Installing a Connector on EKS Using Helm and AWS CLI

This guide is intended for admins who manage a Connector in their environment.

How to install the Connector on EKS Using Helm and AWS CLI

Prerequisites

Required: eksctl, helm, awscli, kubectl

Step 1 - Create Connector

Important: before you start, copy the connector CLI parameters and export them as environment variables in the terminal session you will use for the steps below (the commands reference them as ${CONNECTOR_ID} and ${APONO_TOKEN}).

Step 2 - Add EKS cluster OIDC provider to your IAM

Your EKS cluster's OIDC issuer must be registered as an identity provider in IAM so that the connector's Kubernetes service account can assume an IAM role.

# The EKS cluster name (shown in the AWS EKS console)
export EKS_CLUSTER_NAME=PLEASE_REPLACE_WITH_CLUSTER_NAME

# The AWS region the EKS cluster runs in
export REGION=PLEASE_REPLACE_WITH_REGION
eksctl utils associate-iam-oidc-provider --region="${REGION}" --cluster="${EKS_CLUSTER_NAME}" --approve

Step 3 - Create the Connector IAM role

The Connector is deployed with Helm and requires an IAM role so that it can read tagged AWS Secrets Manager (ASM) secrets.

Configure params

# The AWS account ID that owns the EKS cluster
export ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
echo "account id is ${ACCOUNT_ID}"

# The EKS OIDC provider ID (the cluster's OIDC issuer URL without the https:// scheme)
export OIDC_PROVIDER=$(aws eks describe-cluster --name "${EKS_CLUSTER_NAME}" --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
echo "oidc provider is ${OIDC_PROVIDER}"

# The name of the connector service account. This name is used to identify the connector pod.
export K8S_SERVICE_ACCOUNT="apono-service-account"

# The Kubernetes namespace in which the connector is installed
export K8S_NAMESPACE="apono"

Create the Connector Role

aws iam create-role --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --assume-role-policy-document '{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "arn:aws:iam::'"${ACCOUNT_ID}"':oidc-provider/'"${OIDC_PROVIDER}"'"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "'"${OIDC_PROVIDER}"':sub": "system:serviceaccount:'"${K8S_NAMESPACE}"':'"${K8S_SERVICE_ACCOUNT}"'"
      }
    }
  }]
}'

Step 4 - Assign Role Policies

aws iam put-role-policy --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --policy-name "apono-tagged-secrets-access-policy" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      "Resource": "arn:aws:secretsmanager:*:'"${ACCOUNT_ID}"':secret:*",
      "Condition": { "StringEquals": {"aws:ResourceTag/apono-connector-read": "true"} }
    }]
}'

aws iam put-role-policy --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --policy-name "apono-tagged-kms-keys-access-policy" --policy-document '{  
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:Sign",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/apono-connector-read": "true"
                }
            }
        }
    ]
}'

aws iam put-role-policy --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --policy-name "apono-iam-policy" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ListPolicies",
        "iam:CreateInstanceProfile",
        "iam:ListGroups",
        "iam:ListInstanceProfiles"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:GetRole",
        "iam:UpdateAssumeRolePolicy",
        "iam:ListRoleTags",
        "iam:TagRole",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:AddRoleToInstanceProfile",
        "iam:ListInstanceProfilesForRole",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:DeleteRolePolicy",
        "iam:ListAttachedGroupPolicies",
        "iam:ListRolePolicies",
        "iam:GetRolePolicy",
        "iam:PassRole",
        "iam:GetInstanceProfile",
        "iam:CreateUser",
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:PutUserPolicy",
        "iam:DeleteUserPolicy",
        "iam:GetUser",
        "iam:GetUserPolicy",
        "iam:ListAttachedUserPolicies",
        "iam:ListUserPolicies",
        "iam:UpdateLoginProfile",
        "iam:ListAccessKeys",
        "iam:AttachUserPolicy",
        "iam:DetachUserPolicy",
        "iam:CreateLoginProfile"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::*:instance-profile/*",
        "arn:aws:iam::*:role/*",
        "arn:aws:iam::*:group/*",
        "arn:aws:iam::*:user/*"
      ]
    }
  ]
}'

aws iam attach-role-policy --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --policy-arn "arn:aws:iam::aws:policy/SecurityAudit"

Step 5 - Deploy Apono Connector

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --namespace "${K8S_NAMESPACE}" \
    --set serviceAccount.name="${K8S_SERVICE_ACCOUNT}" \
    --set serviceAccount.awsRoleAccountId="${ACCOUNT_ID}" \
    --set serviceAccount.awsRoleName="${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" \
    --set apono.token="${APONO_TOKEN}" \
    --set apono.connectorId="${CONNECTOR_ID}" \
    --create-namespace

Validate the Connector is Connected

You can confirm that the Connector is installed and connected on the Connector status page.
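As a complement to the status-page check, the following added example (not part of the Apono guide) lints the Step 3 trust policy before `aws iam create-role` is run, confirming that the role is bound to this cluster's OIDC provider and to exactly one namespace/service-account pair. The account ID and OIDC provider ID below are constructed sample values; the `aud` check is an optional hardening that AWS documents for IRSA and that the guide's template does not include.

```python
"""Lint an IRSA trust policy of the shape used in Step 3 of this guide."""
import json

ACCOUNT_ID = "111122223333"                                               # constructed
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789"   # constructed
K8S_NAMESPACE = "apono"
K8S_SERVICE_ACCOUNT = "apono-service-account"


def trust_policy(account_id, oidc_provider, namespace, sa):
    """Build the Step 3 trust policy as a dict (same shape as the guide's JSON)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{sa}"}},
        }],
    }


def check_trust_policy(doc, account_id, oidc_provider, namespace, sa):
    """Return findings; only the advisory 'note:' entry means the role is bound as intended."""
    findings = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Action") != "sts:AssumeRoleWithWebIdentity":
            findings.append("statement must Allow exactly sts:AssumeRoleWithWebIdentity")
        want_fed = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"
        if st.get("Principal", {}).get("Federated") != want_fed:
            findings.append("Federated principal is not this cluster's OIDC provider")
        eq = st.get("Condition", {}).get("StringEquals", {})
        got_sub = eq.get(f"{oidc_provider}:sub")
        want_sub = f"system:serviceaccount:{namespace}:{sa}"
        if got_sub != want_sub:
            # A wrong or wildcarded sub lets pods outside the connector's namespace assume the role.
            findings.append(f"sub is {got_sub!r}, expected {want_sub!r}")
        if eq.get(f"{oidc_provider}:aud") != "sts.amazonaws.com":
            # Optional hardening not in the guide's template (AWS-documented aud pin for IRSA).
            findings.append("note: no aud=sts.amazonaws.com condition")
    return findings


if __name__ == "__main__":
    doc = trust_policy(ACCOUNT_ID, OIDC_PROVIDER, K8S_NAMESPACE, K8S_SERVICE_ACCOUNT)
    print(json.dumps(doc, indent=2))
    for finding in check_trust_policy(doc, ACCOUNT_ID, OIDC_PROVIDER, K8S_NAMESPACE, K8S_SERVICE_ACCOUNT):
        print("-", finding)
```

To lint the live role instead of the template, feed `aws iam get-role --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --query Role.AssumeRolePolicyDocument` output into `check_trust_policy` after `json.loads`.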
