chore(ansible): improve notes for awx setup on eks

2026-02-09 05:44:23 +00:00 · 2024-08-07 22:27:31 +02:00
parent bfe510f1ed
commit f466fca3e6
7 changed files with 241 additions and 5 deletions
--- a/computing/aws/README.md
+++ b/computing/aws/README.md
@@ -16,6 +16,8 @@
 1. [Resource constraints](#resource-constraints)
 1. [Access control](#access-control)
   1. [IAM policies](#iam-policies)
+   1. [Assume Roles](#assume-roles)
+      1. [Require MFA for assuming Roles](#require-mfa-for-assuming-roles)
 1. [Further readings](#further-readings)
   1. [Sources](#sources)

@@ -311,6 +313,94 @@ Examples:

 </details>

+### Assume Roles
+
+Refer [Introduction to AWS IAM AssumeRole].
+
+Users, Roles and Services can assume Roles as long as:
+
+1. The User, Role or Service that is trying to assume the end Role has assigned policies that would allow them to.
+
+   ```json
+   {
+       "Version": "2012-10-17",
+       "Statement": [
+           {
+               "Sid": "AllowMeToAssumeThoseRoles",
+               "Effect": "Allow",
+               "Action": "sts:AssumeRole",
+               "Resource": [
+                   "arn:aws:iam::012345678901:role/EksAdminRole",
+                   "arn:aws:iam::987654321098:role/EcsAuditorRole"
+               ]
+           }
+       ]
+   }
+   ```
+
+1. The **end** Role's Trust Relationships allow the entity in the point above to assume it.
+
+   ```json
+   {
+       "Version": "2012-10-17",
+       "Statement": [
+           …,
+           {
+               "Effect": "Allow",
+               "Principal": {
+                   "AWS": "arn:aws:iam::012345678901:user/halJordan"
+               },
+               "Action": "sts:AssumeRole"
+           }
+       ]
+   }
+   ```
+
+Allowed entities can assume Roles using the [STS AssumeRole API][assumerole api reference]:
+
+```sh
+aws sts assume-role --output 'yaml' \
+  --role-arn "arn:aws:iam::012345678901:role/EksAdminRole" \
+  --role-session-name "lookAt-halJordan-sheIsThe-EksAdminRole-now"
+```
+
+```yaml
+AssumedRoleUser:
+  Arn: arn:aws:sts::012345678901:assumed-role/EksAdminRole/AIDA0123456789ABCDEFG-as-EksAdminRole-stsSession
+  AssumedRoleId: AROA2HKHF0123456789OA:AIDA0123456789ABCDEFG-as-EksAdminRole-stsSession
+Credentials:
+  AccessKeyId: ASIA2HKHF012345ABCDE
+  Expiration: '2024-08-06T10:29:15+00:00'
+  SecretAccessKey: C2SGbkwmfHWzf44DX6IQQirg5XCGwpLX0Ai++Qkq
+  SessionToken: IQoJb3jPZ2luX2VjEAIaCWV1LXdlc3QtMSJHMEUCIQCGEihh9rBi1cL8ebhQVdcKl8Svzm5VCIC/ebCdxpORiA…
+```
+
+#### Require MFA for assuming Roles
+
+Add the `"Bool": {"aws:MultiFactorAuthPresent": true}` condition to the Role's trust relationships:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [{
+        "Effect": "Allow",
+        "Principal": {
+            "AWS": "arn:aws:iam::012345678901:user/halJordan"
+        },
+        "Action": "sts:AssumeRole",
+        "Condition": {
+            "Bool": {
+                "aws:MultiFactorAuthPresent": true
+            }
+        }
+    }]
+}
+```
+
+When requiring MFA with AssumeRole, identities need to pass values for the SerialNumber and TokenCode parameters.<br/>
+SerialNumbers identify the users' hardware or virtual MFA devices, TokenCodes are the time-based one-time password
+(TOTP) value that devices produce.
+
 ## Further readings

 - [EC2]
--- a/computing/aws/eks.md
+++ b/computing/aws/eks.md
@@ -101,6 +101,9 @@ aws eks associate-access-policy --cluster-name 'DeepThought' \
 # Connect to clusters.
 aws eks update-kubeconfig --name 'DeepThought' && kubectl cluster-info
 aws eks --region 'eu-west-1' update-kubeconfig --name 'DeepThought' --profile 'dev-user' && kubectl cluster-info
+aws eks update-kubeconfig \
+  --region 'eu-west-1' --name 'DeepThought' --role-arn 'arn:aws:iam::012345678901:role/AssumedRole' \
+&& kubectl cluster-info


 # Create EC2 node groups.
@@ -130,11 +133,17 @@ aws eks describe-addon-configuration --addon-name 'aws-ebs-csi-driver' --addon-v

 </details>

-<!-- Uncomment if needed
 <details>
  <summary>Real world use cases</summary>
+
+```sh
+# Connect to clusters.
+aws eks --region 'eu-west-1' update-kubeconfig --name 'DeepThought'
+aws eks … update-kubeconfig --name 'DeepThought' --profile 'dev-user'
+aws eks … update-kubeconfig --name 'DeepThought' --role-arn 'arn:aws:iam::012345678901:role/EksAdminRole'
+```
+
 </details>
-->

 ## Requirements

@@ -1089,7 +1098,7 @@ Requirements:
  Specifically, subnets must have the specific, appropriate tags.<br/>
  Those are actively looked for by the controller, and will miserably fail if they are not present.

-Procedure:
+Installation:

 1. Create a IAM policy using the `/docs/install/iam_policy.json` file in the
   [controller's repository][aws load balancer controller repository].
@@ -1125,6 +1134,9 @@ Procedure:

   </details>

+Ingresses annotations will configure the load balancers they create.<br/>
+Refer [Ingress annotations][aws load balancer controller ingress annotations] for the full list.
+
 ### EBS CSI driver

 #### EBS CSI driver as aws-managed add-on
@@ -1432,6 +1444,7 @@ helm upgrade -i --repo 'https://aws.github.io/eks-charts' \

 <!-- Others -->
 [amazon elastic block store (ebs) csi driver]: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/README.md
+[aws load balancer controller ingress annotations]: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/guide/ingress/annotations.md
 [aws load balancer controller repository]: https://github.com/kubernetes-sigs/aws-load-balancer-controller
 [enable ebs gp3 for eks by default]: https://geko.cloud/en/aws-enable-ebs-gp3-for-eks-by-default/
 [external-snapshotter]: https://github.com/kubernetes-csi/external-snapshotter