dudash/rosa-demo-secure-setup.md

## 1 change: 1 addition & 0 deletions rosa-demo-secure-setup.md
@@ -116,4 +116,5 @@ EOF

    ```
```


    `oc apply -f /tmp/new-service-account.json`
`oc apply -f /tmp/new-service-account.json`


    `oc annotate -n default serviceaccount new-s3-service-account eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`
`oc annotate -n default serviceaccount new-s3-service-account eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`

## 32 changes: 18 additions & 14 deletions rosa-demo-secure-setup.md
@@ -46,26 +46,15 @@ S3_CUSTOM_POLICY_ARN=$(aws iam create-policy --policy-name ROSADemoS3Access \

    (ref: https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html)
(ref: https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html)


    Get your AWS account info:
Get your AWS account info:


    ```export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)```
```export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)```


    Get your cluster OIDC info:
Get your cluster OIDC info:

    ```
```

    export OIDC_PROVIDER=$(oc get authentication.config.openshift.io cluster -o json | jq -r .spec.serviceAccountIssuer | sed -e "s/^https:\/\///")
export OIDC_PROVIDER=$(oc get authentication.config.openshift.io cluster -o json | jq -r .spec.serviceAccountIssuer | sed -e "s/^https:\/\///")

    ```
```


    Create a new service account that will get this access:
Create a new service account that will get this access:

    ```
```

    cat <<EOF > /tmp/new-service-account.json
cat <<EOF > /tmp/new-service-account.json

    apiVersion: v1
apiVersion: v1

    kind: ServiceAccount
kind: ServiceAccount

    metadata:
metadata:

      name: builder-s3-service-account
  name: builder-s3-service-account

      namespace: default
  namespace: default

    EOF
EOF

    export OIDC_PROVIDER=$(oc get authentication.config.openshift.io cluster -o json | jq -r .spec.serviceAccountIssuer | sed -e "s/^https:\/\///")
export OIDC_PROVIDER=$(oc get authentication.config.openshift.io cluster -o json | jq -r .spec.serviceAccountIssuer | sed -e "s/^https:\/\///")

    ```
```


    `oc apply -f /tmp/new-service-account.json`
`oc apply -f /tmp/new-service-account.json`


    The trust policy defines the rules around who can assume this new role:
The trust policy defines the rules around who can assume this new role:

    ```
```

    cat <<EOF > /tmp/trustpolicy.json
cat <<EOF > /tmp/trustpolicy.json
@@ -112,4 +101,19 @@ Annotate the local namespace's service account(s) that will run pods needing S3


    `oc annotate serviceaccount builder eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`
`oc annotate serviceaccount builder eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`


    `oc annotate serviceaccount default eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`
`oc annotate serviceaccount default eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`

    `oc annotate serviceaccount default eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`
`oc annotate serviceaccount default eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`


    Alternatively, create a new service account, annotate that, and reference it in your deployments:
Alternatively, create a new service account, annotate that, and reference it in your deployments:


    ```
```

    cat <<EOF > /tmp/new-service-account.json
cat <<EOF > /tmp/new-service-account.json

    apiVersion: v1
apiVersion: v1

    kind: ServiceAccount
kind: ServiceAccount

    metadata:
metadata:

      name: new-s3-service-account
  name: new-s3-service-account

      namespace: default
  namespace: default

    EOF
EOF

    ```
```


    `oc apply -f /tmp/new-service-account.json`
`oc apply -f /tmp/new-service-account.json`

    `oc annotate -n default serviceaccount new-s3-service-account eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`
`oc annotate -n default serviceaccount new-s3-service-account eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`

## 2 changes: 1 addition & 1 deletion rosa-demo-secure-setup.md
@@ -1,5 +1,5 @@

    # Secure Demo Setup
# Secure Demo Setup

    This assumes you have a ROSA cluster and you have added an OIDC provider for the cluster. We will walk through the steps to auth ROSA pods to access specific S3 buckets. Instead of creating and distributing your AWS credentials to the containers or using the Amazon EC2 instance’s role, we will create a role (and associated federated identity) with some of the built-in ROSA service accounts.
This assumes you have a ROSA cluster and you have added an OIDC provider for the cluster. We will walk through the steps to auth ROSA pods to access specific S3 buckets. Instead of creating and distributing your AWS credentials to the containers or using the Amazon EC2 instance’s role, we will create a role (and associated federated identity) with some of the built-in ROSA service accounts.

    This assumes you have a ROSA cluster and you have added an OIDC provider for the cluster. We will walk through the steps to auth ROSA pods to access specific S3 buckets. Instead of creating and distributing your AWS credentials to the containers or using the Amazon EC2 instance’s role, we will create a IAM Policy and Role (with federated identity) and associate it to some of the built-in ROSA service accounts.
This assumes you have a ROSA cluster and you have added an OIDC provider for the cluster. We will walk through the steps to auth ROSA pods to access specific S3 buckets. Instead of creating and distributing your AWS credentials to the containers or using the Amazon EC2 instance’s role, we will create a IAM Policy and Role (with federated identity) and associate it to some of the built-in ROSA service accounts.


    ## Setup temp AWS creds
## Setup temp AWS creds

    `aws configure --profile rosa-demo`
`aws configure --profile rosa-demo`


## 1 change: 1 addition & 0 deletions rosa-demo-setup.md → rosa-demo-secure-setup.md
@@ -1,4 +1,5 @@

    # Secure Demo Setup
# Secure Demo Setup

    This assumes you have a ROSA cluster and you have added an OIDC provider for the cluster. We will walk through the steps to auth ROSA pods to access specific S3 buckets. Instead of creating and distributing your AWS credentials to the containers or using the Amazon EC2 instance’s role, we will create a role (and associated federated identity) with some of the built-in ROSA service accounts.
This assumes you have a ROSA cluster and you have added an OIDC provider for the cluster. We will walk through the steps to auth ROSA pods to access specific S3 buckets. Instead of creating and distributing your AWS credentials to the containers or using the Amazon EC2 instance’s role, we will create a role (and associated federated identity) with some of the built-in ROSA service accounts.


    ## Setup temp AWS creds
## Setup temp AWS creds

    `aws configure --profile rosa-demo`
`aws configure --profile rosa-demo`


## 2 changes: 1 addition & 1 deletion rosa-demo-setup.md
@@ -107,7 +107,7 @@ aws iam attach-role-policy \

       --policy-arn $S3_CUSTOM_POLICY_ARN
   --policy-arn $S3_CUSTOM_POLICY_ARN

    ```
```


    Annotate the service account(s) that will run the pods needing S3 access:
Annotate the service account(s) that will run the pods needing S3 access:

    Annotate the local namespace's service account(s) that will run pods needing S3 access:
Annotate the local namespace's service account(s) that will run pods needing S3 access:


    `oc annotate serviceaccount builder eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`
`oc annotate serviceaccount builder eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`


## 4 changes: 3 additions & 1 deletion rosa-demo-setup.md
@@ -107,6 +107,8 @@ aws iam attach-role-policy \

       --policy-arn $S3_CUSTOM_POLICY_ARN
   --policy-arn $S3_CUSTOM_POLICY_ARN

    ```
```


    Annotate your service account:
Annotate your service account:

    Annotate the service account(s) that will run the pods needing S3 access:
Annotate the service account(s) that will run the pods needing S3 access:


    `oc annotate serviceaccount builder eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`
`oc annotate serviceaccount builder eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`


    `oc annotate serviceaccount default eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`
`oc annotate serviceaccount default eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`

## 2 changes: 1 addition & 1 deletion rosa-demo-setup.md
@@ -1,4 +1,4 @@

    # Demo Setup
# Demo Setup

    # Secure Demo Setup
# Secure Demo Setup


    ## Setup temp AWS creds
## Setup temp AWS creds

    `aws configure --profile rosa-demo`
`aws configure --profile rosa-demo`


## 14 changes: 1 addition & 13 deletions rosa-demo-setup.md
@@ -41,19 +41,7 @@ S3_CUSTOM_POLICY_ARN=$(aws iam create-policy --policy-name ROSADemoS3Access \

     echo $S3_CUSTOM_POLICY_ARN
 echo $S3_CUSTOM_POLICY_ARN

    ```
```


    ## Attach a S3 access policy for all workers (option 1)
## Attach a S3 access policy for all workers (option 1)

    Find existing IAM roles for the cluster:
Find existing IAM roles for the cluster:

    aws iam list-roles | grep -iE "rosa|ManagedOpenShift"
aws iam list-roles | grep -iE "rosa|ManagedOpenShift"


    ....*find worker role here to use below*....
....*find worker role here to use below*....


    ```
```

    aws iam attach-role-policy \
aws iam attach-role-policy \

      --role-name rosa-5cznr-r9gqb-worker-role \
  --role-name rosa-5cznr-r9gqb-worker-role \

      --policy-arn $S3_CUSTOM_POLICY_ARN
  --policy-arn $S3_CUSTOM_POLICY_ARN

      ```
  ```


    ## Create a new role and ROSA service account (option 2)
## Create a new role and ROSA service account (option 2)

    ## Create a new role and ROSA service account
## Create a new role and ROSA service account

    (ref: https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html)
(ref: https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html)


    Get your AWS account info:
Get your AWS account info:


## 1 change: 1 addition & 0 deletions rosa-demo-setup.md
@@ -120,4 +120,5 @@ aws iam attach-role-policy \

    ```
```


    Annotate your service account:
Annotate your service account:


    `oc annotate serviceaccount builder eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`
`oc annotate serviceaccount builder eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`

## 7 changes: 5 additions & 2 deletions rosa-demo-setup.md
@@ -112,9 +112,12 @@ S3_ROLE=$(aws iam create-role \


    `echo $S3_ROLE`
`echo $S3_ROLE`


    Attach the role
Attach the role

    Attach the role:
Attach the role:

    ```
```

    aws iam attach-role-policy \
aws iam attach-role-policy \

       --role-name "ROSADemoS3AccessRole" \
   --role-name "ROSADemoS3AccessRole" \

       --policy-arn $S3_CUSTOM_POLICY_ARN
   --policy-arn $S3_CUSTOM_POLICY_ARN

    ```
```

    ```
```


    Annotate your service account:
Annotate your service account:

    `oc annotate serviceaccount builder eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`
`oc annotate serviceaccount builder eks.amazonaws.com/role-arn=arn:aws:iam::$AWS_ACCOUNT_ID:role/ROSADemoS3AccessRole`

## 2 changes: 1 addition & 1 deletion rosa-demo-setup.md
@@ -92,7 +92,7 @@ cat <<EOF > /tmp/trustpolicy.json

       "Condition": {
   "Condition": {

         "StringEquals": {
     "StringEquals": {

           "${OIDC_PROVIDER}:sub": [
       "${OIDC_PROVIDER}:sub": [

             "system:serviceaccount:default:builder-s3-service-account"
         "system:serviceaccount:default:builder-s3-service-account"

             "system:serviceaccount:*:builder"
         "system:serviceaccount:*:builder"

           ]
       ]

         }
     }

       }
   }


## 4 changes: 1 addition & 3 deletions rosa-demo-setup.md
@@ -61,19 +61,17 @@ Get your AWS account info:


    Get your cluster OIDC info:
Get your cluster OIDC info:

    ```
```

    export OIDC_PROVIDER=$(oc get authentication.config.openshift.io cluster -o json | jq -r .spec.serviceAccountIssuer| sed -e "s/^https:\/\///")
export OIDC_PROVIDER=$(oc get authentication.config.openshift.io cluster -o json | jq -r .spec.serviceAccountIssuer| sed -e "s/^https:\/\///")

    export OIDC_PROVIDER=$(oc get authentication.config.openshift.io cluster -o json | jq -r .spec.serviceAccountIssuer | sed -e "s/^https:\/\///")
export OIDC_PROVIDER=$(oc get authentication.config.openshift.io cluster -o json | jq -r .spec.serviceAccountIssuer | sed -e "s/^https:\/\///")

    ```
```


    Create a new service account that will get this access:
Create a new service account that will get this access:

    ```
```

    cat <<EOF > /tmp/new-service-account.json
cat <<EOF > /tmp/new-service-account.json

    {
{

    apiVersion: v1
apiVersion: v1

    kind: ServiceAccount
kind: ServiceAccount

    metadata:
metadata:

      name: builder-s3-service-account
  name: builder-s3-service-account

      namespace: default
  namespace: default

    }
}

    EOF
EOF

    ```
```


## 2 changes: 1 addition & 1 deletion rosa-demo-setup.md
@@ -57,7 +57,7 @@ aws iam attach-role-policy \

    (ref: https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html)
(ref: https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html)


    Get your AWS account info:
Get your AWS account info:

    `export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)`
`export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)`

    ```export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)```
```export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)```


    Get your cluster OIDC info:
Get your cluster OIDC info:

    ```
```


## 117 changes: 116 additions & 1 deletion rosa-demo-setup.md
@@ -1,7 +1,122 @@

    # Setup temp AWS creds
# Setup temp AWS creds

    # Demo Setup
# Demo Setup


    ## Setup temp AWS creds
## Setup temp AWS creds

    `aws configure --profile rosa-demo`
`aws configure --profile rosa-demo`


    ....*answer questions*....
....*answer questions*....


    `export AWS_PROFILE=rosa-demo`
`export AWS_PROFILE=rosa-demo`


    ## Create a custom policy for S3 Access
## Create a custom policy for S3 Access

    `export S3_CUSTOM_BUCKET=sagemaker-us-east-1-546584748567`
`export S3_CUSTOM_BUCKET=sagemaker-us-east-1-546584748567`


    `export S3_FULL_POLICY_ARN=arn:aws:iam::aws:policy/AmazonS3FullAccess`
`export S3_FULL_POLICY_ARN=arn:aws:iam::aws:policy/AmazonS3FullAccess`


    ```
```

    cat <<EOF > /tmp/s3-policy.json
cat <<EOF > /tmp/s3-policy.json

    {
{

     "Version": "2012-10-17",
 "Version": "2012-10-17",

     "Statement": [
 "Statement": [

         {
     {

             "Sid": "Statement",
         "Sid": "Statement",

             "Effect": "Allow",
         "Effect": "Allow",

             "Action": [
         "Action": [

                 "s3:ListBucket",
             "s3:ListBucket",

                 "s3:GetObject"
             "s3:GetObject"

             ],
         ],

             "Resource": [
         "Resource": [

                 "arn:aws:s3:::$S3_CUSTOM_BUCKET/*",
             "arn:aws:s3:::$S3_CUSTOM_BUCKET/*",

                 "arn:aws:s3:::$S3_CUSTOM_BUCKET"
             "arn:aws:s3:::$S3_CUSTOM_BUCKET"

             ]
         ]

         }
     }

     ]
 ]

    }
}

    EOF
EOF

    ```
```


    ```
```

    S3_CUSTOM_POLICY_ARN=$(aws iam create-policy --policy-name ROSADemoS3Access \
S3_CUSTOM_POLICY_ARN=$(aws iam create-policy --policy-name ROSADemoS3Access \

       --policy-document file:///tmp/s3-policy.json \
   --policy-document file:///tmp/s3-policy.json \

       --query 'Policy.Arn' --output text)
   --query 'Policy.Arn' --output text)

     echo $S3_CUSTOM_POLICY_ARN
 echo $S3_CUSTOM_POLICY_ARN

    ```
```


    ## Attach a S3 access policy for all workers (option 1)
## Attach a S3 access policy for all workers (option 1)

    Find existing IAM roles for the cluster:
Find existing IAM roles for the cluster:

    aws iam list-roles | grep -iE "rosa|ManagedOpenShift"
aws iam list-roles | grep -iE "rosa|ManagedOpenShift"


    ....*find worker role here to use below*....
....*find worker role here to use below*....


    ```
```

    aws iam attach-role-policy \
aws iam attach-role-policy \

      --role-name rosa-5cznr-r9gqb-worker-role \
  --role-name rosa-5cznr-r9gqb-worker-role \

      --policy-arn $S3_CUSTOM_POLICY_ARN
  --policy-arn $S3_CUSTOM_POLICY_ARN

      ```
  ```


    ## Create a new role and ROSA service account (option 2)
## Create a new role and ROSA service account (option 2)

    (ref: https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html)
(ref: https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html)


    Get your AWS account info:
Get your AWS account info:

    `export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)`
`export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)`


    Get your cluster OIDC info:
Get your cluster OIDC info:

    ```
```

    export OIDC_PROVIDER=$(oc get authentication.config.openshift.io cluster -o json | jq -r .spec.serviceAccountIssuer| sed -e "s/^https:\/\///")
export OIDC_PROVIDER=$(oc get authentication.config.openshift.io cluster -o json | jq -r .spec.serviceAccountIssuer| sed -e "s/^https:\/\///")

    ```
```


    Create a new service account that will get this access:
Create a new service account that will get this access:

    ```
```

    cat <<EOF > /tmp/new-service-account.json
cat <<EOF > /tmp/new-service-account.json

    {
{

    apiVersion: v1
apiVersion: v1

    kind: ServiceAccount
kind: ServiceAccount

    metadata:
metadata:

      name: builder-s3-service-account
  name: builder-s3-service-account

      namespace: default
  namespace: default

    }
}

    EOF
EOF

    ```
```


    `oc apply -f /tmp/new-service-account.json`
`oc apply -f /tmp/new-service-account.json`


    The trust policy defines the rules around who can assume this new role:
The trust policy defines the rules around who can assume this new role:

    ```
```

    cat <<EOF > /tmp/trustpolicy.json
cat <<EOF > /tmp/trustpolicy.json

    {
{

      "Version": "2012-10-17",
  "Version": "2012-10-17",

      "Statement": [
  "Statement": [

     {
 {

       "Effect": "Allow",
   "Effect": "Allow",

       "Principal": {
   "Principal": {

         "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
     "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"

       },
   },

       "Action": "sts:AssumeRoleWithWebIdentity",
   "Action": "sts:AssumeRoleWithWebIdentity",

       "Condition": {
   "Condition": {

         "StringEquals": {
     "StringEquals": {

           "${OIDC_PROVIDER}:sub": [
       "${OIDC_PROVIDER}:sub": [

             "system:serviceaccount:default:builder-s3-service-account"
         "system:serviceaccount:default:builder-s3-service-account"

           ]
       ]

         }
     }

       }
   }

     }
 }

      ]
  ]

    }
}

    EOF
EOF

    ```
```


    Create the new role:
Create the new role:

    ```
```

    S3_ROLE=$(aws iam create-role \
S3_ROLE=$(aws iam create-role \

       --role-name "ROSADemoS3AccessRole" \
   --role-name "ROSADemoS3AccessRole" \

       --assume-role-policy-document file:///tmp/trustpolicy.json \
   --assume-role-policy-document file:///tmp/trustpolicy.json \

       --query "Role.Arn" --output text)
   --query "Role.Arn" --output text)

    ```
```


    `echo $S3_ROLE`
`echo $S3_ROLE`


    Attach the role
Attach the role

    ```
```

    aws iam attach-role-policy \
aws iam attach-role-policy \

       --role-name "ROSADemoS3AccessRole" \
   --role-name "ROSADemoS3AccessRole" \

       --policy-arn $S3_CUSTOM_POLICY_ARN
   --policy-arn $S3_CUSTOM_POLICY_ARN

    ```
```

## 6 changes: 0 additions & 6 deletions rosa-demo-setup
@@ -1,6 +0,0 @@

    # Setup temp AWS creds
# Setup temp AWS creds

    aws configure --profile rosa-demo
aws configure --profile rosa-demo


    **answer questions**
**answer questions**


    export AWS_PROFILE=rosa-demo
export AWS_PROFILE=rosa-demo


## 7 changes: 7 additions & 0 deletions rosa-demo-setup.md
@@ -0,0 +1,7 @@

    # Setup temp AWS creds
# Setup temp AWS creds

    `aws configure --profile rosa-demo`
`aws configure --profile rosa-demo`


    ....*answer questions*....
....*answer questions*....


    `export AWS_PROFILE=rosa-demo`
`export AWS_PROFILE=rosa-demo`


## 6 changes: 6 additions & 0 deletions rosa-demo-setup
@@ -0,0 +1,6 @@

    # Setup temp AWS creds
# Setup temp AWS creds

    aws configure --profile rosa-demo
aws configure --profile rosa-demo


    **answer questions**
**answer questions**


    export AWS_PROFILE=rosa-demo
export AWS_PROFILE=rosa-demo