Installing a Connector on EKS Using CLI

This guide is intended for admins who manage a Connector in their own environment.


You have chosen the advanced installation method

You can also easily connect AWS in Apono by following the UI guide here.

How to install the Connector on EKS

Prerequisites

Your EKS cluster's OIDC provider must be registered in IAM as an identity provider before the Connector's role can be assumed by a Kubernetes service account.
This is a one-time step per cluster, and you may already have done it.

  • required: eksctl, helm
  • replace #REGION, #EKS_CLUSTER_NAME
eksctl utils associate-iam-oidc-provider --region="#REGION" --cluster="#EKS_CLUSTER_NAME" --approve

Deploying the Connector

The Connector is deployed using Helm and requires an IAM role, assumed through its Kubernetes service account, so that it will later be able to read Apono-tagged AWS Secrets Manager (ASM) secrets.

Create an IAM role that grants the Connector read access to Apono-tagged secrets:

  • Get the AWS account ID and the cluster's OIDC provider host
  • Replace #EKS_CLUSTER_NAME, #K8S_SERVICE_ACCOUNT
ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) && OIDC_PROVIDER=$(aws eks describe-cluster --name "#EKS_CLUSTER_NAME" --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
  • Create Connector Role
aws iam create-role --role-name "{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" --assume-role-policy-document '{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "arn:aws:iam::'"${ACCOUNT_ID}"':oidc-provider/'"${OIDC_PROVIDER}"'"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "'"${OIDC_PROVIDER}"':sub": "system:serviceaccount:{{K8S_NAMESPACE}}:{{K8S_SERVICE_ACCOUNT}}"
      }
    }
  }]
}'
  • Assign Role Policies
aws iam put-role-policy --role-name "{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" --policy-name "apono-tagged-secrets-access-policy" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      "Resource": "arn:aws:secretsmanager:*:'"${ACCOUNT_ID}"':secret:*",
      "Condition": { "StringEquals": {"aws:ResourceTag/apono-connector-read": "true"} }
    }]
}'

aws iam put-role-policy --role-name "{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" --policy-name "apono-tagged-kms-keys-access-policy" --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:Sign",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/apono-connector-read": "true"
                }
            }
        }
    ]
}'

aws iam put-role-policy --role-name "{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" --policy-name "apono-iam-policy" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{"Action":["iam:ListPolicies","iam:CreateInstanceProfile","iam:ListGroups","iam:ListInstanceProfiles"],
    "Effect":"Allow",
    "Resource":"*"},
    {"Action":["iam:CreateInstanceProfile","iam:GetRole","iam:UpdateAssumeRolePolicy","iam:ListRoleTags","iam:TagRole","iam:CreateRole","iam:DeleteRole","iam:AttachRolePolicy","iam:PutRolePolicy","iam:AddRoleToInstanceProfile","iam:ListInstanceProfilesForRole","iam:DetachRolePolicy","iam:ListAttachedRolePolicies","iam:DeleteRolePolicy","iam:ListAttachedGroupPolicies","iam:ListRolePolicies","iam:GetRolePolicy","iam:PassRole","iam:GetInstanceProfile","iam:CreateUser","iam:CreateAccessKey","iam:DeleteAccessKey","iam:PutUserPolicy","iam:DeleteUserPolicy","iam:GetUser","iam:GetUserPolicy","iam:ListAttachedUserPolicies","iam:ListUserPolicies","iam:UpdateLoginProfile","iam:ListAccessKeys","iam:AttachUserPolicy","iam:DetachUserPolicy","iam:CreateLoginProfile"],
    "Effect":"Allow",
    "Resource":["arn:aws:iam::*:instance-profile/*","arn:aws:iam::*:role/*","arn:aws:iam::*:group/*","arn:aws:iam::*:user/*"]}]
}'

aws iam put-role-policy --role-name "{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" --policy-name "apono-read-objects-policy" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{"Action":["rds:DescribeDBInstances","rds:ListTagsForResource"],
    "Effect":"Allow",
    "Resource":"arn:aws:rds:*:*:db:*"},
    {"Action":["ssm:GetParameters*"],
    "Effect":"Allow",
    "Resource":"arn:aws:ssm:*:*:parameter/*"},
    {"Action":["ssm:DescribeParameters"],
    "Effect":"Allow",
    "Resource":"*"},
    {"Action":["s3:GetBucketTagging","s3:ListAllMyBuckets","s3:ListBucket","s3:GetBucketLocation"],
    "Effect":"Allow",
    "Resource":"arn:aws:s3:::*"}]
}'

aws iam put-role-policy --role-name "{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" --policy-name "apono-read-resource-tags" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    }]
}'
  • Deploy Apono Connector
helm install apono-connector https://apono-io.github.io/apono-helm-charts/apono-connector/apono-connector-2.0.0.tgz \
    --namespace "{{K8S_NAMESPACE}}" \
    --set serviceAccount.name="{{K8S_SERVICE_ACCOUNT}}" \
    --set serviceAccount.awsRoleAccountId=`aws sts get-caller-identity --output text --query Account` \
    --set serviceAccount.awsRoleName="{{K8S_SERVICE_ACCOUNT}}-{{CONNECTOR_ID}}" \
    --set apono.token="{{TOKEN}}" \
    --set apono.url="{{APONO_WEBSOCKET_URL}}" \
    --set apono.connectorId="{{CONNECTOR_ID}}" \
    --create-namespace
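As an added pre-flight check (example code written for this page, not part of Apono's chart or CLI), the script below renders the trust policy from the create-role step without the shell quoting, confirms the role is bound to exactly one service-account subject, and lists any inline-policy statement that allows actions on every resource with no condition. The account ID, OIDC issuer host, namespace and service-account name are constructed sample values; in a real run they come from the aws sts / aws eks commands above.

```python
"""Added pre-flight review for this guide's IRSA role (example code, not Apono's)."""
import json


def render_trust_policy(account_id, oidc_provider, namespace, service_account):
    """Same document the guide's `aws iam create-role` builds, minus the shell quoting."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{service_account}"}},
        }],
    }


def trust_policy_subjects(policy):
    """Service-account subjects the role trusts; an empty list means any pod could assume it."""
    subjects = []
    for stmt in policy["Statement"]:
        for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
            if key.endswith(":sub"):
                subjects.append(value)
    return subjects


def unconditioned_wildcards(policy):
    """Action lists of Allow statements on Resource '*' that carry no Condition at all."""
    hits = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt["Effect"] == "Allow" and "*" in resources and "Condition" not in stmt:
            hits.append(actions)
    return hits


# Constructed sample values; real ones come from the aws sts / aws eks calls in the guide.
ACCOUNT = "123456789012"
OIDC = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"
TRUST = render_trust_policy(ACCOUNT, OIDC, "apono", "apono-connector")
# Copy of the guide's tagged-secrets policy with the account placeholder filled in.
SECRETS = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
  "Resource": "arn:aws:secretsmanager:*:%s:secret:*",
  "Condition": {"StringEquals": {"aws:ResourceTag/apono-connector-read": "true"}}}]}''' % ACCOUNT)
# Copy of the guide's resource-tags policy: read-only, but wildcard resource and no condition.
TAGS = {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "tag:GetResources", "Resource": "*"}]}
```

Run the same two functions over the trust policy and each inline policy after substituting your real values; the secrets and KMS policies should report no unconditioned wildcard grants because both are gated by the apono-connector-read tag.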