mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
92 lines
3.2 KiB
Plaintext
92 lines
3.2 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * networking/installing-albo-sts-cluster.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="using-aws-cli-create-iam-role-alb-controller_{context}"]
|
|
= Creating an AWS IAM role for the controller by using the AWS CLI
|
|
|
|
You can use the AWS command line interface to create an AWS IAM role for the AWS Load Balancer Controller. An AWS IAM role is used to interact with subnets and Virtual Private Clouds (VPCs).
|
|
|
|
.Prerequisites
|
|
|
|
* You must have access to the AWS command line interface (`aws`).
|
|
|
|
.Procedure
|
|
|
|
. Generate a trust policy file using your identity provider by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ cat <<EOF > albo-controller-trust-policy.json
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"Federated": "arn:aws:iam::777777777777:oidc-provider/<oidc-provider-id>" <1>
|
|
},
|
|
"Action": "sts:AssumeRoleWithWebIdentity",
|
|
"Condition": {
|
|
"StringEquals": {
|
|
"<oidc-provider-id>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster" <2>
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
----
|
|
<1> Specifies the Amazon Resource Name (ARN) of the identity provider.
|
|
<2> Specifies the service account for the AWS Load Balancer Controller.
|
|
|
|
. Create an AWS IAM role with the generated trust policy by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ aws iam create-role --role-name albo-controller --assume-role-policy-document file://albo-controller-trust-policy.json
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
ROLE arn:aws:iam::777777777777:role/albo-controller 2023-08-02T12:13:22Z <1>
|
|
ASSUMEROLEPOLICYDOCUMENT 2012-10-17
|
|
STATEMENT sts:AssumeRoleWithWebIdentity Allow
|
|
STRINGEQUALS system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster
|
|
PRINCIPAL arn:aws:iam:777777777777:oidc-provider/<oidc-provider-id>
|
|
----
|
|
<1> Note the ARN of an AWS IAM role.
|
|
|
|
. Download the permission policy for the AWS Load Balancer Controller by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ curl -o albo-controller-permission-policy.json https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/assets/iam-policy.json
|
|
----
|
|
|
|
. Attach the permission policy for the AWS Load Balancer Controller to an AWS IAM role by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ aws iam put-role-policy --role-name albo-controller --policy-name perms-policy-albo-controller --policy-document file://albo-controller-permission-policy.json
|
|
----
|
|
|
|
. Create a YAML file that defines the `AWSLoadBalancerController` object:
|
|
+
|
|
.Example `sample-aws-lb-manual-creds.yaml` file:
|
|
[source,yaml]
|
|
----
|
|
apiVersion: networking.olm.openshift.io/v1
|
|
kind: AWSLoadBalancerController <1>
|
|
metadata:
|
|
name: cluster <2>
|
|
spec:
|
|
credentialsRequestConfig:
|
|
stsIAMRoleARN: <role-arn> <3>
|
|
----
|
|
<1> Defines the `AWSLoadBalancerController` object.
|
|
<2> Defines the AWS Load Balancer Controller name. All related resources use this instance name as a suffix.
|
|
<3> Specifies the ARN role. The `CredentialsRequest` object uses this ARN role to provision the AWS credentials.
|