Skip to content

Latest commit

 

History

History
75 lines (60 loc) · 2.8 KB

3.5-AWSFederatedAccountAccess.md

File metadata and controls

75 lines (60 loc) · 2.8 KB

3.5 AWSFederatedAccountAccess

3.5.1 AWSFederatedAccountAccess CR

The AWSFederatedAccountAccess CR creates an instance of an AWSFederatedRole in AWS and allows the target IAM account to assume its role.

apiVersion: aws.managed.openshift.io/v1alpha1
kind: AWSFederatedAccountAccess
metadata:
  name: example-account-access
  namespace: aws-account-operator
spec:
  awsCustomerCredentialSecret:
    name: {Name for secret with osdManagedAdmin credentials}
    namespace: {Namespace for the secret with osdManagedAdmin credentials}
  externalCustomerAWSIAMARN: arn:aws:iam::${EXTERNAL_AWS_ACCOUNT_ID}:user/${EXTERNAL_AWS_IAM_USER}
  awsFederatedRole:
    name: {Name of desired AWSFederatedRole}
    namespace: aws-account-operator

3.5.2 AWSFederatedAccountAccess Controller

The AWSFederatedAccountAccess controller is triggered when an AccountClaim is created in any namespace. It is responsible for the following behaviors:

  1. Ensures the requested AWSFederatedRole exists.
  2. Converts the AWSFederatedRole spec into an AWS Policy Doc.
  3. Creates a unique AWS Role in the AWS containing the OSD cluster using the AWSFederatedRole definition.
  4. Creates a unique AWS Policy if the AWSFederatedRole has awsCustomPolicy defined and attaches it to the Role.
  5. Attaches any specified AWS Managed Policies to the Role.
  6. Keeps the AWS Policy in sync with the backing AWSFederatedRole.

Constants and Globals

None

Spec

spec:
  awsCustomerCredentialSecret:
    name: {Name for secret with osdManagedAdmin credentials}
    namespace: {Namespace for the secret with osdManagedAdmin credentials}
  externalCustomerAWSIAMARN: arn:aws:iam::${EXTERNAL_AWS_ACCOUNT_ID}:user/${EXTERNAL_AWS_IAM_USER}
  awsFederatedRole:
    name: {Name of desired AWSFederatedRole}
    namespace: aws-account-operator
  • awsCustomerCredentialSecret is the secret reference for the osdManagedAdmin IAM user in the AWS account where OSD is installed
  • externalCustomerAWSIAMARN is the AWS ARN for the desired IAM user that will use the AWS role when created. This should be in an AWS account external to the one where OSD is installed.
  • awsFederatedRole is the reference to the target AWSFederatedRole CR to create an instance of.

Status

status:
  conditions:
  - lastProbeTime: {Time Stamp}
    lastTransitionTime: {Time Stamp}
    message: Account Access Ready
    reason: Ready
    status: "True"
    type: Ready
  consoleURL: https://signin.aws.amazon.com/switchrole?account=701718415138&roleName=network-mgmt-5dhkmd
  state: Ready
  • conditions indicates the states the AWSFederatedAccountAccess had and supporting details
  • consoleURL is a generated URL that directly allows the targeted IAM user to access the AWS Role
  • state is the current state of the CR

Metrics

None