Using AWS IAM Roles with K10
AWS IAM Roles allow delegating access to AWS resources to a trusted entity (e.g., an AWS user or a Kubernetes Service Account). K10 can be configured to access AWS infrastructure using an IAM Role.
To use a role with K10, an IAM Policy that describes the permissions the role will grant needs to be created first. Second, a role with this policy attached needs to be created. Finally, the trusted entities (IAM User or Kubernetes Service Account) that can assume that role need to be configured.
Creating an IAM Policy
An IAM Policy specifies permissions the role will grant. The set of permissions needed by K10 for integrating against different AWS services are described here.
The example below is a policy definition that grants permissions required to snapshot and restore EBS volumes and migrate them across Kubernetes clusters.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CopySnapshot",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DescribeSnapshotAttribute",
"ec2:ModifySnapshotAttribute",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeSnapshots",
"ec2:DescribeTags",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes",
"ec2:ResourceTag/*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:DeleteSnapshot",
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/Name": "Kasten: Snapshot*"
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:PutObject",
"s3:GetObject",
"s3:PutBucketPolicy",
"s3:ListBucket",
"s3:DeleteObject",
"s3:DeleteBucketPolicy",
"s3:GetBucketLocation",
"s3:GetBucketPolicy"
],
"Resource": "*"
}
]
}
Note
To enable AWS KMS encryption additional policies are required. Refer to Configuring K10 encryption for more information.
K10 installs with IAM Roles
Option I: Using IAM Role With a Kubernetes Service Account (EKS)
Enabling OIDC on your EKS Cluster
Supporting IAM Roles with Kubernetes Service Accounts (SAs) requires
the IAM Roles for Service Accounts feature that is available for AWS
EKS clusters. Refer to Enabling IAM Roles for Service Accounts on
your Cluster
for complete instructions to enable this feature. If you have
eksctl
available, you can run:
$ eksctl utils associate-iam-oidc-provider --cluster ${EKS_CLUSTER_NAME} --approve
Creating an IAM Role for K10 Install
To create an IAM Role that delegates permissions to a Kubernetes
Service Account, see the AWS documentation on Creating an IAM Role
and Policy for your Service Account.
Use kasten-io
(or the namespace you installed K10 in) for
the SERVICE_ACCOUNT_NAMESPACE
and
k10-k10
for the SERVICE_ACCOUNT_NAME
in the instructions.
Using an IAM Role for K10 Install
Once the AWS Role is created, install K10 with the Amazon Resource Name (ARN) of the role. Note that no AWS credentials are required with this approach.
$ helm install k10 kasten/k10 --namespace=kasten-io \
--set secrets.awsIamRole="${AWS_IAM_ROLE_ARN}"
Option II: Using an IAM Role With an IAM User
To create an IAM Role that delegates permissions to an IAM User, see the AWS documentation on Creating a Role to Delegate Permissions to an IAM User.
Note
Once the IAM Role is created, the IAM User must also be granted permissions to assume the role programmatically. For more information about this step, see Granting a User Permissions to Switch Roles.
Once the AWS IAM Role is created, configure K10 with the
AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY
for the IAM User
along with the AWS ARN of the role.
$ helm install k10 kasten/k10 --namespace=kasten-io \
--set secrets.awsAccessKeyId="${AWS_ACCESS_KEY_ID}" \
--set secrets.awsSecretAccessKey="${AWS_SECRET_ACCESS_KEY}" \
--set secrets.awsIamRole="${AWS_IAM_ROLE_ARN}"