sigs.k8s.io/cluster-api-provider-aws@v1.5.5/docs/book/src/topics/specify-management-iam-role.md

# Specifying the IAM Role to use for Management Components

## Prerequisites

To be able to specify the IAM role that the management components should run as, your cluster must be set up with the ability to assume IAM roles using one of the following solutions:

* [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html)
* [Kiam](https://github.com/uswitch/kiam)
* [Kube2iam](https://github.com/jtblin/kube2iam)

## Setting IAM Role

Set the `AWS_CONTROLLER_IAM_ROLE` environment variable to the ARN of the IAM role to use when running the `clusterctl init` command.

For example:

```bash
export AWS_CONTROLLER_IAM_ROLE=arn:aws:iam::1234567890:role/capa-management-components
clusterctl init --infrastructure=aws
```

## IAM Role Trust Policy

### IAM Roles for Service Accounts

When creating the IAM role, the following trust policy will need to be used, with the `AWS_ACCOUNT_ID`, `AWS_REGION` and `OIDC_PROVIDER_ID` placeholders replaced with your values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/oidc.eks.${AWS_REGION}.amazonaws.com/id/${OIDC_PROVIDER_ID}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "oidc.eks.${AWS_REGION}.amazonaws.com/id/${OIDC_PROVIDER_ID}:sub": [
            "system:serviceaccount:capa-system:capa-controller-manager",
            "system:serviceaccount:capi-system:capi-controller-manager",
            "system:serviceaccount:capa-eks-control-plane-system:capa-eks-control-plane-controller-manager",
            "system:serviceaccount:capa-eks-bootstrap-system:capa-eks-bootstrap-controller-manager"
          ]
        }
      }
    }
  ]
}
```

If you plan to use the `controllers.cluster-api-provider-aws.sigs.k8s.io` role created by clusterawsadm, then you'll need to add the following to your AWSIAMConfiguration:

```yaml
apiVersion: bootstrap.aws.infrastructure.cluster.x-k8s.io/v1beta1
kind: AWSIAMConfiguration
spec:
  clusterAPIControllers:
    disabled: false
    trustStatements:
    - Action:
      - "sts:AssumeRoleWithWebIdentity"
      Effect: "Allow"
      Principal:
        Federated:
        - "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/oidc.eks.${AWS_REGION}.amazonaws.com/id/${OIDC_PROVIDER_ID}"
      Condition:
        "ForAnyValue:StringEquals":
          "oidc.eks.${AWS_REGION}.amazonaws.com/id/${OIDC_PROVIDER_ID}:sub":
            - system:serviceaccount:capa-system:capa-controller-manager
            - system:serviceaccount:capa-eks-control-plane-system:capa-eks-control-plane-controller-manager # Include if also using EKS
```

With this you can then set `AWS_CONTROLLER_IAM_ROLE` to `arn:aws:iam::${AWS_ACCOUNT_ID}:role/controllers.cluster-api-provider-aws.sigs.k8s.io`.

### Kiam / kube2iam

When creating the IAM role, you will need to apply the `"kubernetes.io/cluster/${CLUSTER_NAME}/role": "enabled"` tag to the role and use the following trust policy, with the `AWS_ACCOUNT_ID` and `CLUSTER_NAME` placeholders correctly replaced.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${CLUSTER_NAME}.worker-node-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

If you plan to use the `controllers.cluster-api-provider-aws.sigs.k8s.io` role created by clusterawsadm, then you'll need to add the following to your AWSIAMConfiguration:

```yaml
apiVersion: bootstrap.aws.infrastructure.cluster.x-k8s.io/v1beta1
kind: AWSIAMConfiguration
spec:
  clusterAPIControllers:
    disabled: false
    trustStatements:
      - Action:
        - "sts:AssumeRole"
        Effect: "Allow"
        Principal:
          Service:
          - "ec2.amazonaws.com"
      - Action:
        - "sts:AssumeRole"
        Effect: "Allow"
        Principal:
          AWS:
          - "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${CLUSTER_NAME}.worker-node-role"
```

With this you can then set `AWS_CONTROLLER_IAM_ROLE` to `arn:aws:iam::${AWS_ACCOUNT_ID}:role/controllers.cluster-api-provider-aws.sigs.k8s.io`.
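The following is an added example, not code from cluster-api-provider-aws or clusterawsadm, that checks a management-role trust policy against both shapes shown above: for the IRSA form it flags a `sts:AssumeRoleWithWebIdentity` statement with no `:sub` condition (which would let any service account behind the OIDC issuer assume the role) or with a subject outside the expected set, and for the Kiam/kube2iam form it flags a `sts:AssumeRole` statement that trusts `*` or the account root instead of the worker-node role. The sample policy and the expected-subject set are constructed from this page with its placeholders left unexpanded; `OIDC`, `lint_trust_policy` and `_as_list` are names chosen here.

```python
import json, sys

# Service accounts named in this page's IRSA trust policy (CAPI, CAPA and EKS add-on controllers).
EXPECTED_SUBJECTS = {
    "system:serviceaccount:capa-system:capa-controller-manager",
    "system:serviceaccount:capi-system:capi-controller-manager",
    "system:serviceaccount:capa-eks-control-plane-system:capa-eks-control-plane-controller-manager",
    "system:serviceaccount:capa-eks-bootstrap-system:capa-eks-bootstrap-controller-manager",
}

OIDC = "oidc.eks.${AWS_REGION}.amazonaws.com/id/${OIDC_PROVIDER_ID}"
SAMPLE_IRSA_POLICY = {"Version": "2012-10-17", "Statement": [{  # constructed from the page
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::${{AWS_ACCOUNT_ID}}:oidc-provider/{OIDC}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"ForAnyValue:StringEquals": {f"{OIDC}:sub": sorted(EXPECTED_SUBJECTS)}},
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM accepts a string or a list

def lint_trust_policy(policy, expected_subjects=EXPECTED_SUBJECTS):
    """Return a list of findings for a role trust policy; an empty list means it passed."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        principal = stmt.get("Principal", {})
        if "sts:AssumeRoleWithWebIdentity" in actions:
            # IRSA: the Federated principal alone trusts every pod behind the OIDC issuer;
            # only the <issuer>:sub condition pins the role to the named service accounts.
            subs = [v for keys in stmt.get("Condition", {}).values()
                    for k, v in keys.items() if k.endswith(":sub")]
            if not subs:
                findings.append(f"statement {i}: no ':sub' condition, any service account can assume the role")
            for sub in (s for values in subs for s in _as_list(values)):
                if sub not in expected_subjects:  # catches wildcards and stray accounts alike
                    findings.append(f"statement {i}: unexpected subject {sub!r}")
        if "sts:AssumeRole" in actions:
            # Kiam/kube2iam: trust the specific node role only, never '*' or the account root.
            aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
            for arn in _as_list(aws):
                if arn == "*" or arn.endswith(":root") or arn.isdigit():
                    findings.append(f"statement {i}: over-broad AWS principal {arn!r}")
    return findings

if __name__ == "__main__":  # usage: python lint_trust_policy.py [trust-policy.json]
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_IRSA_POLICY
    print("\n".join(lint_trust_policy(policy) or ["ok: trust policy is scoped as expected"]))
```

Run it against the JSON you attach to the role before `clusterctl init`, or against the output of `aws iam get-role` afterwards to confirm the stored trust policy still matches.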