mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
// Module included in the following assemblies:
//
// * networking/networking_operators/aws-load-balancer-operator/preparing-sts-cluster-for-albo.adoc

:_mod-docs-content-type: PROCEDURE
[id="using-aws-cli-create-iam-role-alb-operator_{context}"]
= Creating an AWS IAM role by using the AWS CLI

[role="_abstract"]
To enable the {aws-short} Load Balancer Operator to interact with subnets and VPCs, create an {aws-short} IAM role by using the {aws-short} CLI. The trust policy of the role allows only the service account of the Operator, authenticated through the OIDC identity provider of the cluster, to assume the role, and the attached permission policy grants the Operator the access it needs to manage the necessary network resources within the cluster.

.Prerequisites

* You must have access to the {aws-short} Command Line Interface (`aws`).

.Procedure

. Generate a trust policy file by using your identity provider by running the following command:
+
[source,terminal]
----
$ cat <<EOF > albo-operator-trust-policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "<oidc_arn>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "<cluster_oidc_endpoint>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager"
                }
            }
        }
    ]
}
EOF
----
+
where:
+
`<oidc_arn>`:: Specifies the Amazon Resource Name (ARN) of the OIDC identity provider, such as `arn:aws:iam::777777777777:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`.
`<cluster_oidc_endpoint>`:: Specifies the OIDC endpoint of the cluster, such as `rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`. The `sub` condition on this key restricts the role to the service account for the {aws-short} Load Balancer Controller.

. Create the IAM role with the generated trust policy by running the following command:
+
[source,terminal]
----
$ aws iam create-role --role-name albo-operator --assume-role-policy-document file://albo-operator-trust-policy.json
----
+
.Example output
[source,terminal]
----
ROLE    arn:aws:iam::<aws_account_number>:role/albo-operator    2023-08-02T12:13:22Z <1>
ASSUMEROLEPOLICYDOCUMENT    2012-10-17
STATEMENT    sts:AssumeRoleWithWebIdentity    Allow
STRINGEQUALS    system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager
PRINCIPAL    arn:aws:iam::<aws_account_number>:oidc-provider/<cluster_oidc_endpoint>
----
<1> Specifies the ARN of the created {aws-short} IAM role for the {aws-short} Load Balancer Operator, such as `arn:aws:iam::777777777777:role/albo-operator`, where `<aws_account_number>` is your {aws-short} account number.

. Download the permission policy for the {aws-short} Load Balancer Operator by running the following command:
+
[source,terminal]
----
$ curl -o albo-operator-permission-policy.json https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/operator-permission-policy.json
----

. Attach the permission policy for the {aws-short} Load Balancer Controller to the IAM role by running the following command:
+
[source,terminal]
----
$ aws iam put-role-policy --role-name albo-operator --policy-name perms-policy-albo-operator --policy-document file://albo-operator-permission-policy.json
----
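The trust policy from step 1 is what limits who can assume the role: a `Federated` principal equal to the OIDC provider ARN of the cluster, and a `StringEquals` condition on `<cluster_oidc_endpoint>:sub` that names the exact service account. The following Python, added here as an example and not code from the OpenShift documentation or the Operator project, builds that policy and checks a trust policy document for those two properties before it is passed to `aws iam create-role`, reporting a missing condition or a `StringLike` wildcard as a finding. The constants are constructed from the placeholder values on this page, and `build_trust_policy` and `check_trust_policy` are hypothetical helper names.

```python
import json

# Constructed sample values: the account number and OIDC endpoint are the
# illustrative values this procedure uses; the service account is the one the
# trust policy's "sub" condition names.
OIDC_ENDPOINT = "rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f"
OIDC_ARN = f"arn:aws:iam::777777777777:oidc-provider/{OIDC_ENDPOINT}"
EXPECTED_SUB = ("system:serviceaccount:aws-load-balancer-operator:"
                "aws-load-balancer-operator-controller-manager")


def build_trust_policy(oidc_arn, oidc_endpoint, sub):
    """Same trust policy as the heredoc in step 1, as a dict."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": oidc_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{oidc_endpoint}:sub": sub}},
        }],
    }


def check_trust_policy(policy_json, oidc_arn, oidc_endpoint, sub):
    """Return findings for every Allow statement that grants AssumeRoleWithWebIdentity
    without pinning both the cluster OIDC provider and the exact service account.
    An empty list means the policy has the shape step 1 produces."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    stmts = policy.get("Statement", [])
    sub_key, findings = f"{oidc_endpoint}:sub", []
    for i, st in enumerate(stmts if isinstance(stmts, list) else [stmts]):
        actions = st.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if st.get("Effect") != "Allow" or not actions & {"sts:AssumeRoleWithWebIdentity", "sts:*"}:
            continue
        principal = st.get("Principal")
        fed = principal.get("Federated") if isinstance(principal, dict) else principal
        if fed != oidc_arn:
            findings.append(f"statement {i}: Federated principal {fed!r} is not the cluster OIDC provider")
        cond = st.get("Condition", {})
        equals = cond.get("StringEquals", {})
        if sub_key in equals:
            if equals[sub_key] != sub:
                findings.append(f"statement {i}: sub is {equals[sub_key]!r}, expected {sub!r}")
        elif sub_key in cond.get("StringLike", {}):
            findings.append(f"statement {i}: sub uses StringLike {cond['StringLike'][sub_key]!r}; "
                            "a wildcard widens which workloads can assume the role")
        else:
            findings.append(f"statement {i}: no {sub_key} condition; any token from this issuer could assume the role")
    return findings
```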