Prerequisites

  1. A Linux terminal is required to run the commands below.
  2. An existing EKS cluster.
  3. The AWS CLI is required.
  4. eksctl is required (kubectl is also used in steps 11–13).



Run the commands below in a Linux terminal from which you have IAM and cluster privileges.


1. cluster_name=<clustername>  #update clustername


2. oidc_id=$(aws eks describe-cluster --name $cluster_name --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)


3. echo $oidc_id  #you will get a value similar to 1C95A273C0D216B6A2680D413835C8F7


4. eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approve


5. aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4  #the OIDC provider ID should be printed, confirming the provider is registered in IAM


#Update the OIDC value, Region and Account ID in the command below (both the "Federated" ARN and the "StringEquals" key), then run it. The "sub" condition restricts this role so that only the datagaps service account in the datagaps namespace can assume it.

6. cat <<EOF > trust-policy.json

{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Effect": "Allow",

      "Principal": {

        "Federated": "arn:aws:iam::<Account ID>:oidc-provider/oidc.eks.ap-south-1.amazonaws.com/id/1C95A273C0D216B6A2680D413835C8F7"

      },

      "Action": "sts:AssumeRoleWithWebIdentity",

      "Condition": {

        "StringEquals": {

          "oidc.eks.ap-south-1.amazonaws.com/id/1C95A273C0D216B6A2680D413835C8F7:sub": "system:serviceaccount:datagaps:datagaps"

        }

      }

    }

  ]

}

EOF


7. aws iam create-role \

  --role-name datagaps-eks-emr-role \

  --assume-role-policy-document file://"trust-policy.json"

#In the command below, update the Account Number (including the three IAM PassRole ARNs) and the bucket name used by the EMR cluster.

8. cat <<EOF >datagaps-emr-eks-policy.json

{

"Version": "2012-10-17",

    "Statement": [

        {

            "Sid": "cloudformation1",

            "Effect": "Allow",

            "Action": [

                "cloudformation:DeleteStackInstances",

                "cloudformation:DescribeStackInstance",

                "cloudformation:ListStackInstances",

                "cloudformation:DescribeStackResources",

                "cloudformation:DescribeStackResource",

                "cloudformation:CreateStackInstances",

                "cloudformation:GetTemplateSummary",

                "cloudformation:DescribeStacks",

                "cloudformation:GetStackPolicy",

                "cloudformation:DescribeStackEvents",

                "cloudformation:CreateStack",

                "cloudformation:GetTemplate",

                "cloudformation:DeleteStack",

                "cloudformation:TagResource",

                "cloudformation:UntagResource"

            ],

            "Resource": "arn:aws:cloudformation:*:<AccountNumber>:stack/*/*"

        },

        {

            "Sid": "cloudformation2",

            "Effect": "Allow",

            "Action": [

                "cloudformation:CreateUploadBucket",

                "cloudformation:ListStacks",

                "cloudformation:DescribeType",

                "cloudformation:ListTypes",

                "cloudformation:DescribeAccountLimits",

                "cloudformation:ListTypeVersions"

            ],

            "Resource": "*"

        },

       {

            "Sid": "S3",

            "Effect": "Allow",

            "Action": [

                "s3:PutObject",

                "s3:GetObject",

                "s3:GetEncryptionConfiguration",

                "s3:GetObjectTagging",

                "s3:ListBucket",

                "s3:GetBucketLocation"

            ],

            "Resource": [

                "arn:aws:s3:::<bucketname>/*",

                "arn:aws:s3:::<bucketname>"

            ]

        },

        {

            "Sid": "EMR1",

            "Effect": "Allow",

            "Action": [

                "elasticmapreduce:GetManagedScalingPolicy",

                "elasticmapreduce:PutManagedScalingPolicy",

                "elasticmapreduce:ListBootstrapActions",

                "elasticmapreduce:PutAutoScalingPolicy",

                "elasticmapreduce:ModifyCluster",

                "elasticmapreduce:DescribeCluster",

                "elasticmapreduce:SetTerminationProtection",

                "elasticmapreduce:ModifyInstanceFleet",

                "elasticmapreduce:ListInstances",

                "elasticmapreduce:ModifyInstanceGroups",

                "elasticmapreduce:RemoveTags",

                "elasticmapreduce:AddTags",

                "elasticmapreduce:TerminateJobFlows"

            ],

            "Resource": "arn:aws:elasticmapreduce:*:<AccountNumber>:cluster/*"

        },

        {

            "Sid": "EMR2",

            "Effect": "Allow",

            "Action": "elasticmapreduce:RunJobFlow",

            "Resource": "*"

        },

        {

            "Sid": "EMR3",

            "Effect": "Allow",

            "Action": "iam:PassRole",

            "Resource": [

                "arn:aws:iam::<AccountNumber>:role/EMR_DefaultRole",

                "arn:aws:iam::<AccountNumber>:role/EMR_EC2_DefaultRole",

                "arn:aws:iam::<AccountNumber>:role/EMR_AutoScaling_DefaultRole"

            ]

        }



    ]

}

EOF


9. aws iam create-policy \

    --policy-name datagaps-emr-eks-policy \

    --policy-document file://datagaps-emr-eks-policy.json


10. aws iam attach-role-policy \

--policy-arn arn:aws:iam::<accountnumber>:policy/datagaps-emr-eks-policy  \

--role-name datagaps-eks-emr-role 


11. kubectl create ns datagaps


12. kubectl create sa datagaps -n datagaps


13. kubectl annotate serviceaccount datagaps -n datagaps eks.amazonaws.com/role-arn=arn:aws:iam::<accountnumber>:role/datagaps-eks-emr-role


After completing the above steps, the service account (datagaps) needs to be added to the DataOpsServer deployment file.