sigs.k8s.io/cluster-api-provider-aws@v1.5.5/docs/book/src/topics/using-iam-roles-in-mgmt-cluster.md (about)

# Using IAM roles in management cluster instead of AWS credentials

## Overview

Sometimes users might want to use IAM roles to deploy management clusters. If the user already has a management cluster that was created using AWS credentials, CAPA provides a way to use IAM roles instead of those credentials.

## Pre-requisites

The user has a bootstrap cluster created with AWS credentials. These credentials can be temporary as well.
To create temporary credentials, please follow [this doc](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html).

We can verify whether this bootstrap cluster is using AWS credentials by checking the `capa-manager-bootstrap-credentials` secret created in the `capa-system` namespace:
```bash
kubectl get secret -n capa-system capa-manager-bootstrap-credentials -o=jsonpath='{.data.credentials}' | { base64 -d 2>/dev/null || base64 -D; }
```
which will give output similar to the following:
```ini
[default]
aws_access_key_id = <your-access-key>
aws_secret_access_key = <your-secret-access-key>
region = us-east-1

aws_session_token = <session-token>
```

## Goal

Create a management cluster which uses instance profiles (IAM roles) attached to the EC2 instances.

## Steps for CAPA-managed clusters

1. Create a workload cluster on the existing bootstrap cluster. Refer to the [quick start guide](https://cluster-api.sigs.k8s.io/user/quick-start.html) for more details.
   Since only control-plane nodes have the required IAM roles attached, the CAPA deployment should have the necessary tolerations for the master (control-plane) node taint and a node selector for master nodes.

   > **Note:** A cluster with a single control plane node won’t be sufficient here due to the `NoSchedule` taint.

2. Get the kubeconfig for the new target management cluster (created in the previous step) once it is up and running.
3. Zero the credentials the CAPA controller started with, so that the target management cluster uses empty credentials and not the credentials previously used to create the bootstrap cluster:
   ```bash
   clusterawsadm controller zero-credentials --namespace=capa-system
   ```
   For more details, please refer to the [zero-credentials doc](https://cluster-api-aws.sigs.k8s.io/clusterawsadm/clusterawsadm_controller_zero-credentials.html).
4. Roll out and restart the capa-controller-manager deployment using:
   ```bash
   clusterawsadm controller rollout-controller --kubeconfig=kubeconfig --namespace=capa-system
   ```
   For more details, please refer to the [rollout-controller doc](https://cluster-api-aws.sigs.k8s.io/clusterawsadm/clusterawsadm_controller_rollout-controller.html).
5. Use `clusterctl init` with the new cluster’s kubeconfig to install the provider components. For more details on preparing for init, please refer to the [clusterctl init doc](https://cluster-api.sigs.k8s.io/clusterctl/commands/init.html).
6. Use `clusterctl move` to move the Cluster API resources from the bootstrap cluster to the target management cluster. For more details on preparing for move, please refer to the [clusterctl move doc](https://cluster-api.sigs.k8s.io/clusterctl/commands/move.html).
7. Once the resources are moved to the target management cluster successfully, `capa-manager-bootstrap-credentials` will be created as nil, and hence the CAPA controllers will fall back to using the attached instance profiles.
8. Delete the bootstrap cluster with the AWS credentials.
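Before deleting the bootstrap cluster it is worth confirming that the secret on the target management cluster really is empty, so the controllers use the instance profile and no static keys linger. The following shell check is an added example, not code from CAPA or this document: `classify_credentials` parses the decoded credentials text in the format shown under Pre-requisites, and `check_secret_zeroed` wraps the same kubectl/base64 pipeline; both function names are chosen here, and `kubectl` and `base64` are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not part of CAPA): verify that the target management cluster's
# capa-manager-bootstrap-credentials secret carries no AWS access key, so the
# CAPA controllers will fall back to the attached instance profile.
set -eu

# Reads AWS shared-credentials text (as printed in the pre-requisites section)
# on stdin and prints exactly one word:
#   empty      no access key present (zeroed; instance profile will be used)
#   temporary  access key plus aws_session_token (STS credentials)
#   static     long-lived access key with no session token
classify_credentials() {
  local line='' key='' value='' has_key=0 has_token=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      \#*|\;*|'') continue ;;            # comments and blank lines
    esac
    case "$line" in
      *=*) ;;
      *) continue ;;                     # section headers such as [default]
    esac
    # split on the first '=' only; session tokens may contain '=' padding
    key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
    value=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
    case "$key" in
      aws_access_key_id) if [ -n "$value" ]; then has_key=1; fi ;;
      aws_session_token) if [ -n "$value" ]; then has_token=1; fi ;;
    esac
  done
  if [ "$has_key" -eq 0 ]; then echo empty
  elif [ "$has_token" -eq 1 ]; then echo temporary
  else echo static
  fi
}

# Decodes the live secret with the same pipeline as the pre-requisites section
# and succeeds only if it classifies as "empty". Not invoked at load time;
# pass the path of the target management cluster's kubeconfig (assumed name).
check_secret_zeroed() {
  local decoded=''
  decoded=$(kubectl --kubeconfig="${1:-kubeconfig}" get secret -n capa-system \
    capa-manager-bootstrap-credentials -o=jsonpath='{.data.credentials}' \
    | { base64 -d 2>/dev/null || base64 -D; })
  [ "$(printf '%s\n' "$decoded" | classify_credentials)" = empty ]
}
```

Run `check_secret_zeroed <kubeconfig>` against the target management cluster after `clusterctl move` and only delete the bootstrap cluster once it succeeds.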