Installing a Connector on EKS Using Helm and AWS CLI

This guide is intended for admins managing a Connector in the environment

πŸ“˜

You have chosen the advanced installation method

You can also easily connect AWS in Apono following this UI guide here

How to install the Connector on EKS Using Helm and AWS CLI

Prerequisite

Required: eksctl, helm, awscli, kubectl

Step 1 - Create Connector

Important: before you start, copy the connector CLI params and export them in the terminal.

Step 2 - Add EKS cluster OIDC provider to your IAM

It's required that your EKS cluster OIDC provider will be added to your IAM.

# EKS Cluster name can be found in the AWS EKS portal
export EKS_CLUSTER_NAME=PLEASE_REPLACE_WITH_CLUSTER_NAME

# Select the region that the EKS Cluster region runs on
export REGION=PLEASE_REPLACE_WITH_REGION
eksctl utils associate-iam-oidc-provider --region="${REGION}" --cluster="${EKS_CLUSTER_NAME}" --approve

Step 3 - Create the Connector IAM role

The Connector is deployed using helm and requires an IAM Role to be able to access tagged ASM secrets in the future.

Configure params

# The EKS AWS ID
export ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
echo "account id is ${ACCOUNT_ID}" 

# The EKS OIDC Provider ID
export OIDC_PROVIDER=$(aws eks describe-cluster --name "${EKS_CLUSTER_NAME}" --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
echo "oidc provider is ${OIDC_PROVIDER}" 

# The name of the connector service account. This name will be used for recognizing the connector pod.
export K8S_SERVICE_ACCOUNT="apono-service-account"

# The Kubernetes namespace for installing the connector
export K8S_NAMESPACE="apono"

Create the Connector Role

aws iam create-role --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --assume-role-policy-document '{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "arn:aws:iam::'"${ACCOUNT_ID}"':oidc-provider/'"${OIDC_PROVIDER}"'"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "'"${OIDC_PROVIDER}"':sub": "system:serviceaccount:'"${K8S_NAMESPACE}"':'"${K8S_SERVICE_ACCOUNT}"'"
      }
    }
  }]
}'

Step 4 - Assign Role Policies

aws iam put-role-policy --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --policy-name "apono-tagged-secrets-access-policy" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      "Resource": "arn:aws:secretsmanager:*:'"${ACCOUNT_ID}"':secret:*",
      "Condition": { "StringEquals": {"aws:ResourceTag/apono-connector-read": "true"} }
    }]
}'

aws iam put-role-policy --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --policy-name "apono-tagged-kms-keys-access-policy" --policy-document '{  
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:Sign",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/apono-connector-read": "true"
                }
            }
        }
    ]
}'

aws iam put-role-policy --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --policy-name "apono-iam-policy" --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{"Action":["iam:ListPolicies","iam:CreateInstanceProfile","iam:ListGroups","iam:ListInstanceProfiles"],
    "Effect":"Allow",
    "Resource":"*"},
    {"Action":["iam:CreateInstanceProfile","iam:GetRole","iam:UpdateAssumeRolePolicy","iam:ListRoleTags","iam:TagRole","iam:CreateRole","iam:DeleteRole","iam:AttachRolePolicy","iam:PutRolePolicy","iam:AddRoleToInstanceProfile","iam:ListInstanceProfilesForRole","iam:DetachRolePolicy","iam:ListAttachedRolePolicies","iam:DeleteRolePolicy","iam:ListAttachedGroupPolicies","iam:ListRolePolicies","iam:GetRolePolicy","iam:PassRole","iam:GetInstanceProfile","iam:CreateUser","iam:CreateAccessKey","iam:DeleteAccessKey","iam:PutUserPolicy","iam:DeleteUserPolicy","iam:GetUser","iam:GetUserPolicy","iam:ListAttachedUserPolicies","iam:ListUserPolicies","iam:UpdateLoginProfile","iam:ListAccessKeys","iam:AttachUserPolicy","iam:DetachUserPolicy","iam:CreateLoginProfile"],
    "Effect":"Allow",
    "Resource":["arn:aws:iam::*:instance-profile/*","arn:aws:iam::*:role/*","arn:aws:iam::*:group/*","arn:aws:iam::*:user/*"]}]
}'

aws iam attach-role-policy --role-name "${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" --policy-arn "arn:aws:iam::aws:policy/SecurityAudit"

Step 5- Deploy Apono Connector

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --namespace "${K8S_NAMESPACE}" \
    --set serviceAccount.name="${K8S_SERVICE_ACCOUNT}" \
    --set serviceAccount.awsRoleAccountId=${ACCOUNT_ID} \
    --set serviceAccount.awsRoleName="${K8S_SERVICE_ACCOUNT}-${CONNECTOR_ID}" \
    --set apono.token="${APONO_TOKEN}" \
    --set apono.connectorId="${CONNECTOR_ID}" \
    --create-namespace

Validate the Connector is Connected

You can validate the Connector is installed in the Connector status page.