Granting AWS Resilience Hub access to resources in your Amazon EKS cluster
AWS Resilience Hub allows you to access resources located on Amazon EKS clusters provided you have configured the required permissions.
To grant the required permissions to AWS Resilience Hub for discovering and assessing resources within an Amazon EKS cluster:

1. Configure an IAM role to access the Amazon EKS cluster.

   If you have configured your application using role-based access, you can skip this step and proceed to step 2, using the role that you used for creating the application. For more information about how AWS Resilience Hub uses IAM roles, see How AWS Resilience Hub works with IAM.

   If you have configured your application using current IAM user permissions, you must create the AwsResilienceHubAssessmentEKSAccessRole IAM role in the same account as the Amazon EKS cluster. This IAM role is then used to access your Amazon EKS cluster. While importing and assessing your application, AWS Resilience Hub uses an IAM role to access the resources in your Amazon EKS cluster. This role must be created in the same account as your Amazon EKS cluster, and it is mapped to a Kubernetes group that carries the permissions AWS Resilience Hub needs to assess the cluster.

   If your Amazon EKS cluster is in the same account as the AWS Resilience Hub calling account, create the role using the following IAM trust policy. In this trust policy, caller_IAM_role is the role used in the current account to call the AWS Resilience Hub APIs.

   Note: The caller_IAM_role is the role that is associated with your AWS user account.

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::eks_cluster_account_id:role/caller_IAM_role"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```

   If your Amazon EKS cluster is in a cross account (a different account than the AWS Resilience Hub calling account), you must create the AwsResilienceHubAssessmentEKSAccessRole IAM role using the following IAM trust policy:

   Note: As a prerequisite, to access an Amazon EKS cluster that is deployed in a different account than the AWS Resilience Hub user's account, you must configure multi-account access. For more information, see

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::eks_cluster_account_id:role/AwsResilienceHubExecutorRole"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```
2. Create ClusterRole and ClusterRoleBinding (or RoleBinding) roles for the AWS Resilience Hub application.

   Creating a ClusterRole and ClusterRoleBinding grants the read-only permissions AWS Resilience Hub needs to analyze and assess resources in the relevant namespaces of your Amazon EKS cluster. AWS Resilience Hub lets you limit its access to your namespaces for generating resiliency assessments by completing one of the following:

   - Grant read access across all namespaces to the AWS Resilience Hub application.

     For AWS Resilience Hub to assess the resiliency of resources across all namespaces within an Amazon EKS cluster, you must create the following ClusterRole and ClusterRoleBinding:

     - resilience-hub-eks-access-cluster-role (ClusterRole) – Defines the permissions required by AWS Resilience Hub to assess your Amazon EKS cluster.
     - resilience-hub-eks-access-cluster-role-binding (ClusterRoleBinding) – Defines a group named resilience-hub-eks-access-group in your Amazon EKS cluster and grants its users the permissions required to run resiliency assessments in AWS Resilience Hub.

     The template to grant read access across all namespaces to the AWS Resilience Hub application is as follows:

     ```shell
     cat << EOF | kubectl apply -f -
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRole
     metadata:
       name: resilience-hub-eks-access-cluster-role
     rules:
     - apiGroups:
       - ""
       resources:
       - pods
       - replicationcontrollers
       - nodes
       verbs:
       - get
       - list
     - apiGroups:
       - apps
       resources:
       - deployments
       - replicasets
       verbs:
       - get
       - list
     - apiGroups:
       - policy
       resources:
       - poddisruptionbudgets
       verbs:
       - get
       - list
     - apiGroups:
       - autoscaling.k8s.io
       resources:
       - verticalpodautoscalers
       verbs:
       - get
       - list
     - apiGroups:
       - autoscaling
       resources:
       - horizontalpodautoscalers
       verbs:
       - get
       - list
     - apiGroups:
       - karpenter.sh
       resources:
       - provisioners
       verbs:
       - get
       - list
     - apiGroups:
       - karpenter.k8s.aws
       resources:
       - awsnodetemplates
       verbs:
       - get
       - list
     ---
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
     metadata:
       name: resilience-hub-eks-access-cluster-role-binding
     subjects:
     - kind: Group
       name: resilience-hub-eks-access-group
       apiGroup: rbac.authorization.k8s.io
     roleRef:
       kind: ClusterRole
       name: resilience-hub-eks-access-cluster-role
       apiGroup: rbac.authorization.k8s.io
     ---
     EOF
     ```

   - Grant AWS Resilience Hub access to read specific namespaces.

     You can limit AWS Resilience Hub to resources within a specific set of namespaces using a RoleBinding. To achieve this, you must create the following roles:

     - ClusterRole – For AWS Resilience Hub to access the resources in specific namespaces within an Amazon EKS cluster and assess their resiliency, you must create the following ClusterRole roles:

       - resilience-hub-eks-access-cluster-role – Specifies the permissions needed to assess the resources within specific namespaces.
       - resilience-hub-eks-access-global-cluster-role – Specifies the permissions needed to assess cluster-scoped resources, which are not associated with a specific namespace, within your Amazon EKS clusters. AWS Resilience Hub requires access to cluster-scoped resources (such as nodes) on your Amazon EKS cluster to assess the resiliency of your application.

       The template to create the ClusterRole roles is as follows:

       ```shell
       cat << EOF | kubectl apply -f -
       apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRole
       metadata:
         name: resilience-hub-eks-access-cluster-role
       rules:
       - apiGroups:
         - ""
         resources:
         - pods
         - replicationcontrollers
         verbs:
         - get
         - list
       - apiGroups:
         - apps
         resources:
         - deployments
         - replicasets
         verbs:
         - get
         - list
       - apiGroups:
         - policy
         resources:
         - poddisruptionbudgets
         verbs:
         - get
         - list
       - apiGroups:
         - autoscaling.k8s.io
         resources:
         - verticalpodautoscalers
         verbs:
         - get
         - list
       - apiGroups:
         - autoscaling
         resources:
         - horizontalpodautoscalers
         verbs:
         - get
         - list
       ---
       apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRole
       metadata:
         name: resilience-hub-eks-access-global-cluster-role
       rules:
       - apiGroups:
         - ""
         resources:
         - nodes
         verbs:
         - get
         - list
       - apiGroups:
         - karpenter.sh
         resources:
         - provisioners
         verbs:
         - get
         - list
       - apiGroups:
         - karpenter.k8s.aws
         resources:
         - awsnodetemplates
         verbs:
         - get
         - list
       ---
       EOF
       ```

     - RoleBinding – This role grants the required permissions for AWS Resilience Hub to access resources within specific namespaces. You must create a RoleBinding in each namespace in which AWS Resilience Hub should be able to access resources.

       Note: If you are using ClusterAutoscaler for autoscaling, you must additionally create a RoleBinding in the kube-system namespace. This is necessary to assess your ClusterAutoscaler, which is part of the kube-system namespace. Doing so grants AWS Resilience Hub the permissions required to assess resources inside the kube-system namespace while assessing your Amazon EKS cluster.

       The template to create the RoleBinding is as follows:

       ```shell
       cat << EOF | kubectl apply -f -
       apiVersion: rbac.authorization.k8s.io/v1
       kind: RoleBinding
       metadata:
         name: resilience-hub-eks-access-cluster-role-binding
         namespace: <namespace>
       subjects:
       - kind: Group
         name: resilience-hub-eks-access-group
         apiGroup: rbac.authorization.k8s.io
       roleRef:
         kind: ClusterRole
         name: resilience-hub-eks-access-cluster-role
         apiGroup: rbac.authorization.k8s.io
       ---
       EOF
       ```

     - ClusterRoleBinding – This role grants the required permissions for AWS Resilience Hub to access cluster-scoped resources. The template to create the ClusterRoleBinding is as follows:

       ```shell
       cat << EOF | kubectl apply -f -
       ---
       apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRoleBinding
       metadata:
         name: resilience-hub-eks-access-global-cluster-role-binding
       subjects:
       - kind: Group
         name: resilience-hub-eks-access-group
         apiGroup: rbac.authorization.k8s.io
       roleRef:
         kind: ClusterRole
         name: resilience-hub-eks-access-global-cluster-role
         apiGroup: rbac.authorization.k8s.io
       ---
       EOF
       ```
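The ClusterRole templates in step 2 grant only get and list on a fixed set of resources, and a team that adapts them should confirm that property mechanically before applying the result. The following Python, added here as an example and not part of the AWS documentation, lints RBAC rules for mutating verbs, wildcards and secret access. It assumes a constructed JSON equivalent of the page's resilience-hub-eks-access-cluster-role, trimmed to four of its rules (kubectl apply accepts JSON as well as YAML).

```python
import json

# Verbs a read-only assessment identity is expected to use; anything else is a finding.
READ_ONLY_VERBS = {"get", "list", "watch"}
# Resources an assessment role has no need to read.
SENSITIVE_RESOURCES = {"secrets", "serviceaccounts/token"}

# Constructed JSON equivalent of the page's resilience-hub-eks-access-cluster-role,
# trimmed to four of its rules (kubectl apply accepts JSON as well as YAML).
CLUSTER_ROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "resilience-hub-eks-access-cluster-role"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "replicationcontrollers", "nodes"], "verbs": ["get", "list"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"], "verbs": ["get", "list"]},
    {"apiGroups": ["policy"], "resources": ["poddisruptionbudgets"], "verbs": ["get", "list"]},
    {"apiGroups": ["karpenter.sh"], "resources": ["provisioners"], "verbs": ["get", "list"]}
  ]
}
""")


def audit_rbac_rules(role):
    """Return a finding for every rule that exceeds read-only assessment access."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources:
            findings.append(f"rule {i}: wildcard apiGroup or resource")
        extra = verbs - READ_ONLY_VERBS  # a "*" verb lands here as well
        if extra:
            findings.append(f"rule {i}: non-read-only verbs {sorted(extra)}")
        hit = resources & SENSITIVE_RESOURCES
        if hit:
            findings.append(f"rule {i}: grants access to {sorted(hit)}")
    return findings


def is_read_only(role):
    """True when the role grants nothing beyond get/list/watch on named, non-sensitive resources."""
    return not audit_rbac_rules(role)
```

To check a role that is already in the cluster, feed it the output of `kubectl get clusterrole <name> -o json`; the page's role yields an empty findings list, while a rule adding `delete` on `secrets` yields two.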
3. Update the aws-auth ConfigMap to map the resilience-hub-eks-access-group to the IAM role that is used for accessing the Amazon EKS cluster.

   This step creates a mapping between the IAM role used in step 1 and the Kubernetes group created in step 2. This mapping grants the IAM role permission to access resources inside the Amazon EKS cluster.

   Note:
   - ROLE-NAME refers to the IAM role that is used for accessing the Amazon EKS cluster.
     - If your application is configured to use role-based access, the role should be either the invoker role or the secondary account role that is passed to AWS Resilience Hub while creating the application.
     - If your application is configured to use the current IAM user for accessing resources, it must be the AwsResilienceHubAssessmentEKSAccessRole.
   - ACCOUNT-ID should be the AWS account ID of the Amazon EKS cluster.

   You can create the aws-auth ConfigMap mapping in one of the following ways:

   - Using eksctl

     Use the following command to update the aws-auth ConfigMap:

     ```shell
     eksctl create iamidentitymapping \
       --cluster <cluster-name> \
       --region=<region-code> \
       --arn arn:aws:iam::<ACCOUNT-ID>:role/<ROLE-NAME> \
       --group resilience-hub-eks-access-group \
       --username AwsResilienceHubAssessmentEKSAccessRole
     ```

   - Editing the ConfigMap manually

     You can manually edit the aws-auth ConfigMap by adding the IAM role details to the mapRoles section of the ConfigMap under data. Use the following command to edit the aws-auth ConfigMap:

     ```shell
     kubectl edit -n kube-system configmap/aws-auth
     ```

     The mapRoles section consists of the following parameters:

     - rolearn – The Amazon Resource Name (ARN) of the IAM role to be added. ARN syntax: arn:aws:iam::<ACCOUNT-ID>:role/<ROLE-NAME>.
     - username – The username within Kubernetes to be mapped to the IAM role (AwsResilienceHubAssessmentEKSAccessRole).
     - groups – The group names, which must match the group name created in step 2 (resilience-hub-eks-access-group).

     Note: If the mapRoles section does not exist, you must add it manually.

     Use the following template to add the IAM role details to the mapRoles section of the ConfigMap under data:

     ```yaml
     - groups:
       - resilience-hub-eks-access-group
       rolearn: arn:aws:iam::<ACCOUNT-ID>:role/<ROLE-NAME>
       username: AwsResilienceHubAssessmentEKSAccessRole
     ```