# Installing a connector on EKS using CloudFormation

Apono integrates seamlessly with AWS, using AWS CloudFormation to automate the deployment of all the necessary configurations:

* **Cross-account IAM role** with read permissions
* **Amazon SNS topic** for event notifications
* **Apono connector**, which runs on AWS EKS

Once installed, the connector syncs data from cloud applications and enables you to manage access permissions through access flows within Amazon EKS.

***

### Prerequisite

<table><thead><tr><th width="193.8984375">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>AdministratorAccess Role</strong></td><td><p>AWS role with <a href="https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html">AdministratorAccess</a> providing full access to AWS services and resources, required for installing the connector</p><p><strong>Full AWS access is not granted to Apono</strong>.</p></td></tr></tbody></table>

***

### Install a connector

Follow these steps to install the connector:

1. On the [**Catalog**](https://app.apono.io/catalog?search=aws) tab, click **AWS**. The **Connect Integrations Group** page appears.
2. Under **Discovery**, click **Amazon Account or Amazon Organization**.
3. Click one or more resource types to sync with Apono.

{% hint style="info" %}
Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage **Access Flows** to these resources.
{% endhint %}

4. Click **Next**. The **Apono connector** section expands.
5. From the **Select Connector** dropdown menu, click **+ Add new connector**. The **Select connector installation strategy** section appears.
6. Click **Cloud installation** > **CloudFormation + Helm (EKS).**
7. Open the [**CloudFormation**](https://console.aws.amazon.com/cloudformation/home?#/stacks/quickcreate?templateURL=https://apono-public.s3.amazonaws.com/cloudformation/aws_eks_connector_role.yml) **stack**. The **Create stack** page appears.

{% hint style="info" %}
If you are not already signed in, AWS will prompt you to enter your AWS user account.
{% endhint %}

8. Define the following **Parameters**:
   * **EKSClusterName**: Name of the EKS cluster where the Apono connector will be deployed.
   * **EKSIamMode**: Authentication mode used by the EKS connector. Possible values include IRSA (IAM Roles for Service Accounts) or Pod Identity.
   * (Optional) **EKSNamespace**: Kubernetes namespace in your EKS cluster where the Apono connector service account resides. Defaults to `apono-connector` if not specified.
   * (Optional) **EKSServiceAccountName**: Name of the Kubernetes service account associated with the Apono connector in the EKS cluster. Defaults to `apono-connector` if not specified.
9. Under **Capabilities**, select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**.
10. Click **Create stack**.
11. On the **Outputs** tab, copy the **Value** for the **ConnectorRoleArnOutput**. This value will be used to deploy the connector.
12. On the [**Connectors**](https://app.apono.io/connectors) page, verify that the connector has been deployed.

Now that you have installed the connector for your Account, you must [deploy](#deploy-the-eks-connector) the connector.

***

### Deploy the EKS connector

After installation, the connector must be deployed on your EKS cluster using the Apono Helm chart. You can choose between IRSA or Pod Identity authentication modes, depending on the value you defined for **EKSIamMode** when [installing the connector](#install-a-connector) (step **8**).

{% tabs %}
{% tab title="IRSA" %}
If using IRSA (IAM Roles for Service Accounts), use the Helm chart below to deploy the connector.

{% code overflow="wrap" %}

```bash
helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
  --set-string apono.token=[APONO_TOKEN] \
  --set-string apono.connectorId=[CONNECTOR_ID] \
  --set serviceAccount.manageClusterRoles=[true/false] \
  --set-string serviceAccount.awsRoleArn=[CONNECTOR_ROLE_ARN_OUTPUT] \
  --namespace apono-connector \
  --create-namespace
```

{% endcode %}

<table><thead><tr><th width="180.53125">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><strong>apono.token</strong> string</td><td>Unique token provided by Apono used to authenticate the connector with the Apono platform<br><br>Learn how to <a href="../../architecture-and-security/personal-api-tokens">create a token</a>.</td></tr><tr><td><strong>apono.connectorId</strong> string</td><td><p>Unique identifier associated with your Apono account</p><p>This ID links the Helm deployment to the configured connector.</p></td></tr><tr><td><strong>serviceAccount.manageClusterRoles</strong> boolean</td><td>A true/false flag that determines whether the connector is allowed to manage access for the Kubernetes cluster.</td></tr><tr><td><strong>serviceAccount.awsRoleArn</strong> string</td><td>ARN of the IAM role created through CloudFormation, which the connector’s service account uses to access AWS resources securely</td></tr></tbody></table>
{% endtab %}

{% tab title="Pod Identity" %}
If using Pod Identity, use the Helm chart below to deploy the connector.

{% code overflow="wrap" %}

```bash
helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
  --set-string apono.token=[APONO_TOKEN] \
  --set-string apono.connectorId=[CONNECTOR_ID] \
  --set serviceAccount.manageClusterRoles=[true/false] \
  --namespace apono-connector \
  --create-namespace
```

{% endcode %}

<table><thead><tr><th width="180.375">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><strong>apono.token</strong> string</td><td>Unique token provided by Apono used to authenticate the connector with the Apono platform<br><br>Learn how to <a href="../../architecture-and-security/personal-api-tokens">create a token</a>.</td></tr><tr><td><strong>apono.connectorId</strong> string</td><td><p>Unique identifier associated with your Apono account</p><p>This ID links the Helm deployment to the configured connector.</p></td></tr><tr><td><strong>serviceAccount.manageClusterRoles</strong> boolean</td><td>True/false flag that determines whether the Helm chart should create the necessary Kubernetes cluster roles and role bindings automatically</td></tr></tbody></table>
{% endtab %}
{% endtabs %}

After deployment, you can now manage access to your **AWS Account** from Apono.
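The two Helm commands above differ only in the `serviceAccount.awsRoleArn` setting, and the deployment is only complete once the service account is really bound to the IAM role. The script below is an added example, not Apono's chart or tooling: it selects the IRSA or Pod Identity form from the **EKSIamMode** value, refuses mismatched input (an ARN given in Pod Identity mode, or no ARN in IRSA mode), and then verifies the wiring with read-only `kubectl` and `aws eks` calls. Assumptions not on the page: the token is supplied through the `APONO_TOKEN` environment variable rather than typed on the command line, the IRSA annotation key `eks.amazonaws.com/role-arn` and the injected `AWS_WEB_IDENTITY_TOKEN_FILE` variable are the standard ones used by the EKS pod identity webhook, and the connector pods carry the label `app.kubernetes.io/name=apono-connector`.

```bash
#!/usr/bin/env bash
# Added example (not Apono's code): deploy the connector with Helm in IRSA or
# Pod Identity mode and verify that the service account is bound to the role.
# Assumptions not on the page: APONO_TOKEN comes from the environment; the
# chart labels its pods app.kubernetes.io/name=apono-connector; the IRSA
# annotation key and AWS_WEB_IDENTITY_TOKEN_FILE are the standard EKS webhook
# conventions; kubectl points at the target cluster.
set -eu

NAMESPACE="apono-connector"
RELEASE="apono-connector"
REPO="https://apono-io.github.io/apono-helm-charts"

# Build the `helm install` argument list from the page's two command forms.
# Only IRSA takes serviceAccount.awsRoleArn; Pod Identity binds the role on
# the EKS side, so passing an ARN there is treated as a configuration error.
helm_install_args() {
  local mode="$1" connector_id="$2" manage_roles="$3" role_arn="${4:-}"
  : "${APONO_TOKEN:?APONO_TOKEN must be set in the environment}"
  [ -n "$connector_id" ] || { echo "apono.connectorId is required" >&2; return 1; }
  case "$manage_roles" in
    true|false) ;;
    *) echo "serviceAccount.manageClusterRoles must be true or false" >&2; return 1 ;;
  esac
  set -- install "$RELEASE" "$RELEASE" --repo "$REPO" \
    --set-string "apono.token=$APONO_TOKEN" \
    --set-string "apono.connectorId=$connector_id" \
    --set "serviceAccount.manageClusterRoles=$manage_roles" \
    --namespace "$NAMESPACE" --create-namespace
  case "$mode" in
    IRSA)
      [ -n "$role_arn" ] || { echo "IRSA requires the ConnectorRoleArnOutput value" >&2; return 1; }
      set -- "$@" --set-string "serviceAccount.awsRoleArn=$role_arn" ;;
    PodIdentity)
      [ -z "$role_arn" ] || { echo "Pod Identity does not take awsRoleArn; use an EKS pod identity association" >&2; return 1; } ;;
    *) echo "mode must be IRSA or PodIdentity" >&2; return 1 ;;
  esac
  printf '%s\n' "$*"   # none of the arguments contain whitespace
}

deploy_connector() {
  # shellcheck disable=SC2046  # arguments contain no whitespace, splitting is safe
  helm $(helm_install_args "$@")
}

# True when the annotation found on the service account is exactly the role
# ARN handed to Helm (an empty annotation means the chart did not set it).
annotation_matches() {
  local expected="$1" actual="$2"
  [ -n "$actual" ] && [ "$expected" = "$actual" ]
}

# IRSA check: the service account must carry the role ARN annotation, and the
# EKS webhook must have injected the web-identity token path into the pod.
verify_irsa_wiring() {
  local role_arn="$1" annotated
  annotated="$(kubectl -n "$NAMESPACE" get serviceaccount "$RELEASE" \
      -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}')"
  annotation_matches "$role_arn" "$annotated" || {
    echo "service account annotation is '$annotated', expected '$role_arn'" >&2; return 1; }
  kubectl -n "$NAMESPACE" get pods -l "app.kubernetes.io/name=$RELEASE" \
      -o jsonpath='{range .items[*].spec.containers[*].env[*]}{.name}{"\n"}{end}' \
    | grep -qx 'AWS_WEB_IDENTITY_TOKEN_FILE'
}

# Pod Identity check: an association for this namespace/service account must
# exist on the cluster (created outside Helm, via the EKS API or console).
verify_pod_identity_wiring() {
  local cluster="$1"
  aws eks list-pod-identity-associations --cluster-name "$cluster" \
      --namespace "$NAMESPACE" --service-account "$RELEASE" \
      --query 'associations[0].associationArn' --output text | grep -q '^arn:'
}

# Usage: APONO_TOKEN=... bash deploy_connector.sh IRSA <connectorId> <true|false> <roleArn>
#        APONO_TOKEN=... bash deploy_connector.sh PodIdentity <connectorId> <true|false> "" <clusterName>
if [ $# -ge 3 ]; then
  deploy_connector "$1" "$2" "$3" "${4:-}"
  case "$1" in
    IRSA) verify_irsa_wiring "$4" ;;
    PodIdentity) verify_pod_identity_wiring "${5:?cluster name required for Pod Identity check}" ;;
  esac
  echo "connector deployed and role binding verified"
fi
```

Keeping the token in the environment rather than on the command line keeps it out of shell history, and the verification step turns the page's "verify that the connector has been deployed" into a concrete check on the cluster rather than only on the Connectors page.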

{% hint style="info" %}
If you choose to integrate with the **AWS organization**, continue to [Deploy Organization roles using CloudFormation](#deploy-organization-roles-using-cloudformation) to allow an AWS Account to assume IAM role permissions to manage access across all AWS Organization accounts.
{% endhint %}

***

### Deploy Organization roles using CloudFormation

Using IAM role permissions, you can enable the Apono connector to manage an entire AWS Organization. Deploying Organization roles is **optional**.

Follow these steps to deploy your Organization roles:

1. Log in to the management account for your AWS Organization.
2. Open the IAM Identity Center in your AWS organization.
3. Select the relevant AWS account on the left menu.
4. Copy the organizational ID.
5. In [CloudFormation](https://console.aws.amazon.com/cloudformation/home?#/stacks/quickcreate?templateURL=https://apono-public.s3.amazonaws.com/cloudformation/aws_organization_roles_only_integration_template.yml), open the **Quick create stack** page.
6. Under **Parameters**, enter values for the following fields:
   1. **AponoConnectorId**: Copied from the [Helm installation](#deploy-the-eks-connector).
   2. **ConnectorRoleArn**: Value copied from step **11** of [Install a connector](#install-a-connector).
   3. **OrganizationalUnitId**: Organizational Unit ID obtained in step **4**.
7. Click **Create stack**.
8. On the [**Connectors**](https://app.apono.io/connectors) page, verify that the connector has been deployed.

After installation, you can now manage access across your AWS Organization from Apono.
