Installing a Connector on EKS Using Helm and AWS CLI
This guide is intended for admins managing a Connector in the environment
You have chosen the advanced installation method
You can also easily connect AWS in Apono following this UI guide here
How to install the Connector on EKS Using Helm and AWS CLI
Prerequisite
Required: eksctl, helm, awscli, kubectl
Step 1 - Create Connector
- Login to Apono and create connector in the Connector Page
Important: before you start, copy the connector CLI params and export them in the terminal.
Step 2 - Add EKS cluster OIDC provider to your IAM
It's required that your EKS cluster OIDC provider will be added to your IAM.
# EKS Cluster name can be found in the AWS EKS portal
export EKS_CLUSTER_NAME=PLEASE_REPLACE_WITH_CLUSTER_NAME
# Select the region that the EKS Cluster region runs on
export REGION=PLEASE_REPLACE_WITH_REGION
eksctl utils associate-iam-oidc-provider --region="${REGION}" --cluster="${EKS_CLUSTER_NAME}" --approve
Step 3 - Create the Connector IAM role
The Connector is deployed using helm and requires an IAM Role to be able to access tagged ASM secrets in the future.
Configure params
# The EKS AWS ID
export ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
echo "account id is ${ACCOUNT_ID}"
# The EKS OIDC Provider ID
export OIDC_PROVIDER=$(aws eks describe-cluster --name "${EKS_CLUSTER_NAME}" --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
echo "oidc provider is ${OIDC_PROVIDER}"
# The name of the connector service account. This name will be used for recognizing the connector pod.
export K8S_SERVICE_ACCOUNT="apono-service-account"
# The Kubernetes namespace for installing the connector
export K8S_NAMESPACE="apono"
Create the Connector Role
aws iam create-role --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::'"${ACCOUNT_ID}"':oidc-provider/'"${OIDC_PROVIDER}"'"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"'"${OIDC_PROVIDER}"':sub": "system:serviceaccount:'"${K8S_NAMESPACE}"':'"${K8S_SERVICE_ACCOUNT}"'"
}
}
}]
}'
Step 4 - Assign Role Policies
aws iam put-role-policy --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --policy-name "apono-tagged-secrets-access-policy" --policy-document '{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
"Resource": "arn:aws:secretsmanager:*:'"${ACCOUNT_ID}"':secret:*",
"Condition": { "StringEquals": {"aws:ResourceTag/apono-connector-read": "true"} }
}]
}'
aws iam put-role-policy --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --policy-name "apono-tagged-kms-keys-access-policy" --policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "kms:Sign",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/apono-connector-read": "true"
}
}
}
]
}'
aws iam put-role-policy --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --policy-name "apono-iam-policy" --policy-document '{
"Version": "2012-10-17",
"Statement": [{"Action":["iam:ListPolicies","iam:CreateInstanceProfile","iam:ListGroups","iam:ListInstanceProfiles"],
"Effect":"Allow",
"Resource":"*"},
{"Action":["iam:CreateInstanceProfile","iam:GetRole","iam:UpdateAssumeRolePolicy","iam:ListRoleTags","iam:TagRole","iam:CreateRole","iam:DeleteRole","iam:AttachRolePolicy","iam:PutRolePolicy","iam:AddRoleToInstanceProfile","iam:ListInstanceProfilesForRole","iam:DetachRolePolicy","iam:ListAttachedRolePolicies","iam:DeleteRolePolicy","iam:ListAttachedGroupPolicies","iam:ListRolePolicies","iam:GetRolePolicy","iam:PassRole","iam:GetInstanceProfile","iam:CreateUser","iam:CreateAccessKey","iam:DeleteAccessKey","iam:PutUserPolicy","iam:DeleteUserPolicy","iam:GetUser","iam:GetUserPolicy","iam:ListAttachedUserPolicies","iam:ListUserPolicies","iam:UpdateLoginProfile","iam:ListAccessKeys","iam:AttachUserPolicy","iam:DetachUserPolicy","iam:CreateLoginProfile"],
"Effect":"Allow",
"Resource":["arn:aws:iam::*:instance-profile/*","arn:aws:iam::*:role/*","arn:aws:iam::*:group/*","arn:aws:iam::*:user/*"]}]
}'
aws iam attach-role-policy --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --policy-arn "arn:aws:iam::aws:policy/SecurityAudit"
Step 5- Deploy Apono Connector
helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
--namespace "${K8S_NAMESPACE}" \
--set serviceAccount.name="${K8S_SERVICE_ACCOUNT}" \
--set serviceAccount.awsRoleAccountId=${ACCOUNT_ID} \
--set serviceAccount.awsRoleName="${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" \
--set apono.token="${APONO_TOKEN}" \
--set apono.connectorId="${CONNECTOR_ID}" \
--create-namespace
Validate the Connector is Connected
You can validate the Connector is installed in the Connector status page.
Updated about 2 months ago