Adding docs for AWS IRSA (#1190)
* adding doc for aws irsa

Signed-off-by: Vishwanath Hiremath <[email protected]>

* addressing comments

Signed-off-by: Vishwanath Hiremath <[email protected]>

* fixing checks issues

Signed-off-by: Vishwanath Hiremath <[email protected]>

* fix the checks

Signed-off-by: Vishwanath Hiremath <[email protected]>

* fix shortcodes

Signed-off-by: Vishwanath Hiremath <[email protected]>

* fix path

Signed-off-by: Vishwanath Hiremath <[email protected]>

* adding new word to dict

Signed-off-by: Vishwanath Hiremath <[email protected]>

* addressing comments

Signed-off-by: Vishwanath Hiremath <[email protected]>

* Apply suggestions from code review

Signed-off-by: Reshma Abdul Rahim <[email protected]>

---------

Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Reshma Abdul Rahim <[email protected]>
Co-authored-by: Reshma Abdul Rahim <[email protected]>
vishwahiremat and Reshrahim authored Aug 15, 2024
1 parent 081669f commit 8e5cfd1
Showing 7 changed files with 148 additions and 5 deletions.
1 change: 1 addition & 0 deletions .github/config/en-custom.txt
Expand Up @@ -1263,6 +1263,7 @@ SecretReference
ProviderConfigPropertiesSecrets
upstreamed
irsa
roleARN
bicepconfig
Bicepconfig
postgres
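Review bot: `roleARN` is being added to the spelling dictionary only because the new IRSA page writes it as one camel-case word in running prose ("Radius will use the provided roleARN ..."); prefer "role ARN" as two words in sentence text and keep `irsa`/`roleARN` in the dictionary for identifier-style uses, so the custom dictionary does not accumulate tokens that are really typos in prose.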
Expand Up @@ -49,7 +49,7 @@ Follow the prompts to install the [control plane services]({{< ref "/concepts/te
- **Namespace** - When an application is deployed, this is the namespace where your containers and other Kubernetes resources will be run. By default, this will be in the `default` namespace.
{{% alert title="💡 About namespaces" color="success" %}} When you initialize a Radius Kubernetes environment, Radius installs the control plane resources within the `radius-system` namespace in your cluster, separate from your applications. The namespace specified in this step will be used for your application deployments.
{{% /alert %}}
- **Add AWS provider** - An [AWS cloud provider]({{< ref "/guides/operations/providers/aws-provider" >}}) allows you to deploy and manage AWS resources as part of your application. Follow the how-to guides to [configure the AWS provider]({{< ref "/guides/operations/providers/aws-provider/howto-aws-provider" >}}) with the preferred identity.
- **Add AWS provider** - An [AWS cloud provider]({{< ref "/guides/operations/providers/aws-provider" >}}) allows you to deploy and manage AWS resources as part of your application. Follow the how-to guides to [configure the AWS provider]({{< ref "/guides/operations/providers/aws-provider/howto-aws-provider-access-key" >}}) with the preferred identity.
- **Environment name** - The name of the environment to create. You can specify any name with lowercase letters, such as `myawsenv`.

Select 'No' when asked to setup application in the current directory.
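Review bot: with this commit there are now two AWS how-tos (access key and IRSA), but the sentence "Follow the how-to guides to configure the AWS provider with the preferred identity" links only to `howto-aws-provider-access-key`, so a reader who wants IRSA is steered to the long-lived-credential option. Either link both guides here, or point the link at the `/guides/operations/providers/aws-provider` overview page (already linked earlier in the same bullet) where both identity options are listed.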
Expand Up @@ -3,7 +3,7 @@ type: docs
title: "How-To: Configure the AWS cloud provider with IAM Access key"
linkTitle: "AWS provider with IAM Access key"
description: "Learn how to configure the AWS provider with IAM Access key for your Radius Environment"
weight: 300
weight: 100
categories: "How-To"
tags: ["AWS"]
---
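Review bot: lowering `weight` from 300 to 100 sorts the access-key page ahead of the new IRSA page (which this commit gives weight 200). Since IRSA avoids storing a long-lived IAM access key and secret in the cluster, consider giving the IRSA page the lower weight so the short-lived-credential option is listed first; if the access-key page is intentionally first, a one-line pointer to the IRSA guide on the overview page would help readers pick the safer option.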
Expand All @@ -16,6 +16,7 @@ The AWS provider allows you to deploy and connect to AWS resources from a Radius
## Prerequisites

- [AWS account](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account) and an [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html)
- [Setup AWS CLI with your AWS credentials. ](https://docs.aws.amazon.com/cli/latest/reference/configure/)
- [rad CLI]({{< ref "installation#step-1-install-the-rad-cli" >}})

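Review bot: the new prerequisite line has a stray space inside the link text (`credentials. ]`), which renders as a trailing space in the link, and "Setup" used as a verb should be "Set up". Suggest `- [Set up the AWS CLI with your AWS credentials](https://docs.aws.amazon.com/cli/latest/reference/configure/)`.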
## Interactive configuration
Expand All @@ -28,7 +29,11 @@ The AWS provider allows you to deploy and connect to AWS resources from a Radius

1. Follow the prompts, specifying:
- **Namespace** - The Kubernetes namespace where your application containers and networking resources will be deployed (different than the Radius control-plane namespace, `radius-system`).
- **Add an AWS provider** - Enter your IAM access key and secret key and pick a region to deploy your AWS resources to.
- **Add an AWS provider**
1. Select the "Access Key" option
2. Enter IAM access key and secret key.
3. Confirm the AWS account ID or provide the account ID you would like to use.
4. Select a region to deploy your AWS resources to.
- **Environment name** - The name of the environment to create.

You should see the following output:
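Review bot: the new nested steps under **Add an AWS provider** are a numbered list inside a bullet inside a numbered list; Hugo's Markdown renderer needs the nested list indented under the bullet's content (four spaces) or it renders as a flat list, so check the rendered page. Step 2 reads "Enter IAM access key and secret key."; suggest "Enter your IAM access key ID and secret access key." to match the `--access-key-id` / `--secret-access-key` flag names used in the manual-configuration section below.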
Expand Down Expand Up @@ -62,7 +67,7 @@ The AWS provider allows you to deploy and connect to AWS resources from a Radius
1. Add your AWS cloud provider credentials:
```bash
rad credential register aws --access-key-id myAccessKeyId --secret-access-key mySecretAccessKey
rad credential register aws access-key --access-key-id myAccessKeyId --secret-access-key mySecretAccessKey
```
For more information on the command arguments visit [`rad credential register aws`]({{< ref rad_credential_register_aws >}})
For more information on the command arguments visit [`rad credential register aws access-key`]({{< ref rad_credential_register_aws_access-key >}})
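Review bot: the new ref `rad_credential_register_aws_access-key` mixes underscores with a hyphen in the last segment, whereas the IRSA page added in this same commit references `rad_credential_register_aws_irsa`; confirm the generated CLI reference page is actually named `rad_credential_register_aws_access-key.md`, because a Hugo `ref` to a missing page fails the build or renders an empty link depending on the site's `refLinksErrorLevel`. The command rename to `rad credential register aws access-key` itself matches the new subcommand structure.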
@@ -0,0 +1,137 @@
---
type: docs
title: "How-To: Configure the AWS cloud provider with IAM Roles for Service Accounts (IRSA)"
linkTitle: "AWS provider with IRSA"
description: "Learn how to configure the AWS provider with IAM Roles for Service Accounts(IRSA) for your Radius Environment"
weight: 200
categories: "How-To"
tags: ["AWS"]
---

The AWS provider allows you to deploy and connect to AWS resources from a Radius Environment on an EKS cluster. It can be configured:

- [Interactively via `rad init`](#interactive-configuration)
- [Manually via `rad env update` and `rad credential register`](#manual-configuration)

## Prerequisites

- [AWS account](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account) and an [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html)
- [Setup AWS CLI with your AWS credentials. ](https://docs.aws.amazon.com/cli/latest/reference/configure/)
- [rad CLI]({{< ref "installation#step-1-install-the-rad-cli" >}})
- [Setup a supported Kubernetes cluster]({{< ref "/guides/operations/kubernetes/overview#supported-clusters" >}})
- You will need the cluster's OIDC Issuer URL. [EKS Example](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html)
- [Create an IAM Policy] (https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html)


## Setup the AWS IAM Roles for Service Accounts(IRSA) for Radius

To authorize Radius to connect to AWS using AWS IAM Roles for Service Accounts(IRSA), you should assign IAM roles to Kubernetes service accounts.
To associate an IAM role with a Kubernetes service account Create an IAM role and associate it with a Kubernetes service account.
- Go to Identity and Access Management (IAM) on AWS portal and create a new role.
{{< image src="./create-role.png" width=500 alt="Screenshot of Create Role page in AWS portal" >}}
- Select `Trusted entity type` as `Web Identity` and `Identity Provider` as the cluster OIDC url.
{{< image src="./select-trust-entity.png" width=500 alt="Screenshot of options to pass while selecting trust entity." >}}
- Select the created IAM policy to attach to your new role.
- Add `Role Name` and create role using the default trust policy.
- Update the Trust Policy to match to the below format.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<account-id>:oidc-provider/<oidc-url>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"<oidc-url>:aud": "sts.amazonaws.com",
"<oidc-url>:sub": "system:serviceaccount:radius-system:ucp"
}
}
},
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<account-id>:oidc-provider/<oidc-url>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"<oidc-url>:aud": "sts.amazonaws.com",
"<oidc-url>:sub": "system:serviceaccount:radius-system:applications-rp"
}
}
}
]
}
```
Now that the setup is complete, you can install Radius with AWS IRSA enabled.
## Interactive configuration
1. Initialize a new environment with [`rad init --full`]({{< ref rad_init >}}):
```bash
rad init --full
```

1. Follow the prompts, specifying:
- **Namespace** - The Kubernetes namespace where your application containers and networking resources will be deployed (different than the Radius control-plane namespace, `radius-system`)
- **Add an AWS provider**
1. Select the "IRSA" option
2. Enter IAM Role ARN.
Find the ARN from the role created in the setup step.
{{< image src="./get-role-arn.png" width=500 alt="Screenshot of role details to get role ARN." >}}
3. Confirm the AWS account ID or provide the account ID you would like to use.
4. Select a region to deploy your AWS resources to.
- **Environment name** - The name of the environment to create

You should see the following output:

```
Initializing Radius. This may take a minute or two...
✅ Install Radius {{< param version >}}
- Kubernetes cluster: k3d-k3s-default
- Kubernetes namespace: radius-system
- AWS credential: IRSA
- IAM Role ARN: arn:aws:iam::myAccountID:role/radius-role-new
✅ Create new environment default
- Kubernetes namespace: default
- AWS: account myAccountID and region us-east-2
✅ Update local configuration
Initialization complete! Have a RAD time 😎
```
## Manual configuration
1. Use [`rad install kubernetes`]({{< ref rad_install_kubernetes >}}) to install Radius with AWS AWS IAM Roles for Service Accounts(IRSA) enabled:
```bash
rad install kubernetes --set global.aws.irsa.enabled=true
```
1. Create your resource group and environment:
```bash
rad group create default
rad env create default
```
1. Use [`rad env update`]({{< ref rad_env_update >}}) to update your Radius Environment with your your AWS region and AWS account ID:
```bash
rad env update myEnvironment --aws-region myAwsRegion --aws-account-id myAwsAccountId
```
1. Use [`rad credential register aws irsa`]({{< ref rad_credential_register_aws_irsa >}}) to add the AWS IRSA credentials:
```bash
rad credential register aws irsa --iam-role myRoleARN
```
Radius will use the provided roleARN for all interactions with AWS, including Bicep and Recipe deployments.
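Review bot: the manual-configuration steps create the environment as `default` (`rad env create default`) but then update `myEnvironment` (`rad env update myEnvironment --aws-region myAwsRegion --aws-account-id myAwsAccountId`); use the same environment name in both commands so the sequence can be followed verbatim. Other things to fix in this file: the prerequisite `[Create an IAM Policy] (https://...)` has a space between `]` and `(`, which breaks the Markdown link; "AWS AWS IAM Roles" and "your your AWS region" are doubled words; the trust-policy fence has no language tag (use ```json); and the two trust-policy statements differ only in the `:sub` value, so they can be a single statement with `"<oidc-url>:sub": ["system:serviceaccount:radius-system:ucp", "system:serviceaccount:radius-system:applications-rp"]`, which is shorter and easier to audit. It would also help to say explicitly that the IAM policy attached to the role should be scoped to the AWS resources Radius will manage, and that the `aud`/`sub` conditions in the trust policy are what prevent other service accounts in the cluster from assuming the role.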