
@dudash
Last active September 8, 2022 00:43
Steps to setup a ROSA secure config demo

Demo Setup

Set up temporary AWS credentials

aws configure --profile rosa-demo

(answer the prompts with the temporary access key, secret key, region and output format)

export AWS_PROFILE=rosa-demo

Create a custom, read-only policy scoped to one S3 bucket

export S3_CUSTOM_BUCKET=sagemaker-us-east-1-546584748567

The managed full-access policy ARN is exported only for reference; it is not attached anywhere below. The demo attaches the narrower ListBucket/GetObject policy created next instead.

export S3_FULL_POLICY_ARN=arn:aws:iam::aws:policy/AmazonS3FullAccess

cat <<EOF > /tmp/s3-policy.json
{
 "Version": "2012-10-17",
 "Statement": [
     {
         "Sid": "Statement",
         "Effect": "Allow",
         "Action": [
             "s3:ListBucket",
             "s3:GetObject"
         ],
         "Resource": [
             "arn:aws:s3:::$S3_CUSTOM_BUCKET/*",
             "arn:aws:s3:::$S3_CUSTOM_BUCKET"
         ]
     }
 ]
}
EOF
S3_CUSTOM_POLICY_ARN=$(aws iam create-policy --policy-name ROSADemoS3Access \
   --policy-document file:///tmp/s3-policy.json \
   --query 'Policy.Arn' --output text)

echo $S3_CUSTOM_POLICY_ARN

Create a new role and ROSA service account

(ref: https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html)

Get your AWS account ID:

export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)

Get your cluster's OIDC issuer, stripped of the https:// scheme (IAM names the identity provider by host and path, and the condition keys below are prefixed with that same string):

export OIDC_PROVIDER=$(oc get authentication.config.openshift.io cluster -o json | jq -r .spec.serviceAccountIssuer | sed -e "s/^https:\/\///")

Create a new service account that will get this access:

cat <<EOF > /tmp/new-service-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: builder-s3-service-account
  namespace: default
EOF

oc apply -f /tmp/new-service-account.yaml

The trust policy defines who may assume the new role. Pin the subject to the exact namespace and service account created above. IAM's StringEquals operator treats * as a literal character, so a subject like system:serviceaccount:*:builder never matches and the role cannot be assumed at all; relaxing it to StringLike would instead let a service account of that name in any namespace assume the role.

cat <<EOF > /tmp/trustpolicy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_PROVIDER}:sub": "system:serviceaccount:default:builder-s3-service-account"
        }
      }
    }
  ]
}
EOF

Create the new role:

S3_ROLE=$(aws iam create-role \
   --role-name "ROSADemoS3AccessRole" \
   --assume-role-policy-document file:///tmp/trustpolicy.json \
   --query "Role.Arn" --output text)

echo $S3_ROLE

Attach the read-only S3 policy to the role:

aws iam attach-role-policy \
   --role-name "ROSADemoS3AccessRole" \
   --policy-arn $S3_CUSTOM_POLICY_ARN

Annotate the service account with the role ARN. The cluster's pod identity webhook reads this annotation and injects the role ARN and a projected service account token into pods that run as this service account; the name and namespace must match the subject pinned in the trust policy:

oc annotate serviceaccount builder-s3-service-account -n default eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole
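The script below is an added example and not part of the original gist. It pulls the trust-policy step together: it renders a trust policy that pins both the :sub and the :aud claim for one exact service account, lints a policy document for the two mistakes that silently break or loosen the binding (a wildcard under StringEquals, which never matches, and a missing audience check), and, only when run with --verify against a logged-in cluster, confirms the binding from inside a pod. The function names, the pod name irsa-check, the default audience "openshift", and the assumption that the pod identity webhook injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE as it does on EKS are all assumptions of this example, not facts from the gist; check the audience your cluster's provider was registered with via aws iam get-open-id-connect-provider --open-id-connect-provider-arn <arn> --query ClientIDList.

```shell
#!/bin/sh
# Added example (not from the original gist): render, lint and optionally verify an
# IRSA-style trust policy for one exact ROSA service account.
# Assumptions: function names, pod name "irsa-check", default audience "openshift",
# and EKS-style env injection by the pod identity webhook.
set -eu

# $1 AWS account id, $2 OIDC provider (host/path, no scheme), $3 namespace,
# $4 service account name, $5 audience (assumed default: openshift)
make_trust_policy() {
  account="$1"; oidc="$2"; ns="$3"; sa="$4"; aud="${5:-openshift}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "arn:aws:iam::${account}:oidc-provider/${oidc}" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${oidc}:sub": "system:serviceaccount:${ns}:${sa}",
          "${oidc}:aud": "${aud}"
        }
      }
    }
  ]
}
EOF
}

# Lint a trust policy document read from stdin. Returns 0 only when the subject is an
# exact match and the audience is checked. Rejects:
#  - StringLike anywhere: a wildcard subject admits every namespace/SA that matches
#  - a '*' inside the system:serviceaccount subject under StringEquals: IAM matches it
#    literally, so AssumeRoleWithWebIdentity always fails (looks fine until a pod tries)
#  - no :aud key: a token the issuer signed for any audience is accepted
check_trust_policy() {
  doc="$(cat)"
  if printf '%s\n' "$doc" | grep -q '"StringLike"'; then
    echo "FAIL: StringLike subject is over-broad; use StringEquals with the exact SA" >&2; return 1
  fi
  if printf '%s\n' "$doc" | grep -q 'system:serviceaccount:[^"]*\*'; then
    echo "FAIL: wildcard in :sub under StringEquals is matched literally and never succeeds" >&2; return 1
  fi
  if ! printf '%s\n' "$doc" | grep -q ':aud"'; then
    echo "FAIL: no :aud condition; pin the audience the OIDC provider was registered with" >&2; return 1
  fi
  echo "OK: subject and audience pinned"
}

# Live check (needs oc logged in to the cluster): start a pod under the annotated SA,
# confirm STS reports the assumed role, and list the bucket with the read-only policy.
# Assumes the webhook injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE as on EKS;
# confirm with: oc exec -n "$ns" irsa-check -- env | grep AWS_
verify_from_pod() {
  ns="$1"; sa="$2"; bucket="$3"
  oc run irsa-check -n "$ns" --restart=Never --image=amazon/aws-cli \
    --overrides="{\"apiVersion\":\"v1\",\"spec\":{\"serviceAccountName\":\"$sa\"}}" \
    --command -- sleep 300
  oc wait -n "$ns" --for=condition=Ready pod/irsa-check --timeout=120s
  oc exec -n "$ns" irsa-check -- aws sts get-caller-identity
  oc exec -n "$ns" irsa-check -- aws s3 ls "s3://$bucket/"
  oc delete pod -n "$ns" irsa-check --wait=false
}

# Offline run: render the policy for the demo's SA and lint it. Uses AWS_ACCOUNT_ID and
# OIDC_PROVIDER from the gist's steps when exported, placeholder values otherwise.
make_trust_policy "${AWS_ACCOUNT_ID:-111122223333}" \
  "${OIDC_PROVIDER:-oidc.example.invalid/placeholder}" \
  default builder-s3-service-account | check_trust_policy

# --verify additionally runs the in-cluster check against S3_CUSTOM_BUCKET.
if [ "${1:-}" = "--verify" ]; then
  verify_from_pod default builder-s3-service-account "${S3_CUSTOM_BUCKET:?export S3_CUSTOM_BUCKET first}"
fi
```

Once the lint passes, write the rendered document with make_trust_policy ... > /tmp/trustpolicy.json and feed it to aws iam create-role as above, or to aws iam update-assume-role-policy --role-name ROSADemoS3AccessRole --policy-document file:///tmp/trustpolicy.json for a role that already exists. Feeding the gist's original trust policy (wildcard namespace, no audience) through check_trust_policy fails on the first two checks, which is the point: the role would have been created without error and only failed when a pod tried to use it.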
