LogoLogo
Documentation and Guides
Documentation and Guides
  • ABOUT APONO
    • Why Choose Apono
    • Security and Architecture
    • Glossary
  • GETTING STARTED
    • How Apono Works
    • Getting started
    • Access Discovery
    • Integrating with Apono
  • CONNECTORS AND SECRETS
    • Apono Integration Secret
    • High Availability for Connectors
    • Installing a connector with Docker
    • Manage integrations
    • Manage connectors
  • AWS ENVIRONMENT
    • AWS Overview
    • Apono Connector for AWS
      • Installing a connector on EKS Using Terraform
      • Updating a connector in AWS
      • Installing a connector on AWS ECS using Terraform
    • AWS Integrations
      • Integrate an AWS account or organization
        • Auto Discover AWS RDS Instances
        • AWS Best Practices
      • Amazon Redshift
      • RDS PostgreSQL
      • AWS RDS MySQL
      • Integrate with EKS
      • AWS Lambda Custom Integration
      • EC2 via Systems Manager Agent (SSM)
  • AZURE ENVIRONMENT
    • Apono Connector for Azure
      • Install an Azure connector on ACI using Azure CLI
      • Install an Azure connector on ACI using PowerShell
      • Install an Azure connector on ACI using Terraform
      • Updating a connector in Azure
    • Azure Integrations
      • Integrate with Azure Management Group or Subscription
        • Auto Discover Azure SQL Databases
      • Azure MySQL
      • Azure PostgreSQL
      • Integrate with AKS
  • GCP ENVIRONMENT
    • Apono Connector for GCP
      • Installing a GCP connector on Cloud Run using CLI
      • Installing a GCP connector on GKE using CLI (Helm)
      • Installing a GCP connector on GKE using Terraform
      • Updating a connector in Google Cloud
    • GCP Integrations
      • Integrate a GCP organization or project
      • CloudSQL - MySQL
      • CloudSQL - PostgreSQL
      • Google Cloud Functions
      • Integrate with GKE
      • AlloyDB
  • KUBERNETES ENVIRONMENT
    • Apono Connector for Kubernetes
      • Installing a connector on Kubernetes with AWS permissions
      • Updating a Kubernetes connector
    • Kubernetes Integrations
      • Integrate with Self-Managed Kubernetes
  • ADDITIONAL INTEGRATIONS
    • Databases and Data Repositories
      • Microsoft SQL Server
      • MongoDB
      • MongoDB Atlas
      • MongoDB Atlas Portal
      • MySQL
      • Oracle Database
      • PostgreSQL
      • Redis Cloud (Redislabs)
      • Snowflake
      • Vertica
      • MariaDB
    • Network Management
      • SSH Servers
      • RDP Servers
      • Windows Domain Controller
      • AWS EC2 SSH Servers
      • Azure VM SSH Servers
      • Installing the Apono HTTP Proxy
    • Development Tools
      • GitHub
      • Rancher
    • Identity Providers
      • Okta SCIM
      • Okta Groups
      • Okta SSO for Apono logins
      • Google Workspace (Gsuite)
      • Google Workspace (GSuite) Groups
      • Azure Active Directory (Microsoft Entra ID)
      • Azure Active Directory (Entra ID) Groups
      • Jumpcloud
      • JumpCloud Groups
      • OneLogin
      • OneLogin Group
      • LDAP Groups
      • The Manager Attribute in Access Flows
      • HiBob
      • Ping Identity SSO
    • Incident Response Integrations
      • Opsgenie
      • PagerDuty
      • VictorOps (Splunk On-Call)
      • Zenduty
    • ChatOps Integrations
      • Slack integration
      • Teams integration
      • Backstage Integration
  • WEBHOOK INTEGRATIONS
    • Webhooks Overview
    • Anomaly Webhook
    • Audit Log Webhook
    • Request Webhook
      • Custom Webhooks
      • Communications and Notifications
        • Slack Outbound Webhooks
        • Teams
        • Outlook and Gmail (Using Azure Logic App)
      • ITSM
        • Freshdesk
        • Jira
        • ServiceNow
        • Zendesk
        • Freshservice
        • ServiceDesk Plus
      • Logs and SIEMs
        • Coralogix
        • Datadog
        • Logz.io
        • Grafana
        • New Relic
        • SolarWinds
        • Sumo Logic
        • Cortex
        • Logpoint
        • Splunk
        • Microsoft Sentinel
      • Orchestration and workflow builders
        • Okta Workflows
        • Torq
    • Integration Webhook
    • Webhook Payload References
      • Audit Log Webhook Payload Schema Reference
      • Webhook Payload Schema Reference
    • Manage webhooks
    • Troubleshoot a webhook
    • Manual Webhook
      • ITSM
        • PagerDuty
  • ACCESS FLOWS
    • Access Flows
      • What are Access Flows?
    • Create Access Flows
      • Self Serve Access Flows
      • Automatic Access Flows
      • Access Duration
    • Manage Access Flows
      • Right Sizing
    • Revoke Access
    • Dynamic Access Management
      • Resource and Integration Owners
    • Common Use Cases
      • Ensuring SLA
      • Protecting PII and Customer Data
      • Production Stability and Management
      • Break Glass Protocol
    • Create Bundles
    • Manage Bundles
  • ACCESS REQUESTS AND APPROVALS
    • Slack
      • Requesting Access with Slack
      • Approving Access with Slack
    • Teams
      • Requesting Access with Teams
      • Approving Access with Teams
    • CLI
      • Install and manage the Apono CLI
      • Requesting Access with CLI
    • Web Portal
      • Requesting Access with the Web Portal
      • Approving Access with the Web Portal
      • Reviewing historical requests with the Web Portal
    • Freshservice
    • Favorites
  • Inventory
    • Inventory Overview
    • Inventory
    • Access Scopes
    • Risk Scores
    • Apono Query Language
  • AUDITS AND REPORTS
    • Activity Overview
      • Activity
      • Create Reports
      • Manage Reports
    • Compliance: Audit and Reporting
    • Auditing Access in Apono
    • Admin Audit Log (Syslog)
  • HELP AND DEBUGGING
    • Integration Status Page
    • Troubleshooting Errors
  • ARCHITECTURE AND SECURITY
    • Anomaly Detection
    • Multi-factor Authentication
    • Credentials Rotation Policy
    • Periodic User Cleanup & Deletion
    • End-user Authentication
    • Personal API Tokens
  • User Administration
    • Role-Based Access Control (RBAC) Reference
    • Create Identities
    • Manage Identities
Powered by GitBook
On this page
  • How to install the Connector on EKS Using Helm and AWS CLI
  • Prerequisite
  • Step 1 - Create Connector
  • Step 2 - Add EKS cluster OIDC provider to your IAM
  • Step 3 - Create the Connector IAM role
  • Step 4 - Assign Role Policies
  • Step 5- Deploy Apono Connector
  • Validate the Connector is Connected

Was this helpful?

Export as PDF
  1. AWS ENVIRONMENT
  2. Apono Connector for AWS

Installing a Connector on EKS Using Helm and AWS CLI

This guide is intended for admins managing a Connector in the environment

Last updated 6 months ago

Was this helpful?

You have chosen the advanced installation method

You can also easily connect AWS in Apono following this UI guide .

How to install the Connector on EKS Using Helm and AWS CLI

Prerequisite

Required: eksctl, helm, awscli, kubectl

Step 1 - Create Connector

  • Login to Apono and create connector in the

Important: before you start, copy the connector CLI params and export them in the terminal.

Step 2 - Add EKS cluster OIDC provider to your IAM

It's required that your EKS cluster OIDC provider will be added to your IAM.

# EKS Cluster name can be found in the AWS EKS portal
export EKS_CLUSTER_NAME=PLEASE_REPLACE_WITH_CLUSTER_NAME

# Select the region that the EKS Cluster region runs on
export REGION=PLEASE_REPLACE_WITH_REGION
eksctl utils associate-iam-oidc-provider --region="${REGION}" --cluster="${EKS_CLUSTER_NAME}" --approve

Step 3 - Create the Connector IAM role

The Connector is deployed using helm and requires an IAM Role to be able to access tagged ASM secrets in the future.

Configure params

# The EKS AWS ID
export ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
echo "account id is ${ACCOUNT_ID}" 

# The EKS OIDC Provider ID
export OIDC_PROVIDER=$(aws eks describe-cluster --name "${EKS_CLUSTER_NAME}" --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
echo "oidc provider is ${OIDC_PROVIDER}" 

# The name of the connector service account. This name will be used for recognizing the connector pod.
export K8S_SERVICE_ACCOUNT="apono-service-account"

# The Kubernetes namespace for installing the connector
export K8S_NAMESPACE="apono"

Create the Connector Role

aws iam create-role --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --assume-role-policy-document '{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "arn:aws:iam::'"${ACCOUNT_ID}"':oidc-provider/'"${OIDC_PROVIDER}"'"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "'"${OIDC_PROVIDER}"':sub": "system:serviceaccount:'"${K8S_NAMESPACE}"':'"${K8S_SERVICE_ACCOUNT}"'"
      }
    }
  }]
}'

Step 4 - Assign Role Policies

aws iam put-role-policy --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --policy-name "apono-tagged-secrets-access-policy" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      "Resource": "arn:aws:secretsmanager:*:'"${ACCOUNT_ID}"':secret:*",
      "Condition": { "StringEquals": {"aws:ResourceTag/apono-connector-read": "true"} }
    }]
}'

aws iam put-role-policy --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --policy-name "apono-tagged-kms-keys-access-policy" --policy-document '{  
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:Sign",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/apono-connector-read": "true"
                }
            }
        }
    ]
}'

aws iam put-role-policy --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --policy-name "apono-iam-policy" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{"Action":["iam:ListPolicies","iam:CreateInstanceProfile","iam:ListGroups","iam:ListInstanceProfiles"],
    "Effect":"Allow",
    "Resource":"*"},
    {"Action":["iam:CreateInstanceProfile","iam:GetRole","iam:UpdateAssumeRolePolicy","iam:ListRoleTags","iam:TagRole","iam:CreateRole","iam:DeleteRole","iam:AttachRolePolicy","iam:PutRolePolicy","iam:AddRoleToInstanceProfile","iam:ListInstanceProfilesForRole","iam:DetachRolePolicy","iam:ListAttachedRolePolicies","iam:DeleteRolePolicy","iam:ListAttachedGroupPolicies","iam:ListRolePolicies","iam:GetRolePolicy","iam:PassRole","iam:GetInstanceProfile","iam:CreateUser","iam:CreateAccessKey","iam:DeleteAccessKey","iam:PutUserPolicy","iam:DeleteUserPolicy","iam:GetUser","iam:GetUserPolicy","iam:ListAttachedUserPolicies","iam:ListUserPolicies","iam:UpdateLoginProfile","iam:ListAccessKeys","iam:AttachUserPolicy","iam:DetachUserPolicy","iam:CreateLoginProfile"],
    "Effect":"Allow",
    "Resource":["arn:aws:iam::*:instance-profile/*","arn:aws:iam::*:role/*","arn:aws:iam::*:group/*","arn:aws:iam::*:user/*"]}]
}'

aws iam attach-role-policy --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --policy-arn "arn:aws:iam::aws:policy/SecurityAudit"

Step 5- Deploy Apono Connector

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --namespace "${K8S_NAMESPACE}" \
    --set serviceAccount.name="${K8S_SERVICE_ACCOUNT}" \
    --set serviceAccount.awsRoleAccountId=${ACCOUNT_ID} \
    --set serviceAccount.awsRoleName="${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" \
    --set apono.token="${APONO_TOKEN}" \
    --set apono.connectorId="${CONNECTOR_ID}" \
    --create-namespace

Validate the Connector is Connected

You can validate the Connector is installed in the .

here
Connector Page
Connector status page