Configuring AWS implicit authentication

Create a bucket and a trust policy to finish the configuration of AWS implicit authentication.

Before you begin

Ensure that you have created a Db2uInstance custom resource (CR) and edited your Service Account, following the steps in Setting up for AWS implicit authentication.

You will need your own values for these variables to complete the procedure:

  • sa_of_db2u_deployment
  • your_account_id
  • oidc_provider_id
  • namespace_of_db2u_deployment
  • bucket_name
  • aws_region

About this task

Once you have edited your Service Account, sa_of_db2u_deployment, follow these steps to configure implicit authentication:

Procedure

  1. Create an S3 bucket by running this command, replacing bucket_name and aws_region with your own values:
    aws s3api create-bucket --bucket <bucket_name> --region <aws_region> --create-bucket-configuration LocationConstraint=<aws_region>
  2. Create a policy file locally named bucket-policy.json with the content shown in step 3. The policy grants the listed S3 actions on the bucket to the principal it is attached to (the role created in step 4). Run this command to create the policy:
    aws iam create-policy --policy-name Db2uS3AccessPolicy --policy-document file://bucket-policy.json
  3. Fill the policy file with the content from this code block:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket",
            "s3:GetObject",
            "s3:PutObject",
            "s3:GetObjectAcl",
            "s3:PutObjectAcl",
            "s3:DeleteObject",
            "s3:DeleteObjectVersion"
          ],
          "Resource": [
            "arn:aws:s3:::<bucket_name>",
            "arn:aws:s3:::<bucket_name>/*"
          ]
        }
      ]
    }
  4. Create a trust-policy.json file with the content shown in step 5, then run this command to create the role that uses it as its trust policy:
    aws iam create-role --role-name Db2uS3AccessRole --assume-role-policy-document file://trust-policy.json
  5. In the file contents, replace your_account_id, oidc_provider_id, namespace_of_db2u_deployment and sa_of_db2u_deployment. Review this example for a db2wh-mpp deployment as a guide; it uses the OIDC issuer of a cluster in us-east-2, so substitute your own cluster's issuer URL:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::<your_account_id>:oidc-provider/oidc.eks.us-east-2.amazonaws.com/id/<oidc_provider_id>"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "oidc.eks.us-east-2.amazonaws.com/id/<oidc_provider_id>:sub": "system:serviceaccount:<namespace_of_db2u_deployment>:<sa_of_db2u_deployment>",
                        "oidc.eks.us-east-2.amazonaws.com/id/<oidc_provider_id>:aud": "sts.amazonaws.com"
                    }
                }
            }
        ]
    }
  6. Attach the policy to the role:
    aws iam attach-role-policy --policy-arn arn:aws:iam::<your_account_id>:policy/Db2uS3AccessPolicy --role-name Db2uS3AccessRole
  7. The following example shows the execution of the db2-cos-objects.sh script. For an AWS EKS Db2U deployment that uses AWS IAM implicit authentication, the only required parameter is the bucket name:
    kubectl exec -it c-db2wh-mpp-db2u-0 -- /bin/bash
    su - db2inst1
    cd /db2u/scripts
    ./db2-cos-objects.sh run-all --bucket <bucket_name>
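As an added check, not part of the Db2U documentation or its scripts, this Python snippet renders the step 5 trust policy from the placeholder variables and audits a trust policy for the conditions that keep the role pinned to the Db2U service account (exact sub and aud match against your cluster's OIDC provider). The account ID, provider ID, namespace and service account values are constructed placeholders.

```python
# Constructed placeholder values (not real identifiers) standing in for the
# variables the procedure asks you to substitute.
ACCOUNT_ID = "111111111111"
OIDC_PROVIDER = "oidc.eks.us-east-2.amazonaws.com/id/EXAMPLEOIDCPROVIDERID"
NAMESPACE = "db2u"
SERVICE_ACCOUNT = "db2u"

def render_trust_policy(account_id, oidc_provider, namespace, sa):
    """Trust policy from step 5 with the placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{sa}",
                f"{oidc_provider}:aud": "sts.amazonaws.com",
            }},
        }],
    }

def trust_policy_findings(policy, account_id, oidc_provider, namespace, sa):
    """List the ways a trust policy is looser than step 5 intends; [] means it is pinned to one service account."""
    findings = []
    expected_principal = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"
    expected_sub = f"system:serviceaccount:{namespace}:{sa}"
    seen = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        seen = True
        if stmt.get("Principal", {}).get("Federated") != expected_principal:
            findings.append("Federated principal is not the cluster's OIDC provider")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        sub = equals.get(f"{oidc_provider}:sub")
        if sub is None:
            # Without an exact sub match, any pod in the cluster that gets a projected token can assume the role
            findings.append("sub is not pinned with StringEquals")
        elif sub != expected_sub:
            findings.append(f"sub is {sub}, not the Db2U service account")
        if equals.get(f"{oidc_provider}:aud") != "sts.amazonaws.com":
            findings.append("aud is not sts.amazonaws.com")
    if not seen:
        findings.append("no sts:AssumeRoleWithWebIdentity statement")
    return findings
```

Run the audit against the trust-policy.json you wrote (after loading it with the json module) before attaching the S3 policy in step 6; an empty list means the role can only be assumed by the Db2U service account you named.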

What to do next

Configuring AWS Role based authentication through storage access alias