Credentials for EKS¶
With the Controller, you can fully automate the provisioning and ongoing lifecycle management of Amazon EKS clusters in all supported AWS regions.
With auto-provisioning, you can have a cluster operational in just a few clicks. In order to do this, you need to provide credentials that allow programmatic access to Amazon AWS.
Two types of credentials are supported.
Credential Type | Description |
---|---|
IAM Role | Strongly recommended for users of the SaaS Controller. This is the more secure option because (1) you do not have to create an IAM User for the controller, (2) there are no secrets to be managed by the SaaS Controller and (3) is in alignment with AWS's Security best practices and recommendations. |
IAM User | Suited and recommended for users of the self hosted Controller esp. on non AWS environments where IAM Roles are not possible. Configure an IAM user in AWS with programmatic access for the Controller in your AWS account. Enable it with programmatic access and configure the access key and secret in the Cloud Credential |
Important
AWS's Security Best Practices recommending IAM Role over IAM User for 3rd Party Access.
Option 1: Cluster Provisioning with AWS IAM Role¶
You will create a "Cloud Credential" which will be configured to use an IAM role for the Controller in your AWS account. Once created, you can reuse the cloud credential to provision as many clusters as necessary.
To configure an AWS IAM role, you will need the Controller's "AWS Account ID" and a "Unique External ID". You will also have to provide the Role ARN (Amazon Resource Name) for the AWS IAM Role before saving the Cloud Credential
Create Cloud Credential¶
- Login to the Console and select "Cloud Credentials" under Infrastructure
- Click New Credential and provide a unique name
- Select the Type Cluster Provisioning and Credential Type Role
- Provide Account ID, External ID and Role ARN available in the AWS Console
Refer Cluster Provisioning Credentials for AWS Credential setting - Click Save
Option 2: Cluster Provisioning with AWS IAM User¶
Create an "AWS IAM User" attached with a minimal IAM policy required for auto provisioning
Create Cloud Credential¶
- Login to the Console and select "Cloud Credentials" under Infrastructure
- Click New Credential and provide a unique name
- Select the Type Cluster Provisioning and Credential Type Access_Key
- Copy/Paste the Access Key and Secret Access Key from the AWS Console
Refer Cluster Provisioning Credentials for AWS Credential setting
- Click Save
Note: The Credential type is displayed in the Type column
Rotate Credential¶
It is sometimes necessary to replace an existing cloud credential with a new one. This can happen due to a variety of reasons, For example,
- Internal security policy for periodic rotation
- Need to change type of cloud credential
- Potential exposure requiring rotation
It is possible to perform an "in-place swap" of the cloud credential for an existing managed Amazon EKS cluster.
Existing Credential¶
Navigate to the "Cluster->Configuration" tab to view the "cloud credential" currently being used by the cluster. Both the "name" and "type" will be displayed.
Replace Credential¶
To swap the existing cloud credential with a new one, follow the steps below
- Create the new cloud credential
- Navigate to the "Cluster->Configuration" tab
- Click on "Edit" and select the replacement cloud credential from the dropdown
Any subsequent operations on the managed cluster will be performed using the "new cloud credential".
Sharing¶
Organizations can create and use "unique" cloud credentials per project. This approach can be useful if different cloud provider accounts need to be used in every project. This helps with "billing" and "isolation". However, this approach may not be practical for scenarios where the organization's security policies may require "centralization" of cloud credentials. For scenarios like this, organizations can "share" their cloud credentials with selected or all projects.
- Click on the "share" menu option
- Select the projects you would like to share the cloud credential with
The downstream projects that "inherit" the shared cloud credential can view and use the inherited cloud credentials. But, they are not allowed to edit/delete them.