From 4508e63a5416a3c78a043745751ab63480b7aa21 Mon Sep 17 00:00:00 2001 From: Fernando Rocha Date: Mon, 20 Jan 2025 20:23:55 -0800 Subject: [PATCH] Including EKS Pod Identity Changes and fixing typo in EKS sample Signed-off-by: Fernando Rocha --- .../integrations/AWS/authenticating-aws.md | 126 +----------------- .../hosting/kubernetes/cluster/setup-eks.md | 2 +- 2 files changed, 4 insertions(+), 124 deletions(-) diff --git a/daprdocs/content/en/developing-applications/integrations/AWS/authenticating-aws.md b/daprdocs/content/en/developing-applications/integrations/AWS/authenticating-aws.md index 9984805ac..a0ca55d42 100644 --- a/daprdocs/content/en/developing-applications/integrations/AWS/authenticating-aws.md +++ b/daprdocs/content/en/developing-applications/integrations/AWS/authenticating-aws.md 
@@ -38,131 +38,11 @@ All of these solutions solve the same problem: They allow the Dapr runtime proce Both Kiam and Kube2IAM work by intercepting calls to the [instance metadata service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html). -## Setting Up Dapr with AWS EKS Pod Identity +### Setting Up Dapr with AWS EKS Pod Identity -This section provides a detailed walkthrough for setting up Dapr with AWS EKS Pod Identity for accessing AWS services. +EKS Pod Identities provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. Instead of creating and distributing your AWS credentials to the containers or using the Amazon EC2 instance’s role, you associate an IAM role with a Kubernetes service account and configure your Pods to use the service account. -### Prerequisites - -- AWS CLI configured with appropriate permissions -- kubectl installed -- eksctl installed -- Docker installed and configured -- A Docker Hub account or another container registry - -### Create EKS Cluster and install Dapr - -Follow the official Dapr documentation for setting up an EKS cluster and installing Dapr: -[Set up an Elastic Kubernetes Service (EKS) cluster](https://docs.dapr.io/operations/hosting/kubernetes/cluster/setup-eks/) - -### Create IAM Role and Enable Pod Identity - -1. Create IAM policy for AWS service access (example shown for a generic AWS service): - -```bash -aws iam create-policy \ - --policy-name dapr-service-policy \ - --policy-document '{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "SERVICE_NAME:ACTION1", - "SERVICE_NAME:ACTION2" - ], - "Resource": "arn:aws:SERVICE_NAME:YOUR_AWS_REGION:YOUR_ACCOUNT_ID:resource/*" - } - ] - }' -``` - -2. 
Create IAM role with Pod Identity trust relationship: - -```bash -aws iam create-role \ - --role-name dapr-pod-identity-role \ - --assume-role-policy-document '{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "pods.eks.amazonaws.com" - }, - "Action": [ - "sts:AssumeRole", - "sts:TagSession" - ] - } - ] - }' -``` - -3. Attach the policy to the role: - -```bash -aws iam attach-role-policy \ - --role-name dapr-pod-identity-role \ - --policy-arn arn:aws:iam::YOUR_ACCOUNT_ID:policy/dapr-service-policy -``` - -### Create Test Resources - -1. Create namespace: - -```bash -kubectl create namespace dapr-test -``` - -2. Create service account: - -```bash -kubectl apply -f k8s-config/service-account.yaml -``` - -3. Create Pod Identity association: - -```bash -eksctl create podidentityassociation \ - --cluster [your-cluster-name] \ - --namespace dapr-test \ - --region [your-aws-region] \ - --service-account-name dapr-test-sa \ - --role-arn arn:aws:iam::YOUR_ACCOUNT_ID:role/dapr-pod-identity-role -``` - -4. Create Dapr component for your AWS service: - -```bash -kubectl apply -f components/aws-component.yaml -``` - -### Troubleshooting - -#### Authentication Issues - -If you see "You must be logged in to the server (Unauthorized)", update your kubeconfig: - -```bash -aws eks update-kubeconfig --region [your-aws-region] --name [your-cluster-name] -``` - -#### Pod Identity Issues - -Verify Pod Identity association: - -```bash -eksctl get podidentityassociation --cluster [your-cluster-name] --region [your-aws-region] -``` - -#### Dapr Component Issues - -Check Dapr sidecar logs: - -```bash -kubectl logs -n dapr-test -l app=test-app -c daprd -``` +To see a comprehensive example on how to authorize pod access to AWS Secrets Manager from EKS using AWS EKS Pod Identity, [follow the sample in this repository](https://github.com/dapr/samples/tree/master/dapr-eks-podidentity). 
### Use an instance profile when running in stand-alone mode on AWS EC2 diff --git a/daprdocs/content/en/operations/hosting/kubernetes/cluster/setup-eks.md b/daprdocs/content/en/operations/hosting/kubernetes/cluster/setup-eks.md index 6a87484cc..b7e8a0f81 100644 --- a/daprdocs/content/en/operations/hosting/kubernetes/cluster/setup-eks.md +++ b/daprdocs/content/en/operations/hosting/kubernetes/cluster/setup-eks.md @@ -66,7 +66,7 @@ This guide walks you through installing an Elastic Kubernetes Service (EKS) clus 1. Create the cluster by running the following command: ```bash - eksctl create cluster -f cluster.yaml + eksctl create cluster -f cluster-config.yaml ``` 1. Verify the kubectl context:
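Review bot: In the authenticating-aws.md hunk, the replacement paragraph drops the only inline description of the IAM trust relationship that Pod Identity depends on (the principal `pods.eks.amazonaws.com` with `sts:AssumeRole` and `sts:TagSession`) and of the least-privilege service policy attached to the role, leaving readers to reconstruct it from the external samples link. Consider keeping a short sentence after "configure your Pods to use the service account" that names the trust principal and the need for a narrowly scoped policy, so the security model is visible even if the linked sample moves. The heading change from `##` to `###` is correct, since it now matches the sibling `### Use an instance profile when running in stand-alone mode on AWS EC2`; the opening sentence should also read "EKS Pod Identity provides" to match the heading, and if the wording is taken from the AWS documentation it should say so.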
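Review bot: In the setup-eks.md hunk, the command now reads `eksctl create cluster -f cluster-config.yaml`, but the surrounding context does not show the earlier step that writes that file; please confirm the step above this command saves the manifest as `cluster-config.yaml` rather than `cluster.yaml`, otherwise the rename moves the typo instead of fixing it. A one-line mention in the commit message of which step defines the file name would make the fix self-evident to future readers.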