Installing a connector on EKS using CloudFormation

Installing a connector on Amazon Elastic Kubernetes Service (EKS) for AWS Account or Organization Management

Apono integrates seamlessly with AWS, using AWS CloudFormation to automate the deployment of all the necessary configurations:

  • Cross-account IAM role with read permissions

  • Amazon SNS topic for event notifications

  • Apono connector, which runs on AWS EKS

Once installed, the connector syncs data from cloud applications and enables you to manage access permissions through access flows within Amazon EKS.


Prerequisite

Item: AdministratorAccess Role
Description: AWS role with AdministratorAccess, providing full access to AWS services and resources. Required for installing the connector.

Full AWS access is not granted to Apono.


Install a connector

Follow these steps to install the connector:

  1. On the Catalog tab, click AWS. The Connect Integrations Group page appears.

  2. Under Discovery, click Amazon Account or Amazon Organization.

  3. Click one or more resource types to sync with Apono.

Apono automatically discovers and syncs all the instances in the environment. After syncing, you can manage Access Flows to these resources.

  4. Click Next. The Apono connector section expands.

  5. From the Select Connector dropdown menu, click + Add new connector. The Select connector installation strategy section appears.

  6. Click Cloud installation > CloudFormation + Helm (EKS).

  7. Open the CloudFormation stack. The Create stack page appears.

If you are not already signed in, AWS will prompt you to enter your AWS user account.

  8. Define the following Parameters:

    • EKSClusterName: Name of the EKS cluster where the Apono connector will be deployed.

    • EKSIamMode: Authentication mode used by the EKS connector. Possible values include IRSA (IAM Roles for Service Accounts) or Pod Identity.

    • (Optional) EKSNamespace: Kubernetes namespace in your EKS cluster where the Apono connector service account resides. Defaults to apono-connector if not specified.

    • (Optional) EKSServiceAccountName: Name of the Kubernetes service account associated with the Apono connector in the EKS cluster. Defaults to apono-connector if not specified.

  9. Under Capabilities, select I acknowledge that AWS CloudFormation might create IAM resources with custom names.

  10. Click Create stack.

  11. On the Outputs tab, copy the Value for the ConnectorRoleArnOutput. This value will be used to deploy the connector.

  12. On the Connectors page, verify that the connector has been deployed.

Now that you have installed the connector for your Account, you must deploy the connector.


Deploy the EKS connector

After installation, the connector must be deployed on your EKS cluster using the Apono Helm chart. You can choose between IRSA or Pod Identity authentication modes, depending on the value you defined for EKSIamMode when installing the connector (step 8).

If using IRSA (IAM Roles for Service Accounts), use the Helm chart below to deploy the connector.

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
  --set-string apono.token=[APONO_TOKEN] \
  --set-string apono.connectorId=[CONNECTOR_ID] \
  --set serviceAccount.manageClusterRoles=[true/false] \
  --set-string serviceAccount.awsRoleArn=[CONNECTOR_ROLE_ARN_OUTPUT] \
  --namespace apono-connector \
  --create-namespace

Parameter: apono.token (string)
Description: Unique token provided by Apono, used to authenticate the connector with the Apono platform. Learn how to create a token.

Parameter: apono.connectorId (string)
Description: Unique identifier associated with your Apono account. This ID links the Helm deployment to the configured connector.

Parameter: serviceAccount.manageClusterRoles (boolean)
Description: True/false flag that determines whether the Helm chart should create the necessary Kubernetes cluster roles and role bindings automatically.

Parameter: serviceAccount.awsRoleArn (string)
Description: ARN of the IAM role created through CloudFormation, which the connector's service account uses to access AWS resources securely.
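With IRSA, the role's trust policy is scoped to the subject system:serviceaccount:<EKSNamespace>:<EKSServiceAccountName>, so a Helm release installed into a different namespace or service account name than the stack was given cannot assume the role. The following check is an added example, not part of Apono's documentation or tooling; the account id, OIDC issuer, role name and trust-policy JSON are constructed placeholders, and it assumes the stack's role uses the standard IRSA trust-policy shape.

```python
# Constructed sample values (not from the Apono docs): account id, OIDC issuer and role name are placeholders.
ROLE_ARN = "arn:aws:iam::111122223333:role/apono-connector-role-EXAMPLE"
OIDC_ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"

# Trust policy in the standard IRSA shape, as `aws iam get-role` would return it for the stack's role (constructed).
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC_ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC_ISSUER}:aud": "sts.amazonaws.com",
            f"{OIDC_ISSUER}:sub": "system:serviceaccount:apono-connector:apono-connector",
        }},
    }],
}

# Service account as `kubectl get sa -n apono-connector apono-connector -o json` would show it after helm install (constructed).
SAMPLE_SERVICE_ACCOUNT = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "apono-connector", "namespace": "apono-connector",
                 "annotations": {"eks.amazonaws.com/role-arn": ROLE_ARN}},
}

def irsa_subject(namespace, service_account):
    """Subject claim the EKS OIDC token carries for pods running under this service account."""
    return f"system:serviceaccount:{namespace}:{service_account}"

def check_irsa_binding(trust_policy, service_account, expected_role_arn):
    """Return a list of problems; an empty list means the Helm release and the CloudFormation role agree."""
    problems = []
    meta = service_account.get("metadata", {})
    annotated = meta.get("annotations", {}).get("eks.amazonaws.com/role-arn")
    if annotated != expected_role_arn:
        problems.append(f"role-arn annotation is {annotated!r}, expected {expected_role_arn!r}")
    want = irsa_subject(meta.get("namespace"), meta.get("name"))
    allowed = []  # every :sub value the trust policy accepts for AssumeRoleWithWebIdentity
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
            if key.endswith(":sub"):
                allowed.extend(value if isinstance(value, list) else [value])
    if not allowed:
        problems.append("trust policy has no :sub condition, so any service account in the cluster could assume the role")
    elif want not in allowed:
        problems.append(f"trust policy allows {allowed}, but the connector runs as {want!r}")
    return problems
```

Feed it the real `aws iam get-role --role-name ... --query Role.AssumeRolePolicyDocument` and `kubectl get sa ... -o json` output to confirm the binding before troubleshooting the connector itself.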

After deployment, you can now manage access to your AWS Account from Apono.

If you choose to integrate with the AWS organization, continue to Deploy Organization roles using CloudFormation to allow an AWS Account to assume IAM role permissions to manage access across all AWS Organization accounts.


Deploy Organization roles using CloudFormation

Using IAM role permissions, you can enable the Apono connector to manage an entire AWS Organization. Deploying Organization roles is optional.

Follow these steps to deploy your Organization roles:

  1. Log in to the management account for your AWS Organization.

  2. Open the IAM Identity Center in your AWS organization.

  3. Select the relevant AWS account on the left menu.

  4. Copy the organizational ID.

  5. In CloudFormation, open the Quick create stack page.

  6. Under Parameters, enter values for the following fields:

    1. AponoConnectorId: Copied from the Helm installation.

    2. ConnectorRoleArn: Value copied from step 11 of Install a connector.

    3. OrganizationalUnitId: Organizational Unit ID obtained in step 4.

  7. Click Create stack.

  8. On the Connectors page, verify that the connector has been deployed.

After installation, you can now manage access across your AWS Organization from Apono.
