mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
54 lines
3.6 KiB
Plaintext
54 lines
3.6 KiB
Plaintext
:_mod-docs-content-type: ASSEMBLY
|
|
[id="assuming-an-aws-iam-role-for-a-service-account"]
|
|
= Assuming an AWS IAM role for a service account
|
|
include::_attributes/common-attributes.adoc[]
|
|
ifdef::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]
|
|
include::_attributes/attributes-openshift-dedicated.adoc[]
|
|
endif::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]
|
|
:context: assuming-an-aws-iam-role-for-a-service-account
|
|
|
|
toc::[]
|
|
|
|
[role="_abstract"]
|
|
ifdef::openshift-rosa,openshift-rosa-hcp[]
|
|
In {product-title} clusters that use the AWS Security Token Service (STS), the OpenShift API server can be enabled to project signed service account tokens that can be used to assume an AWS Identity and Access Management (IAM) role in a pod. If the assumed IAM role has the required AWS permissions, the pods can authenticate against the AWS API using temporary STS credentials to perform AWS operations.
|
|
endif::openshift-rosa,openshift-rosa-hcp[]
|
|
|
|
You can use the pod identity webhook to project service account tokens to assume an AWS Identity and Access Management (IAM) role for your own workloads. If the assumed IAM role has the required AWS permissions, the pods can run AWS SDK operations by using temporary STS credentials.
|
|
|
|
include::modules/how-service-accounts-assume-aws-iam-roles-in-sre-owned-projects.adoc[leveloffset=+1]
|
|
|
|
include::modules/understanding-pod-identity-webhook-workflow-in-user-defined-projects.adoc[leveloffset=+1]
|
|
|
|
include::modules/assuming-an-aws-iam-role-in-your-own-pods.adoc[leveloffset=+1]
|
|
|
|
include::modules/setting-up-an-aws-iam-role-a-service-account.adoc[leveloffset=+2]
|
|
|
|
include::modules/creating-a-service-account-in-your-project.adoc[leveloffset=+2]
|
|
|
|
include::modules/creating-an-example-aws-sdk-container-image.adoc[leveloffset=+2]
|
|
|
|
include::modules/deploying-a-pod-that-includes-an-aws-sdk.adoc[leveloffset=+2]
|
|
|
|
include::modules/verifying-the-assumed-iam-role-in-your-pod.adoc[leveloffset=+2]
|
|
|
|
[role="_additional-resources"]
|
|
[id="additional-resources_configuring-alert-notifications"]
|
|
== Additional resources
|
|
|
|
* For more information about using AWS IAM roles with service accounts, see link:https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html[IAM roles for service accounts] in the AWS documentation.
|
|
|
|
* For information about AWS IAM role delegation, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html[Creating a role to delegate permissions to an AWS service] in the AWS documentation.
|
|
|
|
* For details about AWS SDKs, see link:https://docs.aws.amazon.com/sdkref/latest/guide/overview.html[AWS SDKs and Tools Reference Guide] in the AWS documentation.
|
|
|
|
* For more information about installing and using the AWS Boto3 SDK for Python, see the link:https://boto3.amazonaws.com/v1/documentation/api/latest/index.html[AWS Boto3 documentation].
|
|
|
|
ifdef::openshift-rosa,openshift-dedicated[]
|
|
* For general information about webhook admission plugins for OpenShift, see
|
|
xref:../architecture/admission-plug-ins.adoc#admission-webhooks-about_admission-plug-ins[Webhook admission plugins] in the {product-title} documentation.
|
|
endif::openshift-rosa,openshift-dedicated[]
|
|
//Had to hardcode link due to Architecture book not currently in the ROSA HCP topic map. Once that is added, can then link to xref.
|
|
ifdef::openshift-rosa-hcp[]
|
|
* For general information about webhook admission plugins for OpenShift, see link:https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/architecture/admission-plug-ins#admission-webhooks-about_admission-plug-ins[Webhook admission plugins] in the {product-title} documentation.
|
|
endif::openshift-rosa-hcp[] |