AWS Connection Configuration

For this scenario to work, the following two conditions must be met:

  1. The OpeNgine operator (the person installing OpeNgine) is the owner of the AWS account or has administrative privileges in it.

  2. The OpeNgine programmatic access user can be granted all of the IAM policies listed below (no service control policy or permissions boundary prevents attaching them).

Step 1. Create the programmatic access user.

  • Sign in to https://console.aws.amazon.com with your user account.

  • Note down your AWS Account Id (Account -> My account -> Account Id)

  • Select your Region and note down its region id (for example us-east-1)

  • Create the programmatic access user and group, either using this instruction or with the following commands, and note down the AccessKeyId and SecretAccessKey from the output of the last command (the secret is shown only once and cannot be retrieved later)

aws iam create-user --user-name OpeNgineSA --tags Key=Name,Value=OpeNgine
aws iam create-group --group-name OpeNgineSAGroup
aws iam add-user-to-group --user-name OpeNgineSA --group-name OpeNgineSAGroup
aws iam create-access-key --user-name OpeNgineSA

Step 2. Grant the user all needed permissions

  • Create a file named policy with the following content (EKS administrator permissions)

    {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": "eks:*",
              "Resource": "*"
          }
      ]
    }
    
  • Create the policy with EKS admin permissions

    aws iam create-policy --policy-name OpeNgineEKSAdmin --policy-document file://policy
    
  • Attach the policy to the OpeNgineSAGroup group, replacing Arn-value-from-last-command with the Arn field printed by create-policy

    aws iam attach-group-policy --policy-arn Arn-value-from-last-command --group-name OpeNgineSAGroup
    
  • Create the file kms-policy for the KMS policy

    cat > kms-policy <<EOF
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:CreateAlias",
                    "kms:CreateKey",
                    "kms:DeleteAlias",
                    "kms:Describe*",
                    "kms:GenerateRandom",
                    "kms:Get*",
                    "kms:List*",
                    "kms:TagResource",
                    "kms:UntagResource",
                    "kms:UpdateKeyDescription",
                    "kms:CreateGrant",
                    "kms:RevokeGrant",
                    "kms:ScheduleKeyDeletion"
                ],
                "Resource": "*"
            }
        ]
    }
    EOF
    
  • Create the KMS policy

    aws iam create-policy --policy-name OpeNgineKMSAdmin --policy-document file://kms-policy
    
  • Attach the policy to the OpeNgineSAGroup group, again using the Arn printed by the previous create-policy command

    aws iam attach-group-policy --policy-arn Arn-value-from-last-command --group-name OpeNgineSAGroup
    
  • Attach the remaining AWS managed policies to the OpeNgineSAGroup group. Note that these grant full S3, VPC and EC2 access on every resource, so treat this user's access key as administrator-equivalent: store it only where the provisioning runs and delete it when OpeNgine no longer needs it. AWSKeyManagementServicePowerUser largely overlaps with OpeNgineKMSAdmin; the custom policy is what adds kms:CreateGrant, kms:RevokeGrant and kms:ScheduleKeyDeletion.

    aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess --group-name OpeNgineSAGroup
    aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AmazonVPCFullAccess --group-name OpeNgineSAGroup
    aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess --group-name OpeNgineSAGroup
    aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser --group-name OpeNgineSAGroup
    

Step 3. Set up the environment for OpeNgine provisioning

  • Configure the AWS CLI with the newly created user, using the AccessKeyId and SecretAccessKey from Step 1

    aws configure
    
  • Export the environment variables using the AWS Account Id, AWS Region, AccessKeyId and SecretAccessKey from Step 1. These variables take precedence over the credentials written by aws configure. Prefer sourcing them from a file with restrictive permissions rather than typing the secret on the command line, so it does not end up in shell history.

    export AWS_ACCESS_KEY_ID="AccessKeyId"
    export AWS_SECRET_ACCESS_KEY="SecretAccessKey"
    export AWS_ACCOUNT_ID="AWS account ID"
    export AWS_DEFAULT_REGION="AWS region"
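
The three steps above, carried out by a single script. This is an added example, not OpeNgine's own tooling: it writes the two policy documents from this page to disk, captures each policy ARN with --query instead of copying "Arn-value-from-last-command" by hand, tolerates a re-run when a policy already exists, checks what ended up attached to the group, and writes the Step 3 exports to a 0600 file instead of printing the secret. It assumes AWS CLI v2 is installed and that the shell already holds the operator's administrator credentials; the variable names OPENGINE_USER, OPENGINE_GROUP and OPENGINE_WORKDIR and the file name opengine.env are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of OpeNgine): Steps 1 to 3 of the AWS connection setup.
# Assumes AWS CLI v2 and administrator credentials in the current shell.
# Run with:  bash opengine-aws-setup.sh --apply
set -eu

USER_NAME="${OPENGINE_USER:-OpeNgineSA}"        # names as used on this page
GROUP_NAME="${OPENGINE_GROUP:-OpeNgineSAGroup}"
WORKDIR="${OPENGINE_WORKDIR:-$(mktemp -d)}"     # policy JSON and the env file land here

# Write the two customer-managed policy documents from this page to disk.
write_policy_files() {
  cat > "$WORKDIR/eks-policy.json" <<'EOF'
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Action": "eks:*", "Resource": "*" } ] }
EOF
  cat > "$WORKDIR/kms-policy.json" <<'EOF'
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow",
      "Action": [ "kms:CreateAlias", "kms:CreateKey", "kms:DeleteAlias", "kms:Describe*",
                  "kms:GenerateRandom", "kms:Get*", "kms:List*", "kms:TagResource",
                  "kms:UntagResource", "kms:UpdateKeyDescription", "kms:CreateGrant",
                  "kms:RevokeGrant", "kms:ScheduleKeyDeletion" ],
      "Resource": "*" } ] }
EOF
}

# Create a customer-managed policy and print its ARN. On a re-run create-policy
# fails with EntityAlreadyExists, so fall back to looking the ARN up by name.
create_managed_policy() {
  name="$1"; file="$2"
  aws iam create-policy --policy-name "$name" --policy-document "file://$file" \
      --query Policy.Arn --output text 2>/dev/null \
  || aws iam list-policies --scope Local \
      --query "Policies[?PolicyName=='$name'].Arn" --output text
}

# Attach every policy ARN given after the group name.
attach_group_policies() {
  group="$1"; shift
  for arn in "$@"; do
    aws iam attach-group-policy --policy-arn "$arn" --group-name "$group"
  done
}

# Names of the policies now attached to the group, space separated, so the result
# can be compared with what was requested.
attached_policy_names() {
  aws iam list-attached-group-policies --group-name "$1" \
      --query 'AttachedPolicies[].PolicyName' --output text | tr '\t' ' '
}

# Create the access key once and write the Step 3 exports to a 0600 file, so the
# secret is neither echoed to the terminal nor typed into shell history.
write_env_file() {
  user="$1"; out="$WORKDIR/opengine.env"
  account="$(aws sts get-caller-identity --query Account --output text)"
  region="${AWS_DEFAULT_REGION:-$(aws configure get region)}"
  # text output of a list projection is tab separated: AccessKeyId<TAB>SecretAccessKey
  set -- $(aws iam create-access-key --user-name "$user" \
             --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)
  ( umask 077
    {
      echo "export AWS_ACCESS_KEY_ID=\"$1\""
      echo "export AWS_SECRET_ACCESS_KEY=\"$2\""
      echo "export AWS_ACCOUNT_ID=\"$account\""
      echo "export AWS_DEFAULT_REGION=\"$region\""
    } > "$out" )
  echo "$out"
}

main() {
  write_policy_files
  aws iam create-user --user-name "$USER_NAME" --tags Key=Name,Value=OpeNgine
  aws iam create-group --group-name "$GROUP_NAME"
  aws iam add-user-to-group --user-name "$USER_NAME" --group-name "$GROUP_NAME"
  eks_arn="$(create_managed_policy OpeNgineEKSAdmin "$WORKDIR/eks-policy.json")"
  kms_arn="$(create_managed_policy OpeNgineKMSAdmin "$WORKDIR/kms-policy.json")"
  attach_group_policies "$GROUP_NAME" "$eks_arn" "$kms_arn" \
      arn:aws:iam::aws:policy/AmazonS3FullAccess \
      arn:aws:iam::aws:policy/AmazonVPCFullAccess \
      arn:aws:iam::aws:policy/AmazonEC2FullAccess \
      arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser
  echo "attached to $GROUP_NAME: $(attached_policy_names "$GROUP_NAME")"
  echo "now run:  source $(write_env_file "$USER_NAME")"
}

if [ "${1:-}" = "--apply" ]; then
  main
fi
```

After `source`-ing the generated file the exports from Step 3 are in place; delete the file once provisioning is finished, since it holds the secret in clear text.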