// Module included in the following assemblies:
|
|
//
|
|
// * rosa_backing_up_and_restoring_applications/backing-up-applications.adoc
|
|
|
|
:_content-type: PROCEDURE
|
|
[id="oadp-preparing-aws-credentials_{context}"]
|
|
= Preparing AWS credentials
|
|
|
|
An AWS account must be ready to accept an OADP installation.
|
|
|
|
.Procedure
|
|
. Create the following environment variables by running the following commands:
|
|
+
|
|
[NOTE]
|
|
====
|
|
Change the cluster name to match your ROSA cluster, and ensure you are logged into the cluster as an administrator. The `aws` CLI must be authenticated to the AWS account that hosts the cluster, because `AWS_ACCOUNT_ID` is taken from `aws sts get-caller-identity` and is later used to build the OIDC provider ARN in the role trust policy. Ensure that all fields are output correctly before continuing.
|
|
====
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ export CLUSTER_NAME=my-cluster <1>
|
|
export ROSA_CLUSTER_ID=$(rosa describe cluster -c ${CLUSTER_NAME} --output json | jq -r .id)
|
|
export REGION=$(rosa describe cluster -c ${CLUSTER_NAME} --output json | jq -r .region.id)
|
|
export OIDC_ENDPOINT=$(oc get authentication.config.openshift.io cluster -o jsonpath='{.spec.serviceAccountIssuer}' | sed 's|^https://||')
|
|
export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
|
|
export CLUSTER_VERSION=$(rosa describe cluster -c ${CLUSTER_NAME} -o json | jq -r .version.raw_id | cut -f -2 -d '.')
|
|
export ROLE_NAME="${CLUSTER_NAME}-openshift-oadp-aws-cloud-credentials"
|
|
export SCRATCH="/tmp/${CLUSTER_NAME}/oadp"
|
|
mkdir -p ${SCRATCH}
|
|
echo "Cluster ID: ${ROSA_CLUSTER_ID}, Region: ${REGION}, OIDC Endpoint:
|
|
${OIDC_ENDPOINT}, AWS Account ID: ${AWS_ACCOUNT_ID}"
|
|
----
|
|
+
|
|
<1> Replace `my-cluster` with your ROSA cluster name.
|
|
|
|
. On the AWS account, create an IAM policy that grants the S3 and EC2 snapshot permissions that OADP needs.
|
|
|
|
.. Check to see if the policy exists by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ POLICY_ARN=$(aws iam list-policies --query "Policies[?PolicyName=='RosaOadpVer1'].{ARN:Arn}" --output text) <1>
|
|
----
|
|
+
|
|
<1> Replace `RosaOadpVer1` with your policy name. Use the same name in the `aws iam create-policy --policy-name` command in the next step; otherwise the existence check and the policy creation refer to different policies.
|
|
|
|
.. Use the following command to create the policy JSON file and then create the policy in AWS IAM.
|
|
+
|
|
[NOTE]
|
|
====
|
|
If the policy ARN is not found, the command creates the policy. If the policy ARN already exists, the `if` statement intentionally skips the policy creation, so an existing policy with that name is reused as-is even if its document differs from the one shown here. The statement grants the listed S3 and EC2 actions on all resources (`"Resource": "*"`); after the backup bucket exists, consider restricting the S3 actions to that bucket and its objects.
|
|
====
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ if [[ -z "${POLICY_ARN}" ]]; then
|
|
cat << EOF > ${SCRATCH}/policy.json <1>
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:CreateBucket",
|
|
"s3:DeleteBucket",
|
|
"s3:PutBucketTagging",
|
|
"s3:GetBucketTagging",
|
|
"s3:PutEncryptionConfiguration",
|
|
"s3:GetEncryptionConfiguration",
|
|
"s3:PutLifecycleConfiguration",
|
|
"s3:GetLifecycleConfiguration",
|
|
"s3:GetBucketLocation",
|
|
"s3:ListBucket",
|
|
"s3:GetObject",
|
|
"s3:PutObject",
|
|
"s3:DeleteObject",
|
|
"s3:ListBucketMultipartUploads",
|
|
"s3:AbortMultipartUpload",
|
|
"s3:ListMultipartUploadParts",
|
|
"ec2:DescribeSnapshots",
|
|
"ec2:DescribeVolumes",
|
|
"ec2:DescribeVolumeAttribute",
|
|
"ec2:DescribeVolumesModifications",
|
|
"ec2:DescribeVolumeStatus",
|
|
"ec2:CreateTags",
|
|
"ec2:CreateVolume",
|
|
"ec2:CreateSnapshot",
|
|
"ec2:DeleteSnapshot"
|
|
],
|
|
"Resource": "*"
|
|
}
|
|
]}
|
|
EOF
|
|
|
|
POLICY_ARN=$(aws iam create-policy --policy-name "RosaOadpVer1" \
|
|
--policy-document file://${SCRATCH}/policy.json --query Policy.Arn \
|
|
--tags Key=rosa_openshift_version,Value=${CLUSTER_VERSION} Key=rosa_role_prefix,Value=ManagedOpenShift Key=operator_namespace,Value=openshift-adp Key=operator_name,Value=openshift-oadp \
|
|
--output text)
|
|
fi
|
|
----
|
|
+
|
|
<1> `SCRATCH` is the temporary directory, created in the first step, that holds the generated policy JSON files.
|
|
|
|
.. View the policy ARN by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ echo ${POLICY_ARN}
|
|
----
|
|
|
|
|
|
. Create an IAM role trust policy for the cluster:
|
|
|
|
.. Create the trust policy file by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ cat <<EOF > ${SCRATCH}/trust-policy.json
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [{
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_ENDPOINT}"
|
|
},
|
|
"Action": "sts:AssumeRoleWithWebIdentity",
|
|
"Condition": {
|
|
"StringEquals": {
|
|
"${OIDC_ENDPOINT}:sub": [
|
|
"system:serviceaccount:openshift-adp:openshift-adp-controller-manager",
|
|
"system:serviceaccount:openshift-adp:velero"]
|
|
}
|
|
}
|
|
}]
|
|
}
|
|
EOF
|
|
----
|
|
|
|
.. Create the role by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ ROLE_ARN=$(aws iam create-role --role-name \
"${ROLE_NAME}" \
--assume-role-policy-document file://${SCRATCH}/trust-policy.json \
--tags Key=rosa_cluster_id,Value=${ROSA_CLUSTER_ID} \
Key=rosa_openshift_version,Value=${CLUSTER_VERSION} \
Key=rosa_role_prefix,Value=ManagedOpenShift \
Key=operator_namespace,Value=openshift-adp \
Key=operator_name,Value=openshift-oadp \
--query Role.Arn --output text)
|
|
----
|
|
|
|
.. View the role ARN by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ echo ${ROLE_ARN}
|
|
----
|
|
|
|
. Attach the IAM policy to the IAM role by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ aws iam attach-role-policy --role-name "${ROLE_NAME}" \
|
|
--policy-arn ${POLICY_ARN}
|
|
----
|
|
|
|
.Next steps
|
|
|
|
* Continue to _Installing the OADP Operator and providing the IAM role_.
|