From b9ea9381572275c54d3d5b51c005fb26797223cf Mon Sep 17 00:00:00 2001
From: Jerome Petazzoni
Date: Sun, 28 Mar 2021 12:59:54 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=80=20Move=20@soulshake's=20scripts=20?=
 =?UTF-8?q?and=20commands=20to=20prepare-eks=20directory?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 bin/sa-can-read-s3.sh | 133 ------------------------------------
 prepare-eks/70_oidc.sh | 46 +++++++++++++
 prepare-eks/80_s3_bucket.sh | 43 ++++++++++++
 3 files changed, 89 insertions(+), 133 deletions(-)
 delete mode 100755 bin/sa-can-read-s3.sh
 create mode 100755 prepare-eks/70_oidc.sh
 create mode 100755 prepare-eks/80_s3_bucket.sh

diff --git a/bin/sa-can-read-s3.sh b/bin/sa-can-read-s3.sh
deleted file mode 100755
index 3f5b981d..00000000
--- a/bin/sa-can-read-s3.sh
+++ /dev/null
@@ -1,133 +0,0 @@
-#!/usr/bin/env bash
-# I would like to demonstrate access to AWS resource (e.g. S3 bucket) from a pod. Idea:
-# create a bucket, put two objects in it (one public, one private), then … I suppose I
-# need to create a role with access to the private object, associate the role to a service
-# account in k8s, find an image with the aws CLI (or some s3 client) in it … ?
-
-set -euo pipefail
-
-emit_describe_cluster_policy() {
- # Not used right now, but this permission is required in order to run `aws eks update-kubeconfig`:
- echo '{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": [
- "eks:DescribeCluster"
- ],
- "Resource": "'"arn:aws:eks:${REGION}:${ACCOUNT_ID}:cluster/${CLUSTER_NAME}"'",
- "Effect": "Allow"
- }
- ]
-}'
-}
-
-create_describe_cluster_policy() {
- aws iam create-policy \
- --policy-name ${DESCRIBE_CLUSTER_POLICY_NAME} \
- --description "Policy allowing to describe ${CLUSTER_NAME}" \
- --policy-document "$(emit_describe_cluster_policy)"
-
- # to attach:
- # aws iam attach-user-policy --user-name "${user_name}" --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${DESCRIBE_CLUSTER_POLICY_NAME}"
-}
-
-emit_service_account_role_trust_policy() {
- local oidc_provider_arn key_prefix
- oidc_provider_arn="$(aws iam list-open-id-connect-providers | jq -r '.OpenIDConnectProviderList[0].Arn')"
- key_prefix="$(echo "${oidc_provider_arn}" | cut -f2- -d '/')"
-
- echo '{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Federated": "'"${oidc_provider_arn}"'"
- },
- "Action": "sts:AssumeRoleWithWebIdentity",
- "Condition": {
- "StringEquals": {
- "'"${key_prefix}:sub"'": "system:serviceaccount:default:default"
- }
- }
- }
- ]
-}'
-}
-
-associate_oidc_provider() {
- local issuer_url
- issuer_url="$(aws eks describe-cluster --name "${CLUSTER_NAME}" --query "cluster.identity.oidc.issuer" --output text)"
- if ! aws iam list-open-id-connect-providers | grep "${issuer_url}"; then
- eksctl utils associate-iam-oidc-provider --cluster "${CLUSTER_NAME}" --approve
- else
- echo "OIDC provider already associated"
- fi
-}
-
-create_role() {
- if ! _="$(aws iam get-role --role-name "${ROLE_NAME}")"; then
- aws iam create-role --role-name "${ROLE_NAME}" --description "Role for service account" --assume-role-policy-document "$(emit_service_account_role_trust_policy)"
- else
- echo "Role ${ROLE_NAME} already exists"
- fi
-}
-
-annotate_serviceaccount() {
- kubectl annotate serviceaccounts default -n default "role-arn=arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}" --overwrite
-}
-
-checkit() {
- echo "Will try to read s3://"${BUCKET_NAME}"/top-sekret.txt"
- kubectl run --image amazon/aws-cli --attach --restart=Never --rm --wait=true can-we-read-s3 -- s3 cp s3://"${BUCKET_NAME}"/top-sekret.txt -
-}
-
-update_kubeconfig() {
- aws eks update-kubeconfig --name "${CLUSTER_NAME}"
-}
-
-teardown() {
- # see also 'can-describe-cluster' policy, if created via create_describe_cluster_policy
- aws iam detach-role-policy --policy-arn "${S3_POLICY_ARN}" --role-name "${ROLE_NAME}"
- aws iam delete-role "${ROLE_NAME}"
- # for username in users; do ...
- # aws iam detach-user-policy --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${DESCRIBE_CLUSTER_POLICY_NAME}" --user-name "${username}"
- aws iam delete-policy --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${DESCRIBE_CLUSTER_POLICY_NAME}"
-}
-
-create_and_populate_bucket() {
- if ! _="$(aws s3api get-bucket-acl --bucket "${BUCKET_NAME}")"; then
- aws s3api create-bucket --region "${REGION}" --bucket "${BUCKET_NAME}" --create-bucket-configuration "LocationConstraint=${REGION}"
- else
- echo "Bucket ${BUCKET_NAME} already exists."
- fi
- f="$(mktemp)"
- echo "THE UNICORN IS IN THE GARDEN!!" >"${f}"
- aws s3api put-object --bucket "${BUCKET_NAME}" --key top-sekret.txt --body "${f}"
-}
-
-ACCOUNT_ID="$(aws sts get-caller-identity | jq -r .Account)"
-S3_POLICY_ARN=arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
-CLUSTER_NAME=floral-mongoose-1616851817
-DESCRIBE_CLUSTER_POLICY_NAME=can-describe-cluster
-ROLE_NAME=service-account-role
-REGION=eu-north-1
-BUCKET_NAME=wooga-booga-pants
-export KUBECONFIG=myconfig
-
-main() {
- if [ -n "${1:-}" ]; then
- echo "An argument was provided, running that: $1"
- "${1}"
- else
- echo "ACCOUNT_ID: $ACCOUNT_ID"
- associate_oidc_provider
- create_role
- aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${S3_POLICY_ARN}"
- annotate_serviceaccount
- checkit
- fi
-}
-
-main "$@"
diff --git a/prepare-eks/70_oidc.sh b/prepare-eks/70_oidc.sh
new file mode 100755
index 00000000..f50eac5b
--- /dev/null
+++ b/prepare-eks/70_oidc.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Note: if cluster was created without OIDC provider attached,
+# you need to run the following command. It is idempotent.
+#eksctl utils associate-iam-oidc-provider --cluster cluster-name-12341234 --approve
+
+if [ "$1" ]; then
+ CLUSTER="$1"
+else
+ echo "Please indicate cluster to use. Available clusters:"
+ aws eks list-clusters --output table
+ exit 1
+fi
+
+ACCOUNT=$(aws sts get-caller-identity | jq -r .Account)
+OIDC=$(aws eks describe-cluster --name $CLUSTER --query cluster.identity.oidc.issuer --output text | cut -d/ -f3-)
+ROLE_NAME=s3-reader-container-training
+TRUST_POLICY=$(envsubst <