Configure the EKS Cluster with the AWS policy and IAM role

Before you configure the cluster and run the operator, you need to choose the EKS namespace and the EKS service account on which you want to apply the policy and run the secret rotator operator.

  1. Run the following command to export the namespace and service account name for use in the procedure.

    export NAMESPACE=<namespace where the passwordless access is to be configured>
    export SERVICE_ACCOUNT_NAME=<service account where the passwordless access is to be configured>
  2. Run the following command to get the OIDC provider of the EKS cluster (the issuer URL with the https:// prefix removed).

    oidc_provider=$(aws eks describe-cluster --name <EKS cluster name> --region <EKS region> --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
  3. Run the following command to get the ID of the AWS account that owns the EKS cluster.

    account_id=$(aws sts get-caller-identity --query "Account" --output text)
  4. Create the trust-relationship.json file with the following structure. Enter the actual values of the account ID, OIDC provider, namespace, and service account in the JSON file, not the variable names.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::<account id>:oidc-provider/<OIDC provider>"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "<OIDC provider>:aud": "sts.amazonaws.com",
              "<OIDC provider>:sub": "system:serviceaccount:<namespace>:<service account>"
            }
          }
        }
      ]
    }
  5. Run the following command to create the IAM role.

    aws iam create-role --role-name <IAM role name> --assume-role-policy-document file://trust-relationship.json --description "my-role-description"  --max-session-duration <token expiration in seconds>

    The maximum value that you can set for max-session-duration is 14400 (12 hours).

  6. Create a policy JSON file that allows only sts:GetCallerIdentity and iam:GetRole on the role you created.

    my-policy.json:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:GetCallerIdentity",
          "Resource": "<ARN of the IAM role>"
        },
        {
          "Sid": "Statement1",
          "Effect": "Allow",
          "Action": ["iam:GetRole"],
          "Resource": ["<ARN of the IAM role>"]
        }
      ]
    }

    Configure the resource names with the details of the IAM role that you created.

  7. Run the following command to create the AWS policy.

    aws iam create-policy --policy-name my-policy --policy-document file://my-policy.json
  8. Run the following command to attach the AWS policy to the IAM role.

    aws iam attach-role-policy --role-name <IAM role name> --policy-arn arn:aws:iam::$account_id:policy/<policy name>
  9. In the AWS console, create an OpenID Connect (OIDC) identity provider for the cluster.

    Enter the value of $oidc_provider from step 2 as the Provider URL.

    Enter sts.amazonaws.com as the Audience.

    Use the Get Thumbprint option when you create the OIDC identity provider.
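As an added example (not part of this procedure), the following script renders the step 4 trust policy from the variables gathered in steps 1 to 3 so that the file contains literal values, then checks the result before it is passed to `aws iam create-role` in step 5. The account ID, OIDC issuer host, namespace and service account used at the bottom are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example (not from the original procedure): render trust-relationship.json
# from the step 1-3 variables so it holds literal values, then check it before step 5.
set -euo pipefail

# render_trust_policy ACCOUNT_ID OIDC_PROVIDER NAMESPACE SERVICE_ACCOUNT
# Prints the step 4 trust policy with every placeholder filled in.
render_trust_policy() {
  local account_id="$1" oidc_provider="$2" namespace="$3" sa="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${oidc_provider}:aud": "sts.amazonaws.com",
          "${oidc_provider}:sub": "system:serviceaccount:${namespace}:${sa}"
        }
      }
    }
  ]
}
EOF
}

# check_trust_policy FILE: fail if a placeholder or shell variable survived, if the
# aud condition is missing, or if the sub condition is absent or wildcarded (either
# would let other workloads in the cluster assume the role).
check_trust_policy() {
  local file="$1"
  ! grep -Eq '[<>$]' "$file" || { echo "unresolved placeholder in $file" >&2; return 1; }
  grep -q ':aud": "sts.amazonaws.com"' "$file" || { echo "aud condition missing" >&2; return 1; }
  grep -Eq ':sub": "system:serviceaccount:[^:"*]+:[^:"*]+"' "$file" \
    || { echo "sub condition missing or wildcarded" >&2; return 1; }
}

# Constructed sample values; in the real procedure pass $account_id, $oidc_provider,
# $NAMESPACE and $SERVICE_ACCOUNT_NAME from steps 1-3.
EXAMPLE_OIDC="oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
render_trust_policy 111122223333 "$EXAMPLE_OIDC" default secret-rotator > trust-relationship.json
check_trust_policy trust-relationship.json && echo "trust-relationship.json OK"
```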