Prerequisites
- Linux terminal is required to run the below commands.
- Existing EKS cluster
- aws cli required.
- eksctl required.
Run the below commands in a Linux terminal from where you have IAM and cluster privileges.
1. cluster_name=<clustername> #update clustername
2. oidc_id=$(aws eks describe-cluster --name $cluster_name --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
3. echo $oidc_id #you will get value similar to 1C95A273C0D216B6A2680D413835C8F7
4. eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approve
5. aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4 #this should print the OIDC ID, confirming the provider is associated with the cluster
#update the OIDC value, Region and Account ID in the below command, then run it. The "sub" condition limits the role to the datagaps service account in the datagaps namespace.
6. cat <<EOF > trust-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<Account ID>:oidc-provider/oidc.eks.ap-south-1.amazonaws.com/id/1C95A273C0D216B6A2680D413835C8F7"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.ap-south-1.amazonaws.com/id/1C95A273C0D216B6A2680D413835C8F7:sub": "system:serviceaccount:datagaps:datagaps"
}
}
}
]
}
EOF
7. aws iam create-role \
--role-name datagaps-eks-emr-role \
--assume-role-policy-document file://"trust-policy.json"
#In the below command update the Account Number and the bucket name given for the EMR cluster
8. cat <<EOF >datagaps-emr-eks-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "cloudformation1",
"Effect": "Allow",
"Action": [
"cloudformation:DeleteStackInstances",
"cloudformation:DescribeStackInstance",
"cloudformation:ListStackInstances",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStackResource",
"cloudformation:CreateStackInstances",
"cloudformation:GetTemplateSummary",
"cloudformation:DescribeStacks",
"cloudformation:GetStackPolicy",
"cloudformation:DescribeStackEvents",
"cloudformation:CreateStack",
"cloudformation:GetTemplate",
"cloudformation:DeleteStack",
"cloudformation:TagResource",
"cloudformation:UntagResource"
],
"Resource": "arn:aws:cloudformation:*:<AccountNumber>:stack/*/*"
},
{
"Sid": "cloudformation2",
"Effect": "Allow",
"Action": [
"cloudformation:CreateUploadBucket",
"cloudformation:ListStacks",
"cloudformation:DescribeType",
"cloudformation:ListTypes",
"cloudformation:DescribeAccountLimits",
"cloudformation:ListTypeVersions"
],
"Resource": "*"
},
{
"Sid": "S3",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetEncryptionConfiguration",
"s3:GetObjectTagging",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::<bucketname>/*",
"arn:aws:s3:::<bucketname>"
]
},
{
"Sid": "EMR1",
"Effect": "Allow",
"Action": [
"elasticmapreduce:GetManagedScalingPolicy",
"elasticmapreduce:PutManagedScalingPolicy",
"elasticmapreduce:ListBootstrapActions",
"elasticmapreduce:PutAutoScalingPolicy",
"elasticmapreduce:ModifyCluster",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:SetTerminationProtection",
"elasticmapreduce:ModifyInstanceFleet",
"elasticmapreduce:ListInstances",
"elasticmapreduce:ModifyInstanceGroups",
"elasticmapreduce:RemoveTags",
"elasticmapreduce:AddTags",
"elasticmapreduce:TerminateJobFlows"
],
"Resource": "arn:aws:elasticmapreduce:*:<AccountNumber>:cluster/*"
},
{
"Sid": "EMR2",
"Effect": "Allow",
"Action": "elasticmapreduce:RunJobFlow",
"Resource": "*"
},
{
"Sid": "EMR3",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"arn:aws:iam::<AccountNumber>:role/EMR_DefaultRole",
"arn:aws:iam::<AccountNumber>:role/EMR_EC2_DefaultRole",
"arn:aws:iam::<AccountNumber>:role/EMR_AutoScaling_DefaultRole"
]
}
]
}
EOF
9. aws iam create-policy \
--policy-name datagaps-emr-eks-policy \
--policy-document file://datagaps-emr-eks-policy.json
10. aws iam attach-role-policy \
--policy-arn arn:aws:iam::<accountnumber>:policy/datagaps-emr-eks-policy \
--role-name datagaps-eks-emr-role
11. kubectl create ns datagaps
12. kubectl create sa datagaps -n datagaps
13. kubectl annotate serviceaccount datagaps -n datagaps eks.amazonaws.com/role-arn=arn:aws:iam::<accountnumber>:role/datagaps-eks-emr-role
After completing the above steps, the service account (datagaps) needs to be added to the DataOpsServer deployment file.