Envoy Proxy authorization
Proxy authorization authorizes the Envoy proxy running within an Amazon ECS task, in a Kubernetes pod running on Amazon EKS, or running on an Amazon EC2 instance to read the configuration of one or more mesh endpoints from the App Mesh Envoy Management Service. Proxy authorization is required for virtual nodes that use Transport Layer Security (TLS) and for virtual gateways (with or without TLS), but will eventually be required for all App Mesh capabilities. Until proxy authorization is required for all App Mesh capabilities, it is only required if specifically mentioned in the documentation for the capability. It is recommended to enable proxy authorization for all virtual nodes, even if they don't use TLS, to have a secure and consistent experience using IAM for authorization to specific resources. Proxy authorization requires that the appmesh:StreamAggregatedResources permission is specified in an IAM policy. The policy must be attached to an IAM role, and that IAM role must be attached to the compute resource that you host the proxy on.
Create IAM policy
If you want all mesh endpoints in a service mesh to be able to read the configuration for all mesh endpoints, then skip to Create IAM role. If you want to limit the mesh endpoints that configuration can be read from by individual mesh endpoints, then you need to create one or more IAM policies. Limiting the mesh endpoints that configuration can be read from to only the Envoy proxy running on specific compute resources is recommended. Create an IAM policy and add the appmesh:StreamAggregatedResources permission to the policy. The following example policy allows the configuration of the virtual nodes named serviceBv1 and serviceBv2 to be read in a service mesh. Configuration can't be read for any other virtual nodes defined in the service mesh. For more information about creating or editing an IAM policy, see Creating IAM Policies and Edit IAM Policies.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "appmesh:StreamAggregatedResources",
            "Resource": [
                "arn:aws:appmesh:us-east-1:123456789012:mesh/app1/virtualNode/serviceBv1",
                "arn:aws:appmesh:us-east-1:123456789012:mesh/app1/virtualNode/serviceBv2"
            ]
        }
    ]
}
You can create multiple policies, with each policy restricting access to different mesh endpoints.
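The following Python script is an added example, not part of the App Mesh documentation or of any AWS library. It generates a scoped proxy-authorization policy in the same shape as the example above from a list of mesh endpoint ARNs, and then performs a simplified local check of which endpoints that policy would let an Envoy proxy read, so you can see the effect of scoping (or of a wildcard Resource) before attaching the policy to a role. The region, account ID, mesh name and endpoint names are constructed sample values; the evaluator deliberately ignores conditions, NotAction/NotResource, permission boundaries and resource-based policies, so it is a scoping aid and not a substitute for IAM's own evaluation.

```python
import json
import re

# Constructed sample values, the same shape as the ARNs in the page's example policy.
REGION = "us-east-1"
ACCOUNT = "123456789012"
MESH = "app1"
STREAM_ACTION = "appmesh:StreamAggregatedResources"


def virtual_node_arn(region, account, mesh, name):
    """ARN of an App Mesh virtual node, as used in the Resource list above."""
    return f"arn:aws:appmesh:{region}:{account}:mesh/{mesh}/virtualNode/{name}"


def virtual_gateway_arn(region, account, mesh, name):
    """ARN of an App Mesh virtual gateway (proxy authorization is required for these)."""
    return f"arn:aws:appmesh:{region}:{account}:mesh/{mesh}/virtualGateway/{name}"


def build_proxy_auth_policy(resource_arns):
    """IAM policy document that lets Envoy read configuration only for the listed endpoints."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": STREAM_ACTION,
                "Resource": sorted(set(resource_arns)),
            }
        ],
    }


def _pattern_to_regex(pattern):
    """Translate IAM-style wildcards ('*' and '?') into an anchored regular expression."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$")


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource_arn):
    """Simplified local evaluation of one identity policy (assumption: no conditions,
    NotAction, NotResource, boundaries or resource policies). An explicit Deny wins;
    otherwise any Allow whose Action and Resource both match grants access."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # Action names are matched case-insensitively; ARNs are matched as written.
        if not any(_pattern_to_regex(a.lower()).match(action.lower()) for a in actions):
            continue
        if not any(_pattern_to_regex(r).match(resource_arn) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def readable_endpoints(policy, candidate_arns):
    """Return the subset of candidate endpoints whose configuration Envoy could read."""
    return [arn for arn in candidate_arns if policy_allows(policy, STREAM_ACTION, arn)]


if __name__ == "__main__":
    scoped = build_proxy_auth_policy([
        virtual_node_arn(REGION, ACCOUNT, MESH, "serviceBv1"),
        virtual_node_arn(REGION, ACCOUNT, MESH, "serviceBv2"),
    ])
    print(json.dumps(scoped, indent=4))
    candidates = [
        virtual_node_arn(REGION, ACCOUNT, MESH, "serviceBv1"),
        virtual_node_arn(REGION, ACCOUNT, MESH, "serviceBv2"),
        virtual_node_arn(REGION, ACCOUNT, MESH, "serviceA"),
        virtual_gateway_arn(REGION, ACCOUNT, MESH, "ingress"),
    ]
    for arn in candidates:
        verdict = "readable" if arn in readable_endpoints(scoped, candidates) else "blocked"
        print(f"{verdict:9} {arn}")
```

Once the policy is attached to a role, the authoritative check is IAM's own simulator rather than this script; for example `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names appmesh:StreamAggregatedResources --resource-arns <virtual node ARN>` reports whether the role is allowed to stream that endpoint's configuration, taking into account everything the local evaluator above ignores.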
Create IAM role
If you want all mesh endpoints in a service mesh to be able to read the configuration for all mesh endpoints, then you only need to create one IAM role. If you want to limit the mesh endpoints that configuration can be read from by individual mesh endpoints, then you need to create a role for each policy that you created in the previous step. Complete the instructions for the compute resource that the proxy runs on.
- Amazon EKS – If you want to use a single role, then you can use the existing role that was created and assigned to the worker nodes when you created your cluster. To use multiple roles, your cluster must meet the requirements defined in Enabling IAM Roles for Service Accounts on your Cluster. Create the IAM roles and associate the roles with Kubernetes service accounts. For more information, see Creating an IAM Role and Policy for your Service Account and Specifying an IAM Role for your Service Account.
- Amazon ECS – Select AWS service, select Elastic Container Service, and then select the Elastic Container Service Task use case when creating your IAM role.
- Amazon EC2 – Select AWS service, select EC2, and then select the EC2 use case when creating your IAM role. This applies whether you host the proxy directly on an Amazon EC2 instance or on Kubernetes running on an instance.
For more information about how to create an IAM role, see Creating a Role for an AWS Service.
Attach IAM policy
If you want all mesh endpoints in a service mesh to be able to read the configuration for all mesh endpoints, then attach the AWSAppMeshEnvoyAccess managed IAM policy to the IAM role that you created in a previous step. If you want to limit the mesh endpoints that configuration can be read from by individual mesh endpoints, then attach each policy that you created to each role that you created. For more information about attaching a custom or managed IAM policy to an IAM role, see Adding IAM Identity Permissions.
Attach IAM role
Attach each IAM role to the appropriate compute resource:
- Amazon EKS – If you attached the policy to the role attached to your worker nodes, you can skip this step. If you created separate roles, then assign each role to a separate Kubernetes service account, and assign each service account to an individual Kubernetes pod deployment spec that includes the Envoy proxy. For more information, see Specifying an IAM Role for your Service Account in the Amazon EKS User Guide and Configure Service Accounts for Pods in the Kubernetes documentation.
- Amazon ECS – Attach an Amazon ECS Task Role to the task definition that includes the Envoy proxy. The task can be deployed with the EC2 or Fargate launch type. For more information about how to create an Amazon ECS Task Role and attach it to a task, see Specifying an IAM Role for your Tasks.
- Amazon EC2 – The IAM role must be attached to the Amazon EC2 instance that hosts the Envoy proxy. For more information about how to attach a role to an Amazon EC2 instance, see I’ve created an IAM role, and now I want to assign it to an EC2 instance.
Confirm permission
Confirm that the appmesh:StreamAggregatedResources permission is assigned to the compute resource that you host the proxy on by selecting one of the compute service names.