* adding doc for aws irsa
  Signed-off-by: Vishwanath Hiremath <[email protected]>
* addressing comments
  Signed-off-by: Vishwanath Hiremath <[email protected]>
* fixing checks issues
  Signed-off-by: Vishwanath Hiremath <[email protected]>
* fix the checks
  Signed-off-by: Vishwanath Hiremath <[email protected]>
* fix shortcodes
  Signed-off-by: Vishwanath Hiremath <[email protected]>
* fix path
  Signed-off-by: Vishwanath Hiremath <[email protected]>
* adding new word to dict
  Signed-off-by: Vishwanath Hiremath <[email protected]>
* addressing comments
  Signed-off-by: Vishwanath Hiremath <[email protected]>
* Apply suggestions from code review
  Signed-off-by: Reshma Abdul Rahim <[email protected]>
---------
Signed-off-by: Vishwanath Hiremath <[email protected]>
Signed-off-by: Reshma Abdul Rahim <[email protected]>
Co-authored-by: Reshma Abdul Rahim <[email protected]>
1 parent 081669f, commit 8e5cfd1
Showing 7 changed files with 148 additions and 5 deletions.
Binary file added (+97.2 KB): ...uides/operations/providers/aws-provider/howto-aws-provider-irsa/create-role.png
Binary file added (+36.7 KB): ...ides/operations/providers/aws-provider/howto-aws-provider-irsa/get-role-arn.png
137 changes: 137 additions & 0 deletions in ...ntent/guides/operations/providers/aws-provider/howto-aws-provider-irsa/index.md
@@ -0,0 +1,137 @@ | ||
--- | ||
type: docs | ||
title: "How-To: Configure the AWS cloud provider with IAM Roles for Service Accounts (IRSA)" | ||
linkTitle: "AWS provider with IRSA" | ||
description: "Learn how to configure the AWS provider with IAM Roles for Service Accounts(IRSA) for your Radius Environment" | ||
weight: 200 | ||
categories: "How-To" | ||
tags: ["AWS"] | ||
--- | ||
|
||
The AWS provider allows you to deploy and connect to AWS resources from a Radius Environment on an EKS cluster. It can be configured: | ||
|
||
- [Interactively via `rad init`](#interactive-configuration) | ||
- [Manually via `rad env update` and `rad credential register`](#manual-configuration) | ||
|
||
## Prerequisites | ||
|
||
- [AWS account](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account) and an [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html) | ||
- [Setup AWS CLI with your AWS credentials. ](https://docs.aws.amazon.com/cli/latest/reference/configure/) | ||
- [rad CLI]({{< ref "installation#step-1-install-the-rad-cli" >}}) | ||
- [Setup a supported Kubernetes cluster]({{< ref "/guides/operations/kubernetes/overview#supported-clusters" >}}) | ||
- You will need the cluster's OIDC Issuer URL. [EKS Example](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) | ||
- [Create an IAM Policy] (https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) | ||
|
||
|
||
## Setup the AWS IAM Roles for Service Accounts(IRSA) for Radius | ||
|
||
To authorize Radius to connect to AWS using AWS IAM Roles for Service Accounts(IRSA), you should assign IAM roles to Kubernetes service accounts. | ||
To associate an IAM role with a Kubernetes service account Create an IAM role and associate it with a Kubernetes service account. | ||
- Go to Identity and Access Management (IAM) on AWS portal and create a new role. | ||
{{< image src="./create-role.png" width=500 alt="Screenshot of Create Role page in AWS portal" >}} | ||
- Select `Trusted entity type` as `Web Identity` and `Identity Provider` as the cluster OIDC url. | ||
{{< image src="./select-trust-entity.png" width=500 alt="Screenshot of options to pass while selecting trust entity." >}} | ||
- Select the created IAM policy to attach to your new role. | ||
- Add `Role Name` and create role using the default trust policy. | ||
- Update the Trust Policy to match to the below format. | ||
``` | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Federated": "arn:aws:iam::<account-id>:oidc-provider/<oidc-url>" | ||
}, | ||
"Action": "sts:AssumeRoleWithWebIdentity", | ||
"Condition": { | ||
"StringEquals": { | ||
"<oidc-url>:aud": "sts.amazonaws.com", | ||
"<oidc-url>:sub": "system:serviceaccount:radius-system:ucp" | ||
} | ||
} | ||
}, | ||
{ | ||
"Sid": "Statement1", | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Federated": "arn:aws:iam::<account-id>:oidc-provider/<oidc-url>" | ||
}, | ||
"Action": "sts:AssumeRoleWithWebIdentity", | ||
"Condition": { | ||
"StringEquals": { | ||
"<oidc-url>:aud": "sts.amazonaws.com", | ||
"<oidc-url>:sub": "system:serviceaccount:radius-system:applications-rp" | ||
} | ||
} | ||
} | ||
] | ||
} | ||
``` | ||
Now that the setup is complete, you can install Radius with AWS IRSA enabled. | ||
## Interactive configuration | ||
1. Initialize a new environment with [`rad init --full`]({{< ref rad_init >}}): | ||
```bash | ||
rad init --full | ||
``` | ||
|
||
1. Follow the prompts, specifying: | ||
- **Namespace** - The Kubernetes namespace where your application containers and networking resources will be deployed (different than the Radius control-plane namespace, `radius-system`) | ||
- **Add an AWS provider** | ||
1. Select the "IRSA" option | ||
2. Enter IAM Role ARN. | ||
Find the ARN from the role created in the setup step. | ||
{{< image src="./get-role-arn.png" width=500 alt="Screenshot of role details to get role ARN." >}} | ||
3. Confirm the AWS account ID or provide the account ID you would like to use. | ||
4. Select a region to deploy your AWS resources to. | ||
- **Environment name** - The name of the environment to create | ||
|
||
You should see the following output: | ||
|
||
``` | ||
Initializing Radius. This may take a minute or two... | ||
✅ Install Radius {{< param version >}} | ||
- Kubernetes cluster: k3d-k3s-default | ||
- Kubernetes namespace: radius-system | ||
- AWS credential: IRSA | ||
- IAM Role ARN: arn:aws:iam::myAccountID:role/radius-role-new | ||
✅ Create new environment default | ||
- Kubernetes namespace: default | ||
- AWS: account myAccountID and region us-east-2 | ||
✅ Update local configuration | ||
Initialization complete! Have a RAD time 😎 | ||
``` | ||
## Manual configuration | ||
1. Use [`rad install kubernetes`]({{< ref rad_install_kubernetes >}}) to install Radius with AWS AWS IAM Roles for Service Accounts(IRSA) enabled: | ||
```bash | ||
rad install kubernetes --set global.aws.irsa.enabled=true | ||
``` | ||
1. Create your resource group and environment: | ||
```bash | ||
rad group create default | ||
rad env create default | ||
``` | ||
1. Use [`rad env update`]({{< ref rad_env_update >}}) to update your Radius Environment with your your AWS region and AWS account ID: | ||
```bash | ||
rad env update myEnvironment --aws-region myAwsRegion --aws-account-id myAwsAccountId | ||
``` | ||
1. Use [`rad credential register aws irsa`]({{< ref rad_credential_register_aws_irsa >}}) to add the AWS IRSA credentials: | ||
```bash | ||
rad credential register aws irsa --iam-role myRoleARN | ||
``` | ||
Radius will use the provided roleARN for all interactions with AWS, including Bicep and Recipe deployments. |
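Review bot: the trust-policy block under "Update the Trust Policy to match to the below format" never says how to fill the `<account-id>` and `<oidc-url>` placeholders, and a reader who pastes the cluster's OIDC issuer URL verbatim will get a policy that never matches; state that `<oidc-url>` is the issuer URL without the `https://` scheme (the same value used in the `oidc-provider/` ARN and in the `:aud` / `:sub` condition keys), and add one sentence explaining that the two `StringEquals` `:sub` conditions are what pin the role to the `radius-system:ucp` and `radius-system:applications-rp` service accounts, so they should be kept exact rather than relaxed to a wildcard. Smaller fixes in the same hunk: `[Create an IAM Policy] (https://...)` has a space before the URL and will not render as a link; "To associate an IAM role with a Kubernetes service account Create an IAM role and associate it with a Kubernetes service account." says the same thing twice and should be cut to one clause; "with AWS AWS IAM Roles" and "with your your AWS region" each duplicate a word; `rad env update myEnvironment` names a different environment than the `rad env create default` step directly above it, so either use `default` in both or introduce the placeholder; and only the second statement carries a `Sid` ("Statement1"), so either drop it or give both statements descriptive Sids.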
Binary file added (+225 KB): ...erations/providers/aws-provider/howto-aws-provider-irsa/select-trust-entity.png