mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/preparing-aws-credentials-for-oadp.adoc
2025-11-17 10:59:11 +00:00

// Module included in the following assemblies:
//
// * backup_and_restore/application_backup_and_restore/oadp-rosa/oadp-rosa-backing-up-applications.adoc
// * backup_and_restore/application_backup_and_restore/installing-oadp-rosa.adoc
:_mod-docs-content-type: PROCEDURE
[id="preparing-aws-credentials-for-oadp_{context}"]
= Preparing AWS credentials for OADP
[role="_abstract"]
An {aws-full} account must be prepared and configured to accept an {oadp-first} installation.
.Procedure
. Create the following environment variables by running the following commands:
+
[IMPORTANT]
====
Change the cluster name to match your cluster, and ensure that you are logged in to the cluster as an administrator. Ensure that every variable is output correctly before continuing.
====
+
[source,terminal]
----
$ export CLUSTER_NAME=my-cluster
----
+
--
* `my-cluster`: Replace `my-cluster` with your cluster name.
--
+
[source,terminal]
----
$ export ROSA_CLUSTER_ID=$(rosa describe cluster -c ${CLUSTER_NAME} --output json | jq -r .id)
----
+
[source,terminal]
----
$ export REGION=$(rosa describe cluster -c ${CLUSTER_NAME} --output json | jq -r .region.id)
----
+
[source,terminal]
----
$ export OIDC_ENDPOINT=$(oc get authentication.config.openshift.io cluster -o jsonpath='{.spec.serviceAccountIssuer}' | sed 's|^https://||')
----
+
[source,terminal]
----
$ export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
----
+
[source,terminal]
----
$ export CLUSTER_VERSION=$(rosa describe cluster -c ${CLUSTER_NAME} -o json | jq -r .version.raw_id | cut -f -2 -d '.')
----
+
[source,terminal]
----
$ export ROLE_NAME="${CLUSTER_NAME}-openshift-oadp-aws-cloud-credentials"
----
+
[source,terminal]
----
$ export SCRATCH="/tmp/${CLUSTER_NAME}/oadp"
----
+
[source,terminal]
----
$ mkdir -p ${SCRATCH}
----
+
[source,terminal]
----
$ echo "Cluster ID: ${ROSA_CLUSTER_ID}, Region: ${REGION}, OIDC Endpoint: ${OIDC_ENDPOINT}, AWS Account ID: ${AWS_ACCOUNT_ID}"
----
. On the {aws-short} account, create an IAM policy to allow access to {aws-short} S3:
+
.. Check to see if the policy exists by running the following command:
+
[source,terminal]
----
$ POLICY_ARN=$(aws iam list-policies --query "Policies[?PolicyName=='RosaOadpVer1'].{ARN:Arn}" --output text)
----
+
--
* `RosaOadpVer1`: Replace `RosaOadpVer1` with your policy name. Use the same name when you create the policy in the next step.
--
+
.. Enter the following command to create the policy JSON file and then create the policy:
+
[NOTE]
====
If the policy ARN is not found, the command creates the policy. If the policy ARN already exists, the `if` statement intentionally skips the policy creation.
====
+
[source,terminal]
----
$ if [[ -z "${POLICY_ARN}" ]]; then
cat << EOF > ${SCRATCH}/policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:PutBucketTagging",
        "s3:GetBucketTagging",
        "s3:PutEncryptionConfiguration",
        "s3:GetEncryptionConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumesModifications",
        "ec2:DescribeVolumeStatus",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*"
    }
  ]
}
EOF
POLICY_ARN=$(aws iam create-policy --policy-name "RosaOadpVer1" \
  --policy-document file://${SCRATCH}/policy.json --query Policy.Arn \
  --tags Key=rosa_openshift_version,Value=${CLUSTER_VERSION} Key=rosa_role_prefix,Value=ManagedOpenShift Key=operator_namespace,Value=openshift-oadp Key=operator_name,Value=openshift-oadp \
  --output text)
fi
----
+
--
* `SCRATCH`: The temporary directory created in the first step; the generated `policy.json` file is written there.
--
+
.. View the policy ARN by running the following command:
+
[source,terminal]
----
$ echo ${POLICY_ARN}
----
. Create an IAM role trust policy for the cluster:
+
.. Create the trust policy file by running the following command:
+
[source,terminal]
----
$ cat <<EOF > ${SCRATCH}/trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_ENDPOINT}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_ENDPOINT}:sub": [
            "system:serviceaccount:openshift-adp:openshift-adp-controller-manager",
            "system:serviceaccount:openshift-adp:velero"
          ]
        }
      }
    }
  ]
}
EOF
----
+
.. Create the role by running the following command:
+
[source,terminal]
----
$ ROLE_ARN=$(aws iam create-role --role-name \
"${ROLE_NAME}" \
--assume-role-policy-document file://${SCRATCH}/trust-policy.json \
--tags Key=rosa_cluster_id,Value=${ROSA_CLUSTER_ID} \
Key=rosa_openshift_version,Value=${CLUSTER_VERSION} \
Key=rosa_role_prefix,Value=ManagedOpenShift \
Key=operator_namespace,Value=openshift-adp \
Key=operator_name,Value=openshift-oadp \
--query Role.Arn --output text)
----
+
.. View the role ARN by running the following command:
+
[source,terminal]
----
$ echo ${ROLE_ARN}
----
. Attach the IAM policy to the IAM role by running the following command:
+
[source,terminal]
----
$ aws iam attach-role-policy --role-name "${ROLE_NAME}" \
--policy-arn ${POLICY_ARN}
----
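The following Python script is an added example; it is not part of this openshift-docs module or of the OADP project. It renders the trust policy from the same values the procedure exports (with constructed placeholders for the account ID and OIDC endpoint) and then audits both documents the way a reviewer would before attaching them: the role must be assumable only through the cluster's OIDC provider, only with `sts:AssumeRoleWithWebIdentity`, and only by the two `openshift-adp` service accounts; the permissions policy must contain only the actions listed in `policy.json`, with no wildcards. The function and constant names are the example's own.

```python
import copy

# Constructed stand-ins for the variables the procedure exports (not real values).
AWS_ACCOUNT_ID = "123456789012"
OIDC_ENDPOINT = "oidc.example.invalid/abc123"  # hypothetical issuer host/path
EXPECTED_SUBJECTS = (
    "system:serviceaccount:openshift-adp:openshift-adp-controller-manager",
    "system:serviceaccount:openshift-adp:velero",
)
# The exact action list the procedure's policy.json grants (all on Resource "*").
PROCEDURE_ACTIONS = frozenset({
    "s3:CreateBucket", "s3:DeleteBucket", "s3:PutBucketTagging", "s3:GetBucketTagging",
    "s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration",
    "s3:PutLifecycleConfiguration", "s3:GetLifecycleConfiguration",
    "s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject", "s3:PutObject",
    "s3:DeleteObject", "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload",
    "s3:ListMultipartUploadParts", "ec2:DescribeSnapshots", "ec2:DescribeVolumes",
    "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumesModifications",
    "ec2:DescribeVolumeStatus", "ec2:CreateTags", "ec2:CreateVolume",
    "ec2:CreateSnapshot", "ec2:DeleteSnapshot",
})


def _as_list(value):
    """IAM accepts either a string or a list in Action and Condition values."""
    return [value] if isinstance(value, str) else list(value or [])


def render_trust_policy(account_id, oidc_endpoint, subjects):
    """Same document the procedure writes to ${SCRATCH}/trust-policy.json."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_endpoint}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{oidc_endpoint}:sub": list(subjects)}},
        }],
    }


def audit_trust_policy(doc, account_id, oidc_endpoint, expected_subjects):
    """Return findings (empty means OK): only the cluster's OIDC provider may assume
    the role, only via AssumeRoleWithWebIdentity, only for the expected subjects."""
    findings = []
    want_principal = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_endpoint}"
    sub_key = f"{oidc_endpoint}:sub"
    statements = doc.get("Statement", [])
    if not statements:
        findings.append("trust policy has no statements")
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") != {"Federated": want_principal}:
            findings.append(f"statement {i}: principal is not the cluster OIDC provider")
        if _as_list(stmt.get("Action")) != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"statement {i}: unexpected actions {stmt.get('Action')}")
        cond = stmt.get("Condition", {})
        for op in cond:
            if op != "StringEquals":
                findings.append(f"statement {i}: condition operator {op} is looser than StringEquals")
        subs = _as_list(cond.get("StringEquals", {}).get(sub_key))
        if not subs:
            findings.append(f"statement {i}: no StringEquals condition on {sub_key}")
        for sub in sorted(set(subs) - set(expected_subjects)):
            findings.append(f"statement {i}: unexpected subject {sub}")
    return findings


def audit_permissions_policy(doc, allowed_actions=PROCEDURE_ACTIONS):
    """Return findings for wildcard actions or actions outside the procedure's list."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif action not in allowed_actions:
                findings.append(f"statement {i}: action {action} is not in the procedure's list")
    return findings


TRUST_POLICY = render_trust_policy(AWS_ACCOUNT_ID, OIDC_ENDPOINT, EXPECTED_SUBJECTS)
# Constructed negative case: a StringLike wildcard on sub would let any service
# account in the cluster assume the role, so the audit must report it.
LOOSE_TRUST_POLICY = copy.deepcopy(TRUST_POLICY)
LOOSE_TRUST_POLICY["Statement"][0]["Condition"] = {
    "StringLike": {f"{OIDC_ENDPOINT}:sub": "system:serviceaccount:*"}
}
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(PROCEDURE_ACTIONS), "Resource": "*"}]}

if __name__ == "__main__":
    print("trust findings:", audit_trust_policy(TRUST_POLICY, AWS_ACCOUNT_ID, OIDC_ENDPOINT, EXPECTED_SUBJECTS))
    print("loose findings:", audit_trust_policy(LOOSE_TRUST_POLICY, AWS_ACCOUNT_ID, OIDC_ENDPOINT, EXPECTED_SUBJECTS))
    print("permissions findings:", audit_permissions_policy(PERMISSIONS_POLICY))
```

To check the real files, load `${SCRATCH}/trust-policy.json` and `${SCRATCH}/policy.json` with `json.load` and pass the results to the two audit functions with your own `AWS_ACCOUNT_ID` and `OIDC_ENDPOINT`; an empty findings list means the documents match what the procedure intends. The permissions audit does not report `"Resource": "*"`, because the procedure relies on it; restricting the S3 actions to the backup bucket is a tightening you can apply after the bucket exists.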