AWS Connection Configuration¶
For this scenario to work, the following two conditions must be met:
The OpeNgine operator (the person performing the OpeNgine installation) is the owner of the AWS account or has administrative privileges in that account.
The OpeNgine programmatic access user can be assigned all of the required roles.
Step 1. Configure programmatic access user.¶
Sign in to https://console.aws.amazon.com with your user account.
Note down your AWS Account Id (Account -> My account -> Account Id)
Select your Region and note down the region id.
Create the programmatic access user and group using the AWS instructions or the following commands; note down the AccessKeyId and SecretAccessKey from the output of the last command.
aws iam create-user --user-name OpeNgineSA --tags Key=Name,Value=OpeNgine
aws iam create-group --group-name OpeNgineSAGroup
aws iam add-user-to-group --user-name OpeNgineSA --group-name OpeNgineSAGroup
aws iam create-access-key --user-name OpeNgineSA
Step 2. Grant all needed permissions to the user¶
Create a file named policy with the following content
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "eks:*",
      "Resource": "*"
    }
  ]
}
Create the policy with EKS admin permissions
aws iam create-policy --policy-name OpeNgineEKSAdmin --policy-document file://policy
Attach the policy to the OpeNgineSAGroup group
aws iam attach-group-policy --policy-arn Arn-value-from-last-command --group-name OpeNgineSAGroup
Create a file for the KMS policy
cat > kms-policy <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateAlias",
        "kms:CreateKey",
        "kms:DeleteAlias",
        "kms:Describe*",
        "kms:GenerateRandom",
        "kms:Get*",
        "kms:List*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:UpdateKeyDescription",
        "kms:CreateGrant",
        "kms:RevokeGrant",
        "kms:ScheduleKeyDeletion"
      ],
      "Resource": "*"
    }
  ]
}
EOF
Create the KMS policy
aws iam create-policy --policy-name OpeNgineKMSAdmin --policy-document file://kms-policy
Attach the policy to the OpeNgineSAGroup group
aws iam attach-group-policy --policy-arn Arn-value-from-last-command --group-name OpeNgineSAGroup
Attach the remaining required policies to the OpeNgineSAGroup group
aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess --group-name OpeNgineSAGroup
aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AmazonVPCFullAccess --group-name OpeNgineSAGroup
aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess --group-name OpeNgineSAGroup
aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser --group-name OpeNgineSAGroup
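The script below is an added example, not OpeNgine's own code, that runs Steps 1 and 2 end to end: it writes the two policy documents from this page to files, captures each policy ARN with `--query Policy.Arn --output text` instead of copying "Arn-value-from-last-command" by hand, attaches the managed policies in a loop, and then checks that the group really carries every expected policy before the access key is created. It assumes the AWS CLI is configured for the operator's administrative identity; the OPENGINE_APPLY and OPENGINE_USER variables and the function names are this example's own.

```shell
#!/usr/bin/env sh
# Added example (not OpeNgine project code): Steps 1 and 2 as one script.
# Assumes the AWS CLI runs as the operator (administrator) and that the
# user, group and policy names match the page.
set -eu

USER_NAME="${OPENGINE_USER:-OpeNgineSA}"
GROUP_NAME="${OPENGINE_GROUP:-OpeNgineSAGroup}"

# AWS-managed policies the page attaches, by name; ARNs are derived below.
MANAGED_POLICIES="AmazonS3FullAccess AmazonVPCFullAccess AmazonEC2FullAccess AWSKeyManagementServicePowerUser"

# Build the ARN of an AWS-managed policy from its name.
managed_policy_arn() {
    printf 'arn:aws:iam::aws:policy/%s\n' "$1"
}

# Write the two customer-managed policy documents from the page into DIR.
write_policy_files() {
    dir="$1"
    cat > "$dir/eks-policy.json" <<'EOF'
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Action": "eks:*", "Resource": "*" } ] }
EOF
    cat > "$dir/kms-policy.json" <<'EOF'
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow",
    "Action": [ "kms:CreateAlias", "kms:CreateKey", "kms:DeleteAlias",
      "kms:Describe*", "kms:GenerateRandom", "kms:Get*", "kms:List*",
      "kms:TagResource", "kms:UntagResource", "kms:UpdateKeyDescription",
      "kms:CreateGrant", "kms:RevokeGrant", "kms:ScheduleKeyDeletion" ],
    "Resource": "*" } ] }
EOF
}

# Print, one per line, every name in EXPECTED (space separated) that is not
# in ATTACHED (whitespace separated). Pure string work, testable without AWS.
missing_policies() {
    expected="$1"
    attached="$2"
    for name in $expected; do
        found=0
        for have in $attached; do
            [ "$name" = "$have" ] && found=1
        done
        [ "$found" -eq 1 ] || printf '%s\n' "$name"
    done
}

# Live steps; only run with OPENGINE_APPLY=1 so sourcing this file is harmless.
provision() {
    workdir=$(mktemp -d)
    write_policy_files "$workdir"
    aws iam create-user --user-name "$USER_NAME" --tags Key=Name,Value=OpeNgine
    aws iam create-group --group-name "$GROUP_NAME"
    aws iam add-user-to-group --user-name "$USER_NAME" --group-name "$GROUP_NAME"
    # Capture the ARNs directly instead of copying them from the output.
    eks_arn=$(aws iam create-policy --policy-name OpeNgineEKSAdmin \
        --policy-document "file://$workdir/eks-policy.json" \
        --query Policy.Arn --output text)
    kms_arn=$(aws iam create-policy --policy-name OpeNgineKMSAdmin \
        --policy-document "file://$workdir/kms-policy.json" \
        --query Policy.Arn --output text)
    aws iam attach-group-policy --policy-arn "$eks_arn" --group-name "$GROUP_NAME"
    aws iam attach-group-policy --policy-arn "$kms_arn" --group-name "$GROUP_NAME"
    for name in $MANAGED_POLICIES; do
        aws iam attach-group-policy --policy-arn "$(managed_policy_arn "$name")" \
            --group-name "$GROUP_NAME"
    done
    # Verification: every expected policy must now be attached to the group.
    attached=$(aws iam list-attached-group-policies --group-name "$GROUP_NAME" \
        --query 'AttachedPolicies[].PolicyName' --output text)
    missing=$(missing_policies "OpeNgineEKSAdmin OpeNgineKMSAdmin $MANAGED_POLICIES" "$attached")
    if [ -n "$missing" ]; then
        echo "policies missing on $GROUP_NAME: $missing" >&2
        return 1
    fi
    # Create the access key last: this output is the only place the secret appears.
    aws iam create-access-key --user-name "$USER_NAME"
}

if [ "${OPENGINE_APPLY:-0}" = "1" ]; then
    provision
fi
```

Run it as `OPENGINE_APPLY=1 sh provision-opengine-iam.sh` with the operator's credentials active. The policies this page attaches grant wildcard actions on all resources of several services, so treat the AccessKeyId and SecretAccessKey printed by the final command as a privileged credential and store them only where the provisioning run needs them.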
Step 3. Set up the environment for OpeNgine provisioning¶
Configure the AWS CLI with the newly created user, using the AccessKeyId and SecretAccessKey from Step 1
aws configure
Export environment variables using the AWS Account Id, AWS Region, AccessKeyId and SecretAccessKey from Step 1
export AWS_ACCESS_KEY_ID="AccessKeyId"
export AWS_SECRET_ACCESS_KEY="SecretAccessKey"
export AWS_ACCOUNT_ID="AWS account ID"
export AWS_DEFAULT_REGION="AWS region"
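Because the exported variables take precedence over the profile written by `aws configure`, a leftover placeholder such as "AWS account ID" or a key pair copied from the wrong account is only noticed once provisioning fails partway through. The following is an added example, not OpeNgine's own code, that validates the four variables from this step and then confirms with `aws sts get-caller-identity` that the exported keys belong to the expected account and to the programmatic user. The OPENGINE_CHECK and OPENGINE_USER variables and the function names are this example's own; the live check assumes the AWS CLI is installed.

```shell
#!/usr/bin/env sh
# Added example (not OpeNgine project code): check the Step 3 environment
# before provisioning. The validators need only sh; check_identity needs the AWS CLI.
set -eu

# An AWS account ID is exactly twelve decimal digits.
is_account_id() {
    case "$1" in
        ????????????) [ -z "$(printf '%s' "$1" | tr -d '0-9')" ] ;;
        *) return 1 ;;
    esac
}

# Region ids look like eu-central-1 or us-east-1: letters, dashes, a trailing number.
is_region() {
    printf '%s' "$1" | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]+$'
}

# Check the four variables the page exports. Reports every problem; returns 1 if any.
check_env() {
    ok=0
    [ -n "${AWS_ACCESS_KEY_ID:-}" ] || { echo "AWS_ACCESS_KEY_ID is not set" >&2; ok=1; }
    [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] || { echo "AWS_SECRET_ACCESS_KEY is not set" >&2; ok=1; }
    is_account_id "${AWS_ACCOUNT_ID:-}" \
        || { echo "AWS_ACCOUNT_ID must be 12 digits, got '${AWS_ACCOUNT_ID:-}'" >&2; ok=1; }
    is_region "${AWS_DEFAULT_REGION:-}" \
        || { echo "AWS_DEFAULT_REGION is not a region id: '${AWS_DEFAULT_REGION:-}'" >&2; ok=1; }
    return "$ok"
}

# Live check: the exported key pair must belong to AWS_ACCOUNT_ID and to the
# programmatic user; otherwise provisioning would run against the wrong identity.
check_identity() {
    account=$(aws sts get-caller-identity --query Account --output text)
    arn=$(aws sts get-caller-identity --query Arn --output text)
    [ "$account" = "$AWS_ACCOUNT_ID" ] \
        || { echo "keys belong to account $account, expected $AWS_ACCOUNT_ID" >&2; return 1; }
    case "$arn" in
        *:user/"${OPENGINE_USER:-OpeNgineSA}") ;;
        *) echo "keys belong to $arn, not the OpeNgine programmatic user" >&2; return 1 ;;
    esac
}

if [ "${OPENGINE_CHECK:-0}" = "1" ]; then
    check_env && check_identity && echo "environment OK"
fi
```

Run it as `OPENGINE_CHECK=1 sh check-opengine-env.sh` in the shell where the variables were exported; a non-zero exit means something in the environment needs fixing before provisioning starts.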