Credentials for EKS¶
With the Controller, you can fully automate the provisioning and ongoing lifecycle management of Amazon EKS clusters in all supported AWS regions.
With auto-provisioning, you can have a cluster operational in just a few clicks. In order to do this, you need to provide credentials that allow programmatic access to Amazon AWS.
Two types of credentials are supported.
| Credential Type | Description |
|---|---|
| IAM Role | Strongly recommended for users of the SaaS Controller. This is the more secure option because (1) you do not have to create an IAM User for the controller, (2) there are no secrets to be managed by the SaaS Controller and (3) is in alignment with AWS's Security best practices and recommendations. |
| IAM User | Suited and recommended for users of the self hosted Controller esp. on non AWS environments where IAM Roles are not possible. Configure an IAM user in AWS with programmatic access for the Controller in your AWS account. Enable it with programmatic access and configure the access key and secret in the Cloud Credential |
Important
AWS's Security Best Practices recommending IAM Role over IAM User for 3rd Party Access.
Option 1: AWS IAM Role¶
You will create a "Cloud Credential" which will be configured to use an IAM role for the Controller in your AWS account. Once created, you can reuse the cloud credential to provision as many clusters as necessary.
To configure an AWS IAM role, you will need the Controller's "AWS Account ID" and a "Unique External ID". You will also have to provide the Role ARN (Amazon Resource Name) for the AWS IAM Role before you can save the Cloud Credential
Step 1: Create Cloud Credential¶
- Login to the Console and click on Infrastructure
- Select "Cloud Credentials", Click on "New Credential" and provide a unique name.
- We will be using the provided "Account ID" and "External ID" in the AWS Console
We will come back and enter the ARN once - Once we have the ARN for the IAM Role, we will provide it here to create the cloud credential
Step 2: Create IAM Policy¶
- Sign into the AWS Console and navigate to the IAM service
- Create a new Policy, provide it with a name such as "Demos-EKS-Provisioning"
- Copy/Paste the JSON for the IAM Policy
- Review and save the policy
- Provide a name for the policy (e.g. rafay_eks_policy)
Step 3: Create IAM Role¶
- In the AWS Console and navigate to the IAM service
- Create a new Role, select another AWS Account as the Type
- Copy/Paste the Account ID from the Cloud Credential (Step 1)
- Enable "Require External ID" and copy/paste the External ID from the Cloud Credential (Step 1)
- Click on "Next:Permissions"
- Search for the Policy you created in Step 2 and select it
- Click on the newly created Role to view it
- Copy the Role ARN
Step 4: Save Cloud Credential¶
- Return to where you left off from Step 1
- Paste the Role ARN from Step 3 and Save
The Controller will perform a validation with AWS to ensure that the provided information is correct. Once the cloud credential is saved, the administrator can view metadata. The Credential type is displayed in the Type column.
Note
The "Credential Detail" shows the name of the IAM Role in the AWS Console.
Option 2: AWS IAM User¶
We will be creating an "AWS IAM User" attached with a minimal IAM policy required for auto provisioning.
Step 1: Create IAM Policy¶
- Sign into the AWS Console.
- Select "IAM' from Services
- Select "Policies"
- Click on "Add Policy"
- Click on "Create Policy"
- Copy/Paste the JSON for the IAM Policy
- Click on Review Policy
- Provide a name for the policy
Step 2: Create IAM User¶
To ensure all actions performed by the Controller can be audited, we recommend that customers create a new "AWS IAM User".
- Select "IAM' from Services
- Select "Users"
- Click on "Add User"
You will be presented with a "Guided Workflow"
- Provide a username
- Enable "Programmatic Access" for Access Type
- Click "Next:Permissions"
Step 3: Attach Permissions to User¶
Customers will want to limit the permissions they provide this IAM User. During auto-provisioning, the Controller automatically creates and configures required infrastructure.
- Click on "Attach Existing Policies Directly"
- Filter policies by the name of the policy you created in Step 1.
- Click on "Next:Tags" (Optional)
- Review the details and finalize
- Download the "CSV" containing the "Access Key ID" and "Secret Access Key"
Important
For security reasons, this information is not accessible later in AWS. Ensure that you do not skip this step because we will require this information when we create a Cloud Credential in the Console.
Step 4: Save Cloud Credential¶
- Login into the Console and click on Infrastructure
- Select "Cloud Credentials", Click on "New Credential" and provide a unique name.
- Copy/Paste the Access Key and Secret Access Key from Step 3 into the provided fields and Save. Note that the Credential type is displayed in the Type column.
Rotate Credential¶
It is sometimes necessary to replace an existing cloud credential with a new one. This can happen due to a variety of reasons, For example,
- Internal security policy for periodic rotation
- Need to change type of cloud credential
- Potential exposure requiring rotation
It is possible to perform an "in-place swap" of the cloud credential for an existing managed Amazon EKS cluster.
Existing Credential¶
Navigate to the "Cluster->Configuration" tab to view the "cloud credential" currently being used by the cluster. Both the "name" and "type" will be displayed.
Replace Credential¶
To swap the existing cloud credential with a new one, follow the steps below
- Create the new cloud credential
- Navigate to the "Cluster->Configuration" tab
- Click on "Edit" and select the replacement cloud credential from the dropdown
Any subsequent operations on the managed cluster will be performed using the "new cloud credential".
Sharing¶
Organizations can create and use "unique" cloud credentials per project. This approach can be useful if different cloud provider accounts need to be used in every project. This helps with "billing" and "isolation". However, this approach may not be practical for scenarios where the organization's security policies may require "centralization" of cloud credentials. For scenarios like this, organizations can "share" their cloud credentials with selected or all projects.
- Click on the "share" menu option
- Select the projects you would like to share the cloud credential with
The downstream projects that "inherit" the shared cloud credential can view and use the inherited cloud credentials. But, they are not allowed to edit/delete them.
