Mengatur peran IAM untuk akun layanan

Dengan peran IAM untuk akun layanan, Anda dapat mengaitkan peran IAM dengan akun layanan Kubernetes. Akun layanan ini kemudian dapat menyediakan izin AWS ke kontainer-kontainer di setiap pod yang menggunakan akun layanan tersebut. Untuk informasi selengkapnya, lihat peran IAM untuk akun layanan.

Peran IAM untuk akun layanan juga dikenal sebagai peran layanan.

Di Amazon Managed Service for Prometheus, menggunakan peran layanan dapat membantu Anda mendapatkan peran yang Anda perlukan untuk mengotorisasi dan mengautentikasi antara Amazon Managed Service untuk Prometheus, server Prometheus, dan server Grafana.

Prasyarat

Prosedur pada halaman ini mengharuskan Anda menginstal antarmuka baris perintah AWS CLI dan EKSCTL.

Menyiapkan peran layanan untuk menelan metrik dari kluster Amazon EKS

Untuk menyiapkan peran layanan guna mengaktifkan Layanan Terkelola Amazon untuk Prometheus untuk mengambil metrik dari server Prometheus di kluster Amazon EKS, Anda harus masuk ke akun dengan izin berikut:

• iam:CreateRole

• iam:CreatePolicy

• iam:GetRole

• iam:AttachRolePolicy

• iam:GetOpenIDConnectProvider

Untuk mengatur peran layanan untuk masuk ke Amazon Managed Service untuk Prometheus

1. Buat file dengan nama createIRSA-AMPIngest.sh dengan konten berikut ini. Ganti <my_amazon_eks_clustername> dengan nama cluster Anda, dan ganti <my_prometheus_namespace> dengan namespace Prometheus Anda.

   #!/bin/bash -e
   CLUSTER_NAME=<my_amazon_eks_clustername>
   SERVICE_ACCOUNT_NAMESPACE=<my_prometheus_namespace>
   AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
   OIDC_PROVIDER=$(aws eks describe-cluster --name $CLUSTER_NAME --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
   SERVICE_ACCOUNT_AMP_INGEST_NAME=amp-iamproxy-ingest-service-account
   SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE=amp-iamproxy-ingest-role
   SERVICE_ACCOUNT_IAM_AMP_INGEST_POLICY=AMPIngestPolicy
   #
   # Set up a trust policy designed for a specific combination of K8s service account and namespace to sign in from a Kubernetes cluster which hosts the OIDC Idp.
   #
   cat <<EOF > TrustPolicy.json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
         },
         "Action": "sts:AssumeRoleWithWebIdentity",
         "Condition": {
           "StringEquals": {
             "${OIDC_PROVIDER}:sub": "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_AMP_INGEST_NAME}"
           }
         }
       }
     ]
   }
   EOF
   #
   # Set up the permission policy that grants ingest (remote write) permissions for all AMP workspaces
   #
   cat <<EOF > PermissionPolicyIngest.json
   {
     "Version": "2012-10-17",
      "Statement": [
          {"Effect": "Allow",
           "Action": [
              "aps:RemoteWrite", 
              "aps:GetSeries", 
              "aps:GetLabels",
              "aps:GetMetricMetadata"
           ], 
           "Resource": "*"
         }
      ]
   }
   EOF
   
   function getRoleArn() {
     OUTPUT=$(aws iam get-role --role-name $1 --query 'Role.Arn' --output text 2>&1)
   
     # Check for an expected exception
     if [[ $? -eq 0 ]]; then
       echo $OUTPUT
     elif [[ -n $(grep "NoSuchEntity" <<< $OUTPUT) ]]; then
       echo ""
     else
       >&2 echo $OUTPUT
       return 1
     fi
   }
   
   #
   # Create the IAM Role for ingest with the above trust policy
   #
   SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE_ARN=$(getRoleArn $SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE)
   if [ "$SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE_ARN" = "" ]; 
   then
     #
     # Create the IAM role for service account
     #
     SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE_ARN=$(aws iam create-role \
     --role-name $SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE \
     --assume-role-policy-document file://TrustPolicy.json \
     --query "Role.Arn" --output text)
     #
     # Create an IAM permission policy
     #
     SERVICE_ACCOUNT_IAM_AMP_INGEST_ARN=$(aws iam create-policy --policy-name $SERVICE_ACCOUNT_IAM_AMP_INGEST_POLICY \
     --policy-document file://PermissionPolicyIngest.json \
     --query 'Policy.Arn' --output text)
     #
     # Attach the required IAM policies to the IAM role created above
     #
     aws iam attach-role-policy \
     --role-name $SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE \
     --policy-arn $SERVICE_ACCOUNT_IAM_AMP_INGEST_ARN  
   else
       echo "$SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE_ARN IAM role for ingest already exists"
   fi
   echo $SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE_ARN
   #
   # EKS cluster hosts an OIDC provider with a public discovery endpoint.
   # Associate this IdP with AWS IAM so that the latter can validate and accept the OIDC tokens issued by Kubernetes to service accounts.
   # Doing this with eksctl is the easier and best approach.
   #
   eksctl utils associate-iam-oidc-provider --cluster $CLUSTER_NAME --approve

2. Masukkan perintah berikut untuk memberikan skrip hak istimewa yang diperlukan.

   chmod +x createIRSA-AMPIngest.sh

3. Jalankan penulisan.

Menyiapkan peran IAM untuk akun layanan untuk kueri metrik

Untuk menyiapkan peran IAM untuk akun layanan (peran layanan) guna mengaktifkan kueri metrik dari Amazon Managed Service untuk ruang kerja Prometheus, Anda harus masuk ke akun dengan izin berikut:

• iam:CreateRole

• iam:CreatePolicy

• iam:GetRole

• iam:AttachRolePolicy

• iam:GetOpenIDConnectProvider

Untuk menyiapkan peran layanan untuk kueri Amazon Managed Service untuk metrik Prometheus;

1. Buat file dengan nama createIRSA-AMPQuery.sh dengan konten berikut ini. Ganti <my_amazon_eks_clustername> dengan nama cluster Anda, dan ganti <my_prometheus_namespace>dengan namespace Prometheus Anda.

   #!/bin/bash -e
   CLUSTER_NAME=<my_amazon_eks_clustername>
   SERVICE_ACCOUNT_NAMESPACE=<my_prometheus_namespace>
   AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
   OIDC_PROVIDER=$(aws eks describe-cluster --name $CLUSTER_NAME --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
   SERVICE_ACCOUNT_AMP_QUERY_NAME=amp-iamproxy-query-service-account
   SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE=amp-iamproxy-query-role
   SERVICE_ACCOUNT_IAM_AMP_QUERY_POLICY=AMPQueryPolicy
   #
   # Setup a trust policy designed for a specific combination of K8s service account and namespace to sign in from a Kubernetes cluster which hosts the OIDC Idp.
   #
   cat <<EOF > TrustPolicy.json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
         },
         "Action": "sts:AssumeRoleWithWebIdentity",
         "Condition": {
           "StringEquals": {
             "${OIDC_PROVIDER}:sub": "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_AMP_QUERY_NAME}"
           }
         }
       }
     ]
   }
   EOF
   #
   # Set up the permission policy that grants query permissions for all AMP workspaces
   #
   cat <<EOF > PermissionPolicyQuery.json
   {
     "Version": "2012-10-17",
      "Statement": [
          {"Effect": "Allow",
           "Action": [
              "aps:QueryMetrics",
              "aps:GetSeries", 
              "aps:GetLabels",
              "aps:GetMetricMetadata"
           ], 
           "Resource": "*"
         }
      ]
   }
   EOF
   
   function getRoleArn() {
     OUTPUT=$(aws iam get-role --role-name $1 --query 'Role.Arn' --output text 2>&1)
   
     # Check for an expected exception
     if [[ $? -eq 0 ]]; then
       echo $OUTPUT
     elif [[ -n $(grep "NoSuchEntity" <<< $OUTPUT) ]]; then
       echo ""
     else
       >&2 echo $OUTPUT
       return 1
     fi
   }
   
   #
   # Create the IAM Role for query with the above trust policy
   #
   SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE_ARN=$(getRoleArn $SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE)
   if [ "$SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE_ARN" = "" ]; 
   then
     #
     # Create the IAM role for service account
     #
     SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE_ARN=$(aws iam create-role \
     --role-name $SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE \
     --assume-role-policy-document file://TrustPolicy.json \
     --query "Role.Arn" --output text)
     #
     # Create an IAM permission policy
     #
     SERVICE_ACCOUNT_IAM_AMP_QUERY_ARN=$(aws iam create-policy --policy-name $SERVICE_ACCOUNT_IAM_AMP_QUERY_POLICY \
     --policy-document file://PermissionPolicyQuery.json \
     --query 'Policy.Arn' --output text)
     #
     # Attach the required IAM policies to the IAM role create above
     #
     aws iam attach-role-policy \
     --role-name $SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE \
     --policy-arn $SERVICE_ACCOUNT_IAM_AMP_QUERY_ARN  
   else
       echo "$SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE_ARN IAM role for query already exists"
   fi
   echo $SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE_ARN
   #
   # EKS cluster hosts an OIDC provider with a public discovery endpoint.
   # Associate this IdP with AWS IAM so that the latter can validate and accept the OIDC tokens issued by Kubernetes to service accounts.
   # Doing this with eksctl is the easier and best approach.
   #
   eksctl utils associate-iam-oidc-provider --cluster $CLUSTER_NAME --approve

2. Masukkan perintah berikut untuk memberikan skrip hak istimewa yang diperlukan.

   chmod +x createIRSA-AMPQuery.sh

3. Jalankan penulisan.