role in every linked account.

Important

The master role must have a trust relationship with the controller AWS account. In addition, each child role that the master role assumes must also have a trust relationship with the controller AWS account. Both trust policies should include the sts:ExternalId condition shown below, which prevents a third party that knows the role ARN from getting the controller to assume the role on its behalf (the confused-deputy problem).


Trust Relationship policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<controller aws account id>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "xxxexternal_idxxx"
                }
            }
        }
    ]
}

The controller aws account ID and external ID will be available when creating role-based cloud credentials on the controller.
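As an added example (this is not Rafay's code or the page's own), the following Python builds the trust policy shown above for the master role and each child role, builds a permissions policy for the master role that allows sts:AssumeRole only on listed child role ARNs (the shape of the highlighted master-role configuration is an assumption here), and audits a trust policy for the two mistakes that matter most in practice: a wildcard principal and a missing sts:ExternalId condition. The account IDs, external ID and child role names are made-up placeholders.

```python
"""Build and audit the IAM policies used for cross-account EKS access.

Added example, not Rafay's code. All account IDs, role names and the
external ID are constructed placeholders.
"""
from __future__ import annotations

import json

CONTROLLER_ACCOUNT_ID = "111111111111"   # placeholder: the controller's AWS account
EXTERNAL_ID = "xxxexternal_idxxx"        # placeholder: shown when creating the credential
CHILD_ROLE_ARNS = [                      # placeholder child roles (QA, Stage, Test)
    "arn:aws:iam::222222222222:role/rafay-eks-qa",
    "arn:aws:iam::333333333333:role/rafay-eks-stage",
    "arn:aws:iam::444444444444:role/rafay-eks-test",
]


def build_trust_policy(controller_account_id: str, external_id: str) -> dict:
    """Trust policy for the master role and for each child role: only the
    controller account may assume it, and only with the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{controller_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def build_assume_policy(child_role_arns: list[str]) -> dict:
    """Permissions policy for the master role: it may assume only the listed
    child role ARNs, never a wildcard (assumed shape of the page's config)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": list(child_role_arns)}
        ],
    }


def _as_list(value) -> list:
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict, controller_account_id: str) -> list[str]:
    """Return findings for a trust policy; an empty list means it is acceptable."""
    findings = []
    expected_root = f"arn:aws:iam::{controller_account_id}:root"
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        bad_actions = [a for a in _as_list(stmt.get("Action", [])) if a.lower() != "sts:assumerole"]
        if bad_actions:
            findings.append(f"statement {i}: action must be exactly sts:AssumeRole, got {bad_actions}")
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS", "*")) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: principal is a wildcard; any AWS account could assume this role")
            elif p != expected_root and not str(p).startswith(f"arn:aws:iam::{controller_account_id}:"):
                findings.append(f"statement {i}: principal {p} is not in the controller account")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append(f"statement {i}: missing sts:ExternalId condition (confused-deputy risk)")
    return findings


def audit_assume_policy(policy: dict) -> list[str]:
    """Flag AssumeRole grants whose Resource contains a wildcard."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("*", "sts:*", "sts:assumerole") for a in actions):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" in resource:
                findings.append(f"statement {i}: AssumeRole resource {resource!r} is a wildcard; list child role ARNs explicitly")
    return findings


# Constructed counter-example: a trust policy that should never be deployed.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    good = build_trust_policy(CONTROLLER_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(good, indent=4))
    print("trust policy findings:", audit_trust_policy(good, CONTROLLER_ACCOUNT_ID))
    print("weak policy findings:", audit_trust_policy(WEAK_TRUST_POLICY, CONTROLLER_ACCOUNT_ID))
    print("assume policy findings:", audit_assume_policy(build_assume_policy(CHILD_ROLE_ARNS)))
```

Run the audit against the trust policy of the master role and of every child role before adding the credential on the controller; the same checks apply whether the policy was written by hand or generated by the organization's account-vending tooling.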

Life Cycle Management for Amazon EKS Clusters

When creating an EKS cluster, users select the master cloud credential, enable the cross account role ARN checkbox, and choose the target role ARN from a drop-down list (e.g., QA, Stage, Test). Rafay then assumes the selected role to create and manage the EKS cluster in the corresponding AWS account.

[Figure: Cluster creation]


Conclusion

Cross Account Role ARN support in Rafay's Kubernetes Operations Platform changes how EKS clusters are managed across multiple AWS accounts. By centralizing credential management behind a single role-based credential, organizations can create and manage clusters in linked accounts such as QA, Stage, and Test without registering a separate credential for each. As part of Rafay's continuing focus on the user experience, EKS clusters in a multi-account AWS setup can now be created with a single click.


Try It Out:

Sign up for a free trial here and see it for yourself. Get Started includes a variety of hands-on exercises and documentation links that will help you understand these capabilities of Rafay's Kubernetes Operations Platform.