Configure the EKS Cluster with the AWS policy and IAM role

JFrog Installation & Setup Documentation


Before you configure the cluster and run the operator, decide on the Kubernetes namespace and the service account in that namespace under which the secret rotator operator will run. The IAM trust policy created below grants the role to exactly that one service account, so choose these names before you start.

  1. Run the following commands to export the namespace and service account names for use in the rest of the procedure.

    export NAMESPACE=<namespace where the passwordless access is to be configured>
    export SERVICE_ACCOUNT_NAME=<service account where the passwordless access is to be configured>
  2. Run the following command to get the OIDC provider of the EKS cluster. The `sed` strips the `https://` scheme because the trust policy refers to the provider by host and path only.

    oidc_provider=$(aws eks describe-cluster --name <EKS cluster name> --region <EKS region> --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
  3. Run the following command to get the ID of the AWS account that owns the cluster.

    account_id=$(aws sts get-caller-identity --query "Account" --output text)
  4. Create the trust-relationship.json file with the following contents.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::<account id>:oidc-provider/<OIDC provider>"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "<OIDC provider>:aud": "sts.amazonaws.com",
              "<OIDC provider>:sub": "system:serviceaccount:<namespace>:<service account>"
            }
          }
        }
      ]
    }

    You must enter the actual values of the account ID, OIDC provider, namespace, and service account (the values of $account_id, $oidc_provider, $NAMESPACE, and $SERVICE_ACCOUNT_NAME) in the JSON file, not the variable names. Keep both conditions: the `aud` condition limits the role to tokens issued for STS, and the `sub` condition limits it to this one service account. Without the `sub` condition, any pod in the cluster could assume the role.

  5. Run the following command to create the IAM role.

    aws iam create-role --role-name <IAM role name> --assume-role-policy-document file://trust-relationship.json --description "my-role-description"  --max-session-duration <token expiration in seconds>

    The value of max-session-duration must be between 3600 and 43200 seconds (1 to 12 hours); the default is 3600.

  6. Create a policy JSON file that grants only sts:GetCallerIdentity and iam:GetRole on the role.

    my-policy.json:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:GetCallerIdentity",
          "Resource": "<ARN of the IAM role>"
        },
        {
          "Sid": "Statement1",
          "Effect": "Allow",
          "Action": ["iam:GetRole"],
          "Resource": ["<ARN of the IAM role>"]
        }
      ]
    }

    Set the resource names to the ARN of the IAM role you created in step 5: arn:aws:iam::<your account number>:role/<IAM role name that you created>. Note that sts:GetCallerIdentity requires no permissions in AWS, so the first statement only documents intent; the iam:GetRole statement is the one that actually grants access, and it is scoped to this role alone.

  7. Run the following command to create the IAM policy.

    aws iam create-policy --policy-name my-policy --policy-document file://my-policy.json
  8. Run the following command to attach the policy to the IAM role. Use the policy name from step 7 (my-policy in the example above).

    aws iam attach-role-policy --role-name <IAM role name> --policy-arn=arn:aws:iam::$account_id:policy/<policy name>
  9. Create an OpenID Connect (OIDC) identity provider in IAM for the cluster, if one does not exist yet.

    The IAM OIDC provider must exist before the trust policy in step 5 can name it as a federated principal, so complete this step before creating the role. To check whether one already exists for this cluster, run:

    aws iam list-open-id-connect-providers

    and look for an ARN ending in oidc-provider/$oidc_provider (the value you obtained in step 2).

    Enter the cluster's OIDC issuer URL as the Provider URL, that is, https:// followed by the value of $oidc_provider.

    Enter sts.amazonaws.com as the Audience. This must match the aud condition in the trust policy.

    Ensure that you select Get thumbprint when you create the OIDC identity provider.
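The following script is an added example, not part of the JFrog documentation or the operator itself. It wraps steps 1 through 9 above into shell functions: the trust policy and permission policy are rendered from parameters, the session duration and issuer format are validated before any call is made, and the aws CLI is invoked only from configure_irsa(), which also refuses to proceed if the IAM OIDC provider from step 9 is missing. All names in it (cluster, region, role, policy, namespace, service account) are placeholders, and the account ID and issuer used in the offline demo at the bottom are constructed values.

```shell
#!/usr/bin/env bash
# Added example, not from the JFrog page: steps 1-9 as reusable functions.
# Policy rendering and input checks run offline; aws is only called from
# configure_irsa(). All names are placeholders to replace with your own.
set -eu

# Trust policy: only the one Kubernetes service account (sub) presenting a
# token for the sts.amazonaws.com audience (aud) may assume the role.
# $1=AWS account id  $2=OIDC provider (host/path, no https://)  $3=namespace  $4=service account
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "arn:aws:iam::$1:oidc-provider/$2" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "$2:aud": "sts.amazonaws.com",
          "$2:sub": "system:serviceaccount:$3:$4"
        }
      }
    }
  ]
}
EOF
}

# Permission policy: the rotator only identifies itself and reads its own role.
# $1=ARN of the role created from the trust policy
permission_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "sts:GetCallerIdentity", "Resource": "$1" },
    { "Sid": "ReadOwnRole", "Effect": "Allow", "Action": ["iam:GetRole"], "Resource": ["$1"] }
  ]
}
EOF
}

# IAM accepts 3600..43200 seconds (1 to 12 hours) for --max-session-duration.
valid_session_duration() {
  case "$1" in *[!0-9]*|'') return 1 ;; esac
  [ "$1" -ge 3600 ] && [ "$1" -le 43200 ]
}

# An EKS issuer with the scheme stripped looks like oidc.eks.<region>.amazonaws.com/id/<id>.
# A leading https:// means the sed in step 2 did not run; the condition keys would be wrong.
valid_oidc_provider() {
  case "$1" in
    https://*) return 1 ;;
    oidc.eks.*.amazonaws.com/id/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Runs steps 2-8 against a real account. $1=cluster $2=region $3=namespace
# $4=service account $5=role name $6=policy name $7=max session seconds (default 3600)
configure_irsa() {
  cluster=$1 region=$2 ns=$3 sa=$4 role=$5 policy=$6 max_secs=${7:-3600}
  valid_session_duration "$max_secs" || { echo "max-session-duration must be 3600..43200" >&2; return 1; }

  account_id=$(aws sts get-caller-identity --query Account --output text)
  oidc_provider=$(aws eks describe-cluster --name "$cluster" --region "$region" \
      --query cluster.identity.oidc.issuer --output text | sed -e 's#^https://##')
  valid_oidc_provider "$oidc_provider" || { echo "unexpected issuer: $oidc_provider" >&2; return 1; }

  # Step 9 must already be done: the trust policy names the provider as a principal.
  aws iam list-open-id-connect-providers --query 'OpenIDConnectProviderList[].Arn' --output text \
    | grep -q "oidc-provider/$oidc_provider" \
    || { echo "no IAM OIDC provider for $oidc_provider; create it first (step 9)" >&2; return 1; }

  work=$(mktemp -d)
  trust_policy "$account_id" "$oidc_provider" "$ns" "$sa" > "$work/trust-relationship.json"
  role_arn=$(aws iam create-role --role-name "$role" \
      --assume-role-policy-document "file://$work/trust-relationship.json" \
      --max-session-duration "$max_secs" --query Role.Arn --output text)

  permission_policy "$role_arn" > "$work/my-policy.json"
  policy_arn=$(aws iam create-policy --policy-name "$policy" \
      --policy-document "file://$work/my-policy.json" --query Policy.Arn --output text)
  aws iam attach-role-policy --role-name "$role" --policy-arn "$policy_arn"
  # Not covered on this page: the service account also needs the
  # eks.amazonaws.com/role-arn annotation (often set by the Helm chart) before
  # EKS injects the projected token into the rotator pod.
  echo "$role_arn"
}

# Offline demo with constructed values; set APPLY=1 (plus CLUSTER, REGION,
# NAMESPACE, SERVICE_ACCOUNT_NAME, ROLE_NAME, POLICY_NAME) to run it for real.
if [ "${APPLY:-0}" = 1 ]; then
  configure_irsa "$CLUSTER" "$REGION" "$NAMESPACE" "$SERVICE_ACCOUNT_NAME" \
      "$ROLE_NAME" "$POLICY_NAME" "${MAX_SECS:-3600}"
else
  trust_policy 123456789012 oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE \
      jfrog secret-rotator
fi
```

Running the script without APPLY prints the trust policy for the constructed values so you can compare it against the file from step 4; with APPLY=1 it performs the role and policy creation in order and stops before touching IAM if the session duration, issuer format, or OIDC provider check fails.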