feat: (PSKD-904) Support credentials when assuming an IAM role #319
Conversation
Signed-off-by: David.Houck <[email protected]>
Signed-off-by: David.Houck <[email protected]>
Signed-off-by: David.Houck <[email protected]>
| @@ -266,6 +266,8 @@ Custom policy: | |||
| | autoscaling_enabled | Enable cluster autoscaling | bool | true | | | |||
| | ssh_public_key | File name of public ssh key for jump and nfs VM | string | "~/.ssh/id_rsa.pub" | Required with `create_jump_vm=true` or `storage_type=standard` | | |||
| | cluster_api_mode | Public or private IP for the cluster api| string|"public"|Valid Values: "public", "private" | | |||
| | authentication_mode | The authentication mode for the EKS cluster.| string|"API_AND_CONFIG_MAP"| Valid values are CONFIG_MAP, API or API_AND_CONFIG_MAP | | |||
| | access_entry_role_arns | Create an EKS access entry associated with the AmazonEKSClusterAdminPolicy for each existing IAM role ARN specified in this list. | list of strings | | **Note:** The assumed-role used to authenticate to Terraform should not be included this list. The format role ARNs take is: "arn:aws:iam::<Subscription_ID>:role/<rolename>"| | |||
There was a problem hiding this comment.
< Above, in the IAM section, we have a first reference to the abbreviation "ARN." It needs to be expanded there, so please make this change:
from cluster_iam_role_arn | ARN of the pre-existing IAM role for the EKS cluster
to: cluster_iam_role_arn | Amazon Resource Name (ARN) of the pre-existing IAM role for the EKS cluster >
There was a problem hiding this comment.
applied, the upcoming commit will contain the update for your review
| @@ -266,6 +266,8 @@ Custom policy: | |||
| | autoscaling_enabled | Enable cluster autoscaling | bool | true | | | |||
| | ssh_public_key | File name of public ssh key for jump and nfs VM | string | "~/.ssh/id_rsa.pub" | Required with `create_jump_vm=true` or `storage_type=standard` | | |||
| | cluster_api_mode | Public or private IP for the cluster api| string|"public"|Valid Values: "public", "private" | | |||
| | authentication_mode | The authentication mode for the EKS cluster.| string|"API_AND_CONFIG_MAP"| Valid values are CONFIG_MAP, API or API_AND_CONFIG_MAP | | |||
| | access_entry_role_arns | Create an EKS access entry associated with the AmazonEKSClusterAdminPolicy for each existing IAM role ARN specified in this list. | list of strings | | **Note:** The assumed-role used to authenticate to Terraform should not be included this list. The format role ARNs take is: "arn:aws:iam::<Subscription_ID>:role/<rolename>"| | |||
There was a problem hiding this comment.
... for each of the existing IAM role ARNs that are included in this list.
...
Note: Do not include the assumed-role that is used to authenticate to Terraform in this list. The format for role ARNs resembles the following example: "arn:aws:iam::<Subscription_ID>:role/"
There was a problem hiding this comment.
each suggestion applied, the upcoming commit will contain the update for your review
| @@ -1,8 +1,8 @@ | |||
| # Authenticating Terraform to Access AWS | |||
|
|
|||
| In order to create and destroy AWS resources on your behalf, Terraform needs a AWS account that has sufficient permissions to perform all the actions defined in the Terraform manifest. You will need an AWS account IAM user that has at a minimum the permissions listed in [this policy](../../files/policies/devops-iac-eks-policy.json). | |||
| In order to create and destroy AWS resources on your behalf, Terraform needs to authenticate with credentials associated with an AWS account IAM user or credentials generated by assuming an IAM role that has sufficient permissions to perform all the actions defined in the Terraform manifest. You will need either an AWS account IAM user or an AWS IAM role that has at a minimum the permissions listed in [this policy](../../files/policies/devops-iac-eks-policy.json). | |||
There was a problem hiding this comment.
In order to create and destroy AWS resources on your behalf, Terraform needs credentials that enable it to authenticate to AWS. Two types of credentials are acceptable:
- Credentials that are associated with an AWS IAM user account, or
- Credentials that are generated by assuming an IAM role that has sufficient permissions to perform all the actions that are defined in the Terraform manifest.
You will need either an AWS IAM user account or an AWS IAM role that has at a minimum the permissions listed in this policy.
There was a problem hiding this comment.
suggestions applied, the upcoming commit will contain the updates for your review
| @@ -28,7 +28,9 @@ TF_VAR_aws_secret_access_key=<your_aws_secret_access_key> | |||
| TF_VAR_aws_session_token=<your_aws_session_token> | |||
| ``` | |||
|
|
|||
| > **NOTE** `AWS_SESSION_TOKEN` is optional and is only required when using you are using temporary AWS credentials. See the [AWS documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) on environment variables for more information. | |||
| > **NOTE** `AWS_SESSION_TOKEN` is optional and is only required when you are using temporary AWS credentials like those you would generate when assuming an IAM role. See the [AWS documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) on environment variables for more information. | |||
There was a problem hiding this comment.
temporary AWS credentials. For example, you might generate temporary AWS credentials when assuming an IAM role.
There was a problem hiding this comment.
applied, upcoming commit will contain the updates for your review
| > **NOTE** `AWS_SESSION_TOKEN` is optional and is only required when using you are using temporary AWS credentials. See the [AWS documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) on environment variables for more information. | ||
| > **NOTE** `AWS_SESSION_TOKEN` is optional and is only required when you are using temporary AWS credentials like those you would generate when assuming an IAM role. See the [AWS documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) on environment variables for more information. | ||
|
|
||
| See [AWS IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) for more information about temporary credentials when using an assumed role. In order for an IAM user to be able to assume a role, a trust relationship for that user needs to be created within the role, see [granting AssumeRole permission for a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html) for more information. |
There was a problem hiding this comment.
a trust relationship for that user must be created within the role. For more information, see granting AssumeRole permission for a role.
There was a problem hiding this comment.
applied, upcoming commit will contain the updates for your review
Changes
authentication_modeas a General configuration variableaccess_entry_role_arnsas a General configuration variable. Add behavior to create an admin level EKS access entry for each role ARN specified in this list of strings.