Creating an AWS role using a script
You need to create an AWS IAM role and pass the role's Amazon Resource Name (ARN) while installing the OpenShift Data Foundation operator.
Procedure
Create an AWS IAM role using a script whose trust policy matches the OpenID Connect (OIDC) provider of the cluster that runs Multicloud Object Gateway (MCG) on OpenShift Data Foundation. The trust policy allows only the listed MCG service accounts to call sts:AssumeRoleWithWebIdentity; the StringEquals condition on the token's sub claim is what stops every other pod in the cluster from assuming the role, so keep it scoped to exactly these service accounts. The following example shows the trust policy that is required to create the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789123:oidc-provider/mybucket-oidc.s3.us-east-2.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "mybucket-oidc.s3.us-east-2.amazonaws.com:sub": [
            "system:serviceaccount:openshift-storage:noobaa",
            "system:serviceaccount:openshift-storage:noobaa-endpoint"
          ]
        }
      }
    }
  ]
}
where
  123456789123 is the AWS account ID
  mybucket-oidc is the name of the S3 bucket that hosts the cluster's OIDC configuration (public bucket configuration)
  us-east-2 is the AWS region
  openshift-storage is the namespace in which MCG runs
Sample script
#!/bin/bash
set -x
# This is a sample script to help you deploy MCG on an AWS STS cluster.
# This script shows how to create the role trust policy and then create the role in AWS.
# For more information see: https://docs.openshift.com/rosa/authentication/assuming-an-aws-iam-role-for-a-service-account.html
# WARNING: This is a sample script. You need to adjust the variables based on your requirement.

# Variables:
# user variables - REPLACE these variables with your values:
ROLE_NAME="<role-name>"   # role name that you pick in your AWS account
NAMESPACE="<namespace>"   # namespace where MCG is running. For OpenShift Data Foundation, it is openshift-storage.

# MCG variables
SERVICE_ACCOUNT_NAME_1="<service-account-name-1>" # The service account name of statefulset core and deployment operator (MCG operator)
SERVICE_ACCOUNT_NAME_2="<service-account-name-2>" # The service account name of deployment endpoint (MCG endpoint)

# AWS variables
# Make sure these values are not empty (AWS_ACCOUNT_ID, OIDC_PROVIDER)
# AWS_ACCOUNT_ID is your AWS account number
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
# If you want to create the role before using the cluster, replace this field too.
# The OIDC provider has one of these structures:
# 1) <OIDC-bucket>.s3.<aws-region>.amazonaws.com when the OIDC bucket configuration is in an S3 public bucket
# 2) <characters>.cloudfront.net when the OIDC bucket configuration is in an S3 private bucket with a public CloudFront distribution URL
# The value is the cluster's service account issuer URL without the leading https://
OIDC_PROVIDER=$(oc get authentication cluster -ojson | jq -r .spec.serviceAccountIssuer | sed -e "s/^https:\/\///")
# An empty value here would produce a trust policy with a malformed Federated principal, so stop early.
if [ -z "$AWS_ACCOUNT_ID" ] || [ -z "$OIDC_PROVIDER" ]; then
  echo "AWS_ACCOUNT_ID or OIDC_PROVIDER is empty; check your aws and oc logins" >&2
  exit 1
fi
# The permission (S3 full access). This managed policy grants access to every bucket in the
# account; for production, attach a policy scoped to the buckets MCG actually needs instead.
POLICY_ARN_STRINGS="arn:aws:iam::aws:policy/AmazonS3FullAccess"

# Creating the role (with the AWS command line interface)
# The StringEquals condition on sub restricts the role to the two MCG service accounts;
# without it, any pod in the cluster could assume the role.
read -r -d '' TRUST_RELATIONSHIP <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_PROVIDER}:sub": [
            "system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT_NAME_1}",
            "system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT_NAME_2}"
          ]
        }
      }
    }
  ]
}
EOF
echo "${TRUST_RELATIONSHIP}" > trust.json

aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document file://trust.json --description "role for demo"

while IFS= read -r POLICY_ARN; do
  echo -n "Attaching $POLICY_ARN ... "
  aws iam attach-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-arn "${POLICY_ARN}"
  echo "ok."
done <<< "$POLICY_ARN_STRINGS"
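The following is an added example, not code from the OpenShift Data Foundation documentation or from the NooBaa project. It runs offline: it renders the same trust-policy document that the sample script writes to trust.json and then simulates the StringEquals check on the token's sub claim, so you can confirm which Kubernetes service accounts could assume the role before running aws iam create-role. The account ID, OIDC host and namespace used at the bottom are constructed sample values in the same shape as the page's example, not real identifiers; the function names are this example's own.

```python
"""Render and sanity-check the IAM trust policy for the MCG role.

Added example (not from the OpenShift Data Foundation docs or NooBaa).
Only the policy features the page's trust policy uses are modelled:
an Allow statement for sts:AssumeRoleWithWebIdentity whose Federated
principal is the OIDC provider, with an optional StringEquals
condition on the "<provider>:sub" key.
"""
import json
from urllib.parse import urlparse

ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"


def oidc_provider_from_issuer(issuer_url: str) -> str:
    """Strip the scheme from the cluster's serviceAccountIssuer URL.

    Same result as the sample script's sed that removes the leading
    https:// : the IAM OIDC provider ARN ends in the bare issuer host
    plus any path component.
    """
    parsed = urlparse(issuer_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"issuer must be an https URL, got {issuer_url!r}")
    return parsed.netloc + parsed.path.rstrip("/")


def build_trust_policy(account_id, oidc_provider, namespace, service_accounts):
    """Return the trust policy dict that the sample script writes to trust.json."""
    subjects = [f"system:serviceaccount:{namespace}:{sa}" for sa in service_accounts]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"
                },
                "Action": ASSUME_ACTION,
                "Condition": {"StringEquals": {f"{oidc_provider}:sub": subjects}},
            }
        ],
    }


def subject_can_assume(policy, oidc_provider, subject):
    """Simulate whether a token with this sub, minted by oidc_provider,
    passes the trust policy.

    StringEquals is an exact match, so a service account with the same
    name in another namespace does not qualify. A statement with no sub
    condition trusts every token the provider issues, which means every
    pod in the cluster could assume the role.
    """
    sub_key = f"{oidc_provider}:sub"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != ASSUME_ACTION:
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f":oidc-provider/{oidc_provider}"):
            continue  # token came from a provider this statement does not trust
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if sub_key not in equals:
            return True  # unrestricted: any identity from this provider
        allowed = equals[sub_key]
        if isinstance(allowed, str):
            allowed = [allowed]
        if subject in allowed:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    account = "123456789123"
    provider = oidc_provider_from_issuer("https://mybucket-oidc.s3.us-east-2.amazonaws.com")
    policy = build_trust_policy(account, provider, "openshift-storage", ["noobaa", "noobaa-endpoint"])
    print(json.dumps(policy, indent=2))  # the same document the script writes to trust.json
    for sub in ("system:serviceaccount:openshift-storage:noobaa",
                "system:serviceaccount:openshift-storage:noobaa-endpoint",
                "system:serviceaccount:default:noobaa"):
        verdict = "allowed" if subject_can_assume(policy, provider, sub) else "denied"
        print(f"{sub}: {verdict}")
```

Probing the rendered policy with an unrelated subject such as system:serviceaccount:default:noobaa is the quickest way to notice a trust policy that lost its sub condition: with the condition in place that probe is denied; without it, every service account in the cluster is allowed.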