Amazon S3: buckets with IAM role for K8s service accounts #27
Changes from 7 commits
18bd032
2d468c8
7c8f567
1b88c44
65b1b7c
d3b11ec
e12aaf0
800b899
d73b8b4
88614e6
@@ -0,0 +1,107 @@ | ||
--- | ||
|
||
# | ||
# Public S3 assets bucket | ||
# | ||
|
||
- name: "create public bucket {{ k8s_s3_public_bucket }}" | ||
s3_bucket: | ||
name: "{{ k8s_s3_public_bucket }}" | ||
state: present | ||
versioning: yes | ||
region: "{{ k8s_s3_region }}" | ||
|
||
# | ||
# Private S3 assets bucket | ||
# | ||
|
||
- name: "create private bucket {{ k8s_s3_private_bucket }}" | ||
s3_bucket: | ||
name: "{{ k8s_s3_private_bucket }}" | ||
state: present | ||
versioning: yes | ||
region: "{{ k8s_s3_region }}" | ||
encryption: AES256 | ||
|
||
# Not available via Ansible module as of 7/2020 | ||
Bummer :( I've subscribed to the relevant github issue...
||
- name: "block all public access to {{ k8s_s3_private_bucket }}" | ||
command: | ||
argv: | ||
- aws | ||
- s3api | ||
- put-public-access-block | ||
- --bucket | ||
- "{{ k8s_s3_private_bucket }}" | ||
- --public-access-block-configuration | ||
- BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true | ||
|
||
# | ||
# IAM OIDC identity provider and issuer | ||
# | ||
|
||
# https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html | ||
# Possibly replace in future with (to remove eksctl requirement): | ||
# 1. https://docs.aws.amazon.com/cli/latest/reference/iam/create-open-id-connect-provider.html | ||
# 2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html | ||
- name: create an IAM OIDC identity provider for the cluster | ||
command: "eksctl utils associate-iam-oidc-provider --cluster {{ k8s_s3_cluster_name }} --approve" | ||
register: associate_response | ||
changed_when: "'created' in associate_response.stdout" | ||
|
||
# Not available via Ansible module as of 7/2020 | ||
- name: describe cluster to obtain OIDC issuer | ||
command: "aws eks describe-cluster --region {{ k8s_s3_region }} --name {{ k8s_s3_cluster_name }} --output json" | ||
changed_when: false | ||
register: cluster_query | ||
|
||
- name: parse OIDC issuer from response | ||
set_fact: | ||
oidc_issuer: "{{ cluster_query.stdout | from_json | json_query('cluster.identity.oidc.issuer') | regex_replace('https://') }}" | ||
|
||
# | ||
# AWS Account ID | ||
# | ||
|
||
- name: get the current caller identity information | ||
aws_caller_info: | ||
register: caller_info | ||
|
||
- name: parse AWS account ID | ||
set_fact: | ||
aws_account_id: "{{ caller_info.account }}" | ||
|
||
# | ||
# IAM Role | ||
# | ||
|
||
# https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html | ||
- name: Create IAM role for K8s service account | ||
iam_role: | ||
name: "{{ k8s_s3_iam_role }}" | ||
assume_role_policy_document: "{{ lookup('template', 's3/TrustPolicy.json.j2') }}" | ||
description: IAM role for K8s service account | ||
|
||
- name: Attach inline policy to user | ||
iam_policy: | ||
iam_type: role | ||
iam_name: "{{ k8s_s3_iam_role }}" | ||
policy_name: "EKSBucketPolicy" | ||
state: present | ||
policy_json: "{{ lookup( 'template', 's3/AssetManagementPolicy.json.j2') }}" | ||
|
||
# | ||
# Service Account | ||
# | ||
|
||
# https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html | ||
- name: "Associate IAM role with the service account in your cluster" | ||
k8s: | ||
state: present | ||
definition: | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: "{{ k8s_s3_serviceaccount }}" | ||
namespace: "{{ k8s_s3_namespace }}" | ||
annotations: | ||
eks.amazonaws.com/role-arn: "arn:aws:iam::{{ aws_account_id }}:role/{{ k8s_s3_iam_role }}" |
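Review bot: The `put-public-access-block` task (the `command` block under the "Not available via Ansible module as of 7/2020" comment) has no `changed_when`, so every play reports it as changed, and unlike the neighbouring `s3_bucket` tasks it passes no region, so it runs against whatever the AWS CLI's ambient default region is. Adding `changed_when: false` to the task and `- --region` / `- "{{ k8s_s3_region }}"` to `argv` keeps the run idempotent and pins it to the same region as the bucket; I believe later releases of the amazon.aws collection expose this as a `public_access` option on `s3_bucket`, which would let the CLI call be dropped once the collection is upgraded. The task named "Attach inline policy to user" actually targets a role (`iam_type: role`); rename it, e.g. `- name: Attach inline policy to IAM role`. `versioning: yes` on both buckets is a YAML 1.1 truthy that Ansible tolerates, but `versioning: true` is the canonical spelling and keeps yamllint quiet.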
@@ -0,0 +1,25 @@ | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:ListBucket" | ||
], | ||
"Resource": [ | ||
"arn:aws:s3:::{{ k8s_s3_public_bucket }}", | ||
"arn:aws:s3:::{{ k8s_s3_private_bucket }}", | ||
Not sure how strict these have to be but JSON doesn't allow trailing commas.
done!
||
] | ||
}, | ||
{ | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:*" | ||
], | ||
"Resource": [ | ||
"arn:aws:s3:::{{ k8s_s3_public_bucket }}/*", | ||
"arn:aws:s3:::{{ k8s_s3_private_bucket }}/*" | ||
] | ||
} | ||
] | ||
} |
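Review bot: The second statement grants `s3:*` on every object in both buckets, which is broader than the read/write access an asset bucket implies: it includes object-ACL and tagging operations such as `s3:PutObjectAcl`, and on the public bucket, which gets no public-access block in this PR, that could let the workload alter object ACLs, as well as `s3:DeleteObjectVersion` on buckets the playbook deliberately versions. Enumerate the object actions the application actually needs instead, e.g. `"Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]`; the exact set is not visible on this page, so confirm it against the consuming service. The `s3:ListBucket` statement above is already scoped correctly to the bucket ARNs rather than `/*`.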
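--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,17 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Federated": "arn:aws:iam::{{ aws_account_id }}:oidc-provider/{{ oidc_issuer }}"
+},
+"Action": "sts:AssumeRoleWithWebIdentity",
+"Condition": {
+"StringEquals": {
+"{{ oidc_issuer }}:sub": "system:serviceaccount:{{ k8s_s3_namespace }}:{{ k8s_s3_serviceaccount }}"
+}
+}
+}
+]
+}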
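Review bot: The trust policy's `Condition` pins only the token's `sub` claim; the EKS guidance for IAM roles for service accounts also pins the audience with a second `StringEquals` entry, `"{{ oidc_issuer }}:aud": "sts.amazonaws.com"`, so that only service-account tokens minted for STS can assume the role. Without it, a projected token issued by the same cluster provider for this service account but with a different audience would also satisfy the condition. Both keys sit under the same `StringEquals` object, so this is a one-line addition after the existing `:sub` line (which then needs a trailing comma).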
Maybe just say "web applications" because of #26 :)
done!