Setting up an AWS IAM role for Red Hat OpenShift or Amazon EKS deployments

Connection to AWS through an IAM role is supported when a Turbonomic instance is deployed to a Kubernetes cluster in AWS through Red Hat OpenShift Service on AWS (ROSA) or Amazon EKS. For these deployments, the cluster must have an OIDC provider, the AWS pod identity webhook, and support for role assumption through an annotated service account (the mechanism AWS calls IAM roles for service accounts).

Important:

Turbonomic requires specific IAM identities for each AWS account that it accesses. You may need to set up other IAM identities in addition to the one described in this topic. For guidance on the IAM identities that you need to set up, see this topic.

Setting up an AWS IAM role

  1. Follow the instructions provided by Red Hat OpenShift Service on AWS (ROSA) or Amazon Elastic Kubernetes Service (EKS) to make sure your cluster has the configuration required for the Web Identity provider method: the AWS pod identity webhook and an OIDC provider.

    Note:

    Following the AWS instructions, register your cluster's OIDC provider as an IAM identity provider (Web Identity, using the cluster's OIDC URL) in the AWS account that you will be targeting.

  2. Configure a Kubernetes service account in the Turbonomic namespace that will assume an IAM role.

    • (Best Practice) Manually create a separate service account for the AWS Mediation pods to use. You must then modify the Custom Resource YAML to specify this service account for the AWS Mediation components. For example:

      spec:
        mediation-aws:
          serviceAccountName: t8c-iam-role
        mediation-awscloudbilling:
          serviceAccountName: t8c-iam-role
        mediation-awscost:
          serviceAccountName: t8c-iam-role

      After you update the Custom Resource YAML, apply the updated Custom Resource and confirm that the three Mediation pods restart with the new service account.

    • Use the Turbonomic default service account with which the AWS Mediation pods are running.

      Note:

      Unless a service account is specified in the Turbonomic Custom Resource, the AWS Mediation pods run with the namespace's default service account, called "default". If you annotate that default service account, there is nothing more to do except restart the AWS Mediation pods.

  3. Configure the IAM role in AWS.

    • Turbonomic AWS IAM role requirements, including cross-account access if required, are described here. The role's trust policy must allow the sts:AssumeRoleWithWebIdentity action (the action that STS performs when it exchanges the service account's OIDC token for role credentials).

    • Update the Trust Relationships of the IAM role to reference the Web Identity provider you registered and the service account that the pods will use: the OIDC provider is the federated principal, and the provider's sub condition key is set to system:serviceaccount:<namespace>:<service account name> so that only that service account can assume the role. See the instructions here.

    • The IAM role for Turbonomic to target your AWS account requires the following policies:

      AmazonRDSReadOnlyAccess
      AmazonEC2ReadOnlyAccess
      AmazonS3ReadOnlyAccess
      AWSOrganizationsReadOnlyAccess
  4. Annotate the service account you will use with the IAM role. See this article for an example.

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      # use the name of the service account that will carry the annotation
      name: default
      annotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>
  5. Make sure the service account that can assume the role is the one the AWS Mediation pods actually run with. The two options from step 2 are:

    • Use the Turbonomic default service account that the AWS Mediation pods run with.

      Note:

      In the namespace, the AWS Mediation pods run with the service account called "default" unless the Custom Resource specifies another one. If you annotate this default service account, restart the AWS Mediation pods so that they pick up the role.

    • Manually create a separate service account that is used only by the AWS Mediation pods. This is an AWS best practice, because the role is then assumable only by those pods rather than by every pod in the namespace that runs as "default". You must supply this service account to the Turbonomic deployment through the Custom Resource (CR).

      If you choose this option, modify the CR YAML to specify the service account for each AWS Mediation component. The following sample also sets the AWS_REGION environment variable for each component; the value is an AWS region code such as us-east-1.

      spec:
        mediation-aws:
          env:
          - name: AWS_REGION
            value: us-east-1
          serviceAccountName: t8c-iam-role
        mediation-awscloudbilling:
          env:
          - name: AWS_REGION
            value: us-east-1
          serviceAccountName: t8c-iam-role
        mediation-awscost:
          env:
          - name: AWS_REGION
            value: us-east-1
          serviceAccountName: t8c-iam-role
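The five steps above leave three artifacts that must agree with each other: the role's trust policy, the annotated service account, and the Custom Resource that tells the AWS Mediation pods which service account to run as. The script below is an added example, not Turbonomic or AWS code; it generates the trust policy for the OIDC provider and service account, builds the annotated ServiceAccount and the CR fragment, and cross-checks them for the mistakes that typically break role assumption (a wildcard or wrong sub condition, a missing role-arn annotation, a mediation component still running as "default", or a malformed AWS_REGION). The account ID, OIDC provider ID, role name and namespace are placeholders constructed for the example; the annotation key eks.amazonaws.com/role-arn and the three component names come from the page.

```python
"""Build and cross-check the pieces that let the Turbonomic AWS Mediation pods
assume an IAM role through the cluster OIDC provider.

Added example, not Turbonomic or AWS code. Account ID, OIDC provider ID, role
name and namespace are placeholders chosen for illustration.
"""
import json
import re

# Custom Resource components that must run with the annotated service account (from the page).
MEDIATION_COMPONENTS = ("mediation-aws", "mediation-awscloudbilling", "mediation-awscost")

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")  # us-east-1, eu-west-2, us-gov-west-1 ...

# Placeholder values constructed for this example; substitute your own.
EXAMPLE_ACCOUNT = "123456789012"
EXAMPLE_OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCPROVIDERID"
EXAMPLE_ROLE_ARN = f"arn:aws:iam::{EXAMPLE_ACCOUNT}:role/turbonomic-mediation"


def trust_policy(account_id, oidc_provider, namespace, service_account):
    """Trust relationship letting exactly one Kubernetes service account assume the role.

    oidc_provider is the issuer URL without the scheme, as IAM names it in the provider
    ARN and condition keys. Pinning :aud and :sub is what stops any other workload in
    the cluster from presenting its own token to assume this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_provider}:aud": "sts.amazonaws.com",
                f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def service_account_manifest(namespace, name, role_arn):
    """ServiceAccount carrying the annotation that the pod identity webhook looks for."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {"name": name, "namespace": namespace,
                     "annotations": {"eks.amazonaws.com/role-arn": role_arn}},
    }


def mediation_spec(service_account, region):
    """Custom Resource fragment pointing all three AWS Mediation components at one SA."""
    return {"spec": {comp: {"env": [{"name": "AWS_REGION", "value": region}],
                            "serviceAccountName": service_account}
                     for comp in MEDIATION_COMPONENTS}}


def check_wiring(trust, sa_manifest, cr_spec):
    """Return the mismatches between trust policy, service account and CR (empty = consistent)."""
    problems = []
    namespace, sa_name = sa_manifest["metadata"]["namespace"], sa_manifest["metadata"]["name"]
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"

    stmt = trust["Statement"][0]
    if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
        problems.append("trust policy must allow the sts:AssumeRoleWithWebIdentity action")
    cond = stmt.get("Condition", {})
    subs = {k: v for op in cond.values() for k, v in op.items() if k.endswith(":sub")}
    if not subs:
        problems.append("no :sub condition; every service account in the cluster could assume the role")
    for key, value in subs.items():
        if "*" in value:
            problems.append(f"{key} uses a wildcard ({value}); scope it to one service account")
        elif value != expected_sub:
            problems.append(f"{key} is {value}, expected {expected_sub}")
    auds = [v for op in cond.values() for k, v in op.items() if k.endswith(":aud")]
    if auds != ["sts.amazonaws.com"]:
        problems.append("trust policy should pin :aud to sts.amazonaws.com")

    role_arn = sa_manifest["metadata"].get("annotations", {}).get("eks.amazonaws.com/role-arn")
    if not role_arn or not ROLE_ARN_RE.match(role_arn):
        problems.append("service account lacks a well-formed eks.amazonaws.com/role-arn annotation")

    for comp in MEDIATION_COMPONENTS:
        c = cr_spec.get("spec", {}).get(comp, {})
        running_as = c.get("serviceAccountName", "default")  # Kubernetes default when unset
        if running_as != sa_name:
            problems.append(f"{comp} runs as {running_as!r}, not the annotated {sa_name!r}")
        region = next((e["value"] for e in c.get("env", []) if e.get("name") == "AWS_REGION"), None)
        if region is not None and not REGION_RE.match(region):
            problems.append(f"{comp}: AWS_REGION {region!r} is not a region code such as us-east-1")
    return problems


if __name__ == "__main__":
    trust = trust_policy(EXAMPLE_ACCOUNT, EXAMPLE_OIDC, "turbonomic", "t8c-iam-role")
    sa = service_account_manifest("turbonomic", "t8c-iam-role", EXAMPLE_ROLE_ARN)
    print(json.dumps(trust, indent=2))
    print("consistent:", check_wiring(trust, sa, mediation_spec("t8c-iam-role", "us-east-1")) or "yes")
    # A CR that leaves the pods on "default" with a malformed region fails the check.
    print("problems:", check_wiring(trust, sa, mediation_spec("default", "US_EAST_1")))
```

Paste the printed trust policy into the role's Trust Relationships, or feed it to `aws iam create-role --assume-role-policy-document`, and attach the four read-only managed policies listed in step 3 separately; the check itself needs no AWS access, so it can run in CI against the manifests before anything is applied.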

Next step

In AWS, set up a data export for use with the AWS Billing target. For details, see this topic.