mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-07 09:46:53 +01:00
75 lines
2.6 KiB
Plaintext
75 lines
2.6 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * networking/installing-albo-sts-cluster.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="using-aws-cli-create-iam-role-alb-operator_{context}"]
|
|
= Creating an AWS IAM role by using the Cloud Credential Operator utility
|
|
|
|
You can use the AWS Command Line Interface to create an IAM role for the AWS Load Balancer Operator. The IAM role is used to interact with subnets and Virtual Private Clouds (VPCs).
|
|
|
|
.Prerequisites
|
|
|
|
* You must have access to the AWS Command Line Interface (`aws`).
|
|
|
|
.Procedure
|
|
|
|
. Generate a trust policy file by using your identity provider by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ cat <<EOF > albo-operator-trust-policy.json
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"Federated": "arn:aws:iam::777777777777:oidc-provider/<oidc-provider-id>" <1>
|
|
},
|
|
"Action": "sts:AssumeRoleWithWebIdentity",
|
|
"Condition": {
|
|
"StringEquals": {
|
|
"<oidc-provider-id>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager" <2>
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
----
|
|
<1> Specifies the Amazon Resource Name (ARN) of the identity provider.
|
|
<2> Specifies the service account for the AWS Load Balancer Operator.
|
|
|
|
. Create the IAM role with the generated trust policy by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ aws iam create-role --role-name albo-operator --assume-role-policy-document file://albo-operator-trusted-policy.json
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
ROLE arn:aws:iam::777777777777:role/albo-operator 2023-08-02T12:13:22Z <1>
|
|
ASSUMEROLEPOLICYDOCUMENT 2012-10-17
|
|
STATEMENT sts:AssumeRoleWithWebIdentity Allow
|
|
STRINGEQUALS system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-manager
|
|
PRINCIPAL arn:aws:iam:777777777777:oidc-provider/<oidc-provider-id>
|
|
----
|
|
<1> Note the ARN of the created IAM role.
|
|
|
|
. Download the permission policy for the AWS Load Balancer Operator by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ curl -o albo-controller-permission-policy.json https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/assets/iam-policy.json
|
|
----
|
|
|
|
. Attach the permission policy for the AWS Load Balancer Controller to the IAM role by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ aws iam put-role-policy --role-name albo-controller --policy-name perms-policy-albo-controller --policy-document file://albo-controller-permission-policy.json
|
|
----
|