mirror of https://github.com/dapr/docs.git
[AWS components] Add note for AWS K8s components (#2459)
* add aws note
Signed-off-by: Hannah Hunter <hannahhunter@microsoft.com>
* small fix
Signed-off-by: Hannah Hunter <hannahhunter@microsoft.com>
Co-authored-by: Mark Fussell <markfussell@gmail.com>
This commit is contained in:
parent
1eaa79591e
commit
ef2e724268
|
@ -8,19 +8,24 @@ aliases:
|
|||
- /developing-applications/integrations/authenticating/authenticating-aws/
|
||||
---
|
||||
|
||||
All Dapr components using various AWS services (DynamoDB, SQS, S3, etc) use a standardized set of attributes for configuration, these are described below.
|
||||
All Dapr components using various AWS services (DynamoDB, SQS, S3, etc) use a standardized set of attributes for configuration. See [how the AWS SDK (which Dapr uses) handles credentials](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials).
|
||||
|
||||
[This article](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials) provides a good overview of how the AWS SDK (which Dapr uses) handles credentials
|
||||
None of the following attributes are required, since you can configure the AWS SDK using the default provider chain, described in the link above. Test the component configuration and inspect the log output from the Dapr runtime to ensure that components initialize correctly.
|
||||
|
||||
None of the following attributes are required, since the AWS SDK may be configured using the default provider chain described in the link above. It's important to test the component configuration and inspect the log output from the Dapr runtime to ensure that components initialize correctly.
|
||||
| Attribute | Description |
|
||||
| --------- | ----------- |
|
||||
| `region` | Which AWS region to connect to. In some situations (when running Dapr in self-hosted mode, for example) this flag can be provided by the environment variable `AWS_REGION`. Since Dapr sidecar injection doesn't allow configuring environment variables on the Dapr sidecar, it is recommended to always set the `region` attribute in the component spec. |
|
||||
| `endpoint` | The endpoint is normally handled internally by the AWS SDK. However, in some situations it might make sense to set it locally - for example if developing against [DynamoDB Local](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DynamoDBLocal.html). |
|
||||
| `accessKey` | AWS Access key id. |
|
||||
| `secretKey` | AWS Secret access key. Use together with `accessKey` to explicitly specify credentials. |
|
||||
| `sessionToken` | AWS Session token. Used together with `accessKey` and `secretKey`. When using a regular IAM user's access key and secret, a session token is normally not required. |
|
||||
|
||||
- `region`: Which AWS region to connect to. In some situations (when running Dapr in self-hosted mode, for example) this flag can be provided by the environment variable `AWS_REGION`. Since Dapr sidecar injection doesn't allow configuring environment variables on the Dapr sidecar, it is recommended to always set the `region` attribute in the component spec.
|
||||
- `endpoint`: The endpoint is normally handled internally by the AWS SDK. However, in some situations it might make sense to set it locally - for example if developing against [DynamoDB Local](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DynamoDBLocal.html).
|
||||
- `accessKey`: AWS Access key id.
|
||||
- `secretKey`: AWS Secret access key. Use together with `accessKey` to explicitly specify credentials.
|
||||
- `sessionToken`: AWS Session token. Used together with `accessKey` and `secretKey`. When using a regular IAM user's access key and secret, a session token is normally not required.
|
||||
{{% alert title="Important" color="warning" %}}
|
||||
When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes), if you're using a node/pod that has already been attached to an IAM policy defining access to AWS resources, you **must not** provide AWS access-key, secret-key, and tokens in the definition of the component spec you're using.
|
||||
{{% /alert %}}
|
||||
|
||||
## Alternatives to explicitly specifying credentials in component manifest files
|
||||
|
||||
In production scenarios, it is recommended to use a solution such as [Kiam](https://github.com/uswitch/kiam) or [Kube2iam](https://github.com/jtblin/kube2iam). If running on AWS EKS, you can [link an IAM role to a Kubernetes service account](https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html), which your pod can use.
|
||||
|
||||
All of these solutions solve the same problem: They allow the Dapr runtime process (or sidecar) to retrive credentials dynamically, so that explicit credentials aren't needed. This provides several benefits, such as automated key rotation, and avoiding having to manage secrets.
|
||||
|
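Review bot: the new alert says the node/pod has been "attached to an IAM policy", but policies attach to an IAM role; it is the role, reached through the node's instance profile or through the service account link to an IAM role that the "Alternatives" section below describes, that supplies the credentials, so "already has an IAM role" is the accurate wording. The alert also speaks of "access-key, secret-key, and tokens" while the table directly above names the attributes `accessKey`, `secretKey` and `sessionToken`; using the attribute names tells the reader exactly which spec fields to leave out. One clause giving the reason would make the rule stick, e.g. "because static keys in the spec take precedence over the role-based credentials and reintroduce long-lived secrets that must be rotated and protected". Pre-existing, but in this hunk's context: "retrive" in the last paragraph should be "retrieve".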
@ -28,37 +33,49 @@ All of these solutions solve the same problem: They allow the Dapr runtime proce
|
|||
Both Kiam and Kube2IAM work by intercepting calls to the [instance metadata service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html).
|
||||
|
||||
## Using instance role/profile when running in stand-alone mode on AWS EC2
|
||||
|
||||
If running Dapr directly on an AWS EC2 instance in stand-alone mode, instance profiles can be used. Simply configure an iam role and [attach it to the instance profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) for the ec2 instance, and Dapr should be able to authenticate to AWS without specifying credentials in the Dapr component manifest.
|
||||
|
||||
## Authenticating to AWS when running dapr locally in stand-alone mode
|
||||
|
||||
When running Dapr (or the Dapr runtime directly) in stand-alone mode, you have the option of injecting environment variables into the process like this (on Linux/MacOS:
|
||||
|
||||
```bash
|
||||
FOO=bar daprd --app-id myapp
|
||||
```
|
||||
|
||||
If you have [configured named AWS profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) locally , you can tell Dapr (or the Dapr runtime) which profile to use by specifying the "AWS_PROFILE" environment variable:
|
||||
|
||||
```bash
|
||||
AWS_PROFILE=myprofile dapr run...
|
||||
```
|
||||
|
||||
or
|
||||
|
||||
```bash
|
||||
AWS_PROFILE=myprofile daprd...
|
||||
```
|
||||
|
||||
You can use any of the [supported environment variables](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html#envvars-list) to configure Dapr in this manner.
|
||||
|
||||
On Windows, the environment variable needs to be set before starting the `dapr` or `daprd` command, doing it inline as shown above is not supported.
|
||||
|
||||
## Authenticating to AWS if using AWS SSO based profiles
|
||||
|
||||
If you authenticate to AWS using [AWS SSO](https://aws.amazon.com/single-sign-on/), some AWS SDKs (including the Go SDK) don't yet support this natively. There are several utilities you can use to "bridge the gap" between AWS SSO-based credentials, and "legacy" credentials, such as [AwsHelper](https://pypi.org/project/awshelper/) or [aws-sso-util](https://github.com/benkehoe/aws-sso-util).
|
||||
|
||||
If using AwsHelper, start Dapr like this:
|
||||
|
||||
```bash
|
||||
AWS_PROFILE=myprofile awshelper dapr run...
|
||||
```
|
||||
|
||||
or
|
||||
|
||||
```bash
|
||||
AWS_PROFILE=myprofile awshelper daprd...
|
||||
```
|
||||
|
||||
On Windows, the environment variable needs to be set before starting the `awshelper` command, doing it inline as shown above is not supported.
|
||||
|
||||
For more information, see [how the AWS SDK (which Dapr uses) handles credentials](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials).
|
||||
|
|
|
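Review bot: the closing "For more information, see [how the AWS SDK (which Dapr uses) handles credentials]" line links the same URL that the first hunk now places in the opening paragraph of this page; one link is enough, or the closing one could instead point back to the "Alternatives to explicitly specifying credentials" section, which is the guidance EKS users actually need. Since this section is being edited anyway, two small pre-existing defects in its context lines are worth fixing: "(on Linux/MacOS:" is missing its closing parenthesis, and "locally ," has a stray space before the comma.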
@ -55,6 +55,10 @@ spec:
|
|||
value: "[aws_session_token]"
|
||||
```
|
||||
|
||||
{{% alert title="Important" color="warning" %}}
|
||||
When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes), if you're using a node/pod that has already been attached to an IAM policy defining access to AWS resources, you **must not** provide AWS access-key, secret-key, and tokens in the definition of the component spec you're using.
|
||||
{{% /alert %}}
|
||||
|
||||
## Apply the configuration
|
||||
|
||||
Once you have created the component's YAML file, follow these instructions to apply it based on your hosting environment:
|
||||
|
|
|
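Review bot: this alert is pasted verbatim into every AWS component page touched by this PR; a shared shortcode or partial (the site already uses `{{% alert %}}` shortcodes) would keep the wording in one place so a later correction does not have to be repeated across ten files. Placement is also worth a look: the warning lands right after a YAML example whose `value: "[aws_session_token]"` placeholder shows static credentials, so a reader copying the example sees the warning only afterwards; a lead sentence before the example saying the keys are for setups without an IAM role (self-hosted or local) would prevent that.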
@ -3,10 +3,10 @@ type: docs
|
|||
title: "Deploy to hybrid Linux/Windows Kubernetes clusters"
|
||||
linkTitle: "Hybrid clusters"
|
||||
weight: 60000
|
||||
description: "How to run Dapr apps on Kubernetes clusters with windows nodes"
|
||||
description: "How to run Dapr apps on Kubernetes clusters with Windows nodes"
|
||||
---
|
||||
|
||||
Dapr supports running on kubernetes clusters with windows nodes. You can run your Dapr microservices exclusively on Windows, exclusively on Linux, or a combination of both. This is helpful to users who may be doing a piecemeal migration of a legacy application into a Dapr Kubernetes cluster.
|
||||
Dapr supports running on Kubernetes clusters with Windows nodes. You can run your Dapr microservices exclusively on Windows, exclusively on Linux, or a combination of both. This is helpful to users who may be doing a piecemeal migration of a legacy application into a Dapr Kubernetes cluster.
|
||||
|
||||
Kubernetes uses a concept called node affinity so that you can denote whether you want your application to be launched on a Linux node or a Windows node. When deploying to a cluster which has both Windows and Linux nodes, you must provide affinity rules for your applications, otherwise the Kubernetes scheduler might launch your application on the wrong type of node.
|
||||
|
||||
|
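Review bot: the Windows/Kubernetes capitalisation fixes in this file are unrelated to the AWS credentials note that the PR title and commit message ("add aws note", "small fix") describe; either mention them in the commit message or split them into their own commit so the change history of the hybrid-cluster page stays searchable.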
@ -38,7 +38,7 @@ If you are installing using the Dapr CLI or via a helm chart, simply follow the
|
|||
|
||||
Affinity will be automatically set for `kubernetes.io/os=linux`. This will be sufficient for most users, as Kubernetes requires at least one Linux node pool.
|
||||
|
||||
> **Note:** Dapr control plane containers are built and tested for both windows and linux, however, we generally recommend using the linux control plane containers. They tend to be smaller and have a much larger user base.
|
||||
> **Note:** Dapr control plane containers are built and tested for both Windows and Linux, however, we generally recommend using the Linux control plane containers. They tend to be smaller and have a much larger user base.
|
||||
|
||||
If you understand the above, but want to deploy the Dapr control plane to Windows, you can do so by setting:
|
||||
|
||||
|
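Review bot: the rewritten note keeps a comma splice: "...built and tested for both Windows and Linux, however, we generally recommend...". Since the line is already being touched, a semicolon or a full stop before "however" fixes it.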
@ -101,7 +101,8 @@ In order to launch a Dapr application on Windows, you'll first need to create a
|
|||
```
|
||||
|
||||
### Linux applications
|
||||
If you have already got a dapr application with runs on Linux, you'll still need to add affinity rules as above, but choose linux affinity instead.
|
||||
|
||||
If you already have a Dapr application that runs on Linux, you'll still need to add affinity rules as above, but choose Linux affinity instead.
|
||||
|
||||
1. Create a deployment YAML
|
||||
|
||||
|
|
|
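Review bot: "choose Linux affinity instead" leaves the reader to guess the label value; naming the one this page already uses for the control plane, `kubernetes.io/os=linux`, in place of the Windows value in the preceding example would make the instruction copy-pasteable.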
@ -50,6 +50,10 @@ The above example uses secrets as plain strings. It is recommended to use a secr
|
|||
| secretKey | Y | Output | The AWS Secret Access Key to access this resource | `"secretAccessKey"` |
|
||||
| sessionToken | N | Output | The AWS session token to use | `"sessionToken"` |
|
||||
|
||||
{{% alert title="Important" color="warning" %}}
|
||||
When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes), if you're using a node/pod that has already been attached to an IAM policy defining access to AWS resources, you **must not** provide AWS access-key, secret-key, and tokens in the definition of the component spec you're using.
|
||||
{{% /alert %}}
|
||||
|
||||
|
||||
## Binding support
|
||||
|
||||
|
|
|
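Review bot: the table marks `secretKey` as Required = Y while the alert directly below says it must not be set when the node or pod already has an IAM role; for EKS users the two statements contradict each other. Marking `accessKey`/`secretKey` as N with a description such as "Required unless the sidecar obtains credentials from an IAM role or the SDK default credential chain" resolves it. There is also a double blank line between the alert and "## Binding support".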
@ -55,6 +55,10 @@ The above example uses secrets as plain strings. It is recommended to use a secr
|
|||
| secretKey | Y | Output | The AWS Secret Access Key to access this resource | `"secretAccessKey"` |
|
||||
| sessionToken | N | Output | The AWS session token to use | `"sessionToken"` |
|
||||
|
||||
{{% alert title="Important" color="warning" %}}
|
||||
When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes), if you're using a node/pod that has already been attached to an IAM policy defining access to AWS resources, you **must not** provide AWS access-key, secret-key, and tokens in the definition of the component spec you're using.
|
||||
{{% /alert %}}
|
||||
|
||||
## Binding support
|
||||
|
||||
This component supports both **input and output** binding interfaces.
|
||||
|
|
|
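Review bot: the alert tells readers what not to do but not what to do instead; a short pointer after it, such as "See Authenticating to AWS ({{< ref authenticating-aws.md >}}) for role-based alternatives", gives them the supported path. The DynamoDB page in this same PR already carries that ref, so the bindings pages can reuse the identical link.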
@ -67,6 +67,10 @@ The above example uses secrets as plain strings. It is recommended to use a secr
|
|||
| disableSSL | N | Output | Allows to connect to non `https://` endpoints. Defaults to `false` | `true`, `false` |
|
||||
| insecureSSL | N | Output | When connecting to `https://` endpoints, accepts invalid or self-signed certificates. Defaults to `false` | `true`, `false` |
|
||||
|
||||
{{% alert title="Important" color="warning" %}}
|
||||
When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes), if you're using a node/pod that has already been attached to an IAM policy defining access to AWS resources, you **must not** provide AWS access-key, secret-key, and tokens in the definition of the component spec you're using.
|
||||
{{% /alert %}}
|
||||
|
||||
### Using with Minio
|
||||
|
||||
[Minio](https://min.io/) is a service that exposes local storage as S3-compatible block storage, and it's a popular alternative to S3 especially in development environments. You can use the S3 binding with Minio too, with some configuration tweaks:
|
||||
|
|
|
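Review bot: the `insecureSSL` row just above the new alert says the option "accepts invalid or self-signed certificates" without naming the consequence: it disables server certificate verification for the S3 endpoint, which only makes sense against a local development target such as the Minio setup described below. Since an "Important" alert is being added here anyway, a one-line warning on that row (or a second alert) would be cheap. The EKS credential warning is also placed among the TLS options rather than next to the `accessKey`/`secretKey` rows it refers to.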
@ -61,7 +61,9 @@ The above example uses secrets as plain strings. It is recommended to use a secr
|
|||
| emailBcc | N | Output | If set, this specifies email address to BCC in. See [also](#example-request) | `"me@example.com"` |
|
||||
| subject | N | Output | If set, this specifies the subject of the email message. See [also](#example-request) | `"subject of mail"` |
|
||||
|
||||
|
||||
{{% alert title="Important" color="warning" %}}
|
||||
When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes), if you're using a node/pod that has already been attached to an IAM policy defining access to AWS resources, you **must not** provide AWS access-key, secret-key, and tokens in the definition of the component spec you're using.
|
||||
{{% /alert %}}
|
||||
|
||||
## Binding support
|
||||
|
||||
|
|
|
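Review bot: there are two blank lines between the `subject` row and the new alert, whereas the other component pages in this PR use one; drop one. Because the rows immediately above the alert are `emailBcc` and `subject`, it is also worth saying in the alert which fields it refers to (`accessKey`, `secretKey`, `sessionToken`), so the warning is not read as being about the email fields.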
@ -50,6 +50,10 @@ The above example uses secrets as plain strings. It is recommended to use a secr
|
|||
| secretKey | Y | Output | The AWS Secret Access Key to access this resource | `"secretAccessKey"` |
|
||||
| sessionToken | N | Output | The AWS session token to use | `"sessionToken"` |
|
||||
|
||||
{{% alert title="Important" color="warning" %}}
|
||||
When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes), if you're using a node/pod that has already been attached to an IAM policy defining access to AWS resources, you **must not** provide AWS access-key, secret-key, and tokens in the definition of the component spec you're using.
|
||||
{{% /alert %}}
|
||||
|
||||
## Binding support
|
||||
|
||||
This component supports **output binding** with the following operations:
|
||||
|
|
|
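Review bot: "EKS (AWS Kubernetes)" is an informal gloss; the service is Amazon Elastic Kubernetes Service, and the first mention on each page should expand it that way (e.g. "Amazon EKS"). Also, `sessionToken` is already marked N in the table, so the alert's "tokens" only matters when the keys are set; phrasing it as "do not set `accessKey`, `secretKey` or `sessionToken`" ties the warning to the rows it sits under.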
@ -50,6 +50,9 @@ The above example uses secrets as plain strings. It is recommended to use a secr
|
|||
| secretKey | Y | Input/Output | The AWS Secret Access Key to access this resource | `"secretAccessKey"` |
|
||||
| sessionToken | N | Input/Output | The AWS session token to use | `"sessionToken"` |
|
||||
|
||||
{{% alert title="Important" color="warning" %}}
|
||||
When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes), if you're using a node/pod that has already been attached to an IAM policy defining access to AWS resources, you **must not** provide AWS access-key, secret-key, and tokens in the definition of the component spec you're using.
|
||||
{{% /alert %}}
|
||||
|
||||
## Binding support
|
||||
|
||||
|
|
|
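Review bot: the `sessionToken` description here ("The AWS session token to use") says nothing about when it applies, while the DynamoDB page in this same PR says "A session token is only required if you are using temporary security credentials"; since this component is used in both directions (Input/Output) and the new alert sits right under the row, aligning the description with the DynamoDB wording would tell readers when the field is relevant at all.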
@ -87,7 +87,9 @@ The above example uses secrets as plain strings. It is recommended to use a secr
|
|||
* Using SQS FIFO (`fifo` metadata field set to `"true"`), per AWS specifications, provides message ordering and deduplication, but incurs a lower SQS processing throughput, among other caveats
|
||||
* Be aware that specifying `fifoMessageGroupID` limits the number of concurrent consumers of the FIFO queue used to only one but guarantees global ordering of messages published by the app's Dapr sidecars. See [this](https://aws.amazon.com/blogs/compute/solving-complex-ordering-challenges-with-amazon-sqs-fifo-queues/) post to better understand the topic of Message Group IDs and FIFO queues.
|
||||
|
||||
|
||||
{{% alert title="Important" color="warning" %}}
|
||||
When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes), if you're using a node/pod that has already been attached to an IAM policy defining access to AWS resources, you **must not** provide AWS access-key, secret-key, and tokens in the definition of the component spec you're using.
|
||||
{{% /alert %}}
|
||||
|
||||
## Create an SNS/SQS instance
|
||||
|
||||
|
|
|
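Review bot: the alert is inserted after the FIFO/`fifoMessageGroupID` bullet list, far from the credential rows it refers to, and is preceded by two blank lines; moving it up next to the `accessKey`/`secretKey` rows (one blank line on each side) keeps the credential guidance together and lets the FIFO notes flow straight into "Create an SNS/SQS instance".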
@ -44,6 +44,11 @@ The above example uses secrets as plain strings. It is recommended to use a loca
|
|||
| accessKey | Y | The AWS Access Key to access this resource | `"key"` |
|
||||
| secretKey | Y | The AWS Secret Access Key to access this resource | `"secretAccessKey"` |
|
||||
| sessionToken | N | The AWS session token to use | `"sessionToken"` |
|
||||
|
||||
{{% alert title="Important" color="warning" %}}
|
||||
When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes), if you're using a node/pod that has already been attached to an IAM policy defining access to AWS resources, you **must not** provide AWS access-key, secret-key, and tokens in the definition of the component spec you're using.
|
||||
{{% /alert %}}
|
||||
|
||||
## Create an AWS SSM Parameter Store instance
|
||||
|
||||
Setup AWS SSM Parameter Store using the AWS documentation: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html.
|
||||
|
|
|
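Review bot: for a secret store the Required = Y on `accessKey`/`secretKey` is a real problem rather than a cosmetic inconsistency: a user on EKS who follows the table will put long-lived AWS keys in plain text in the component YAML of the very component meant to keep secrets out of YAML, and the alert two lines later tells them not to. Change Required to N and state in the description that the keys are needed only when no IAM role is available to the sidecar.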
@ -44,6 +44,11 @@ The above example uses secrets as plain strings. It is recommended to use a loca
|
|||
| accessKey | Y | The AWS Access Key to access this resource | `"key"` |
|
||||
| secretKey | Y | The AWS Secret Access Key to access this resource | `"secretAccessKey"` |
|
||||
| sessionToken | N | The AWS session token to use | `"sessionToken"` |
|
||||
|
||||
{{% alert title="Important" color="warning" %}}
|
||||
When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes), if you're using a node/pod that has already been attached to an IAM policy defining access to AWS resources, you **must not** provide AWS access-key, secret-key, and tokens in the definition of the component spec you're using.
|
||||
{{% /alert %}}
|
||||
|
||||
## Create an AWS Secrets Manager instance
|
||||
|
||||
Setup AWS Secrets Manager using the AWS documentation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_basic.html.
|
||||
|
|
|
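Review bot: the context line "Setup AWS Secrets Manager using the AWS documentation" uses the noun "Setup" as a verb; "Set up" is the imperative (the same applies to the matching line on the SSM Parameter Store page). This hunk is otherwise identical to the SSM Parameter Store hunk, so if the shared alert stays as copied text, the two secret-store pages need to be kept in sync whenever it changes.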
@ -57,6 +57,10 @@ In order to use DynamoDB as a Dapr state store, the table must have a primary ke
|
|||
| sessionToken | N |AWS session token to use. A session token is only required if you are using temporary security credentials. | `"TOKEN"`
|
||||
| ttlAttributeName | N |The table attribute name which should be used for TTL. | `"expiresAt"`
|
||||
|
||||
{{% alert title="Important" color="warning" %}}
|
||||
When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes), if you're using a node/pod that has already been attached to an IAM policy defining access to AWS resources, you **must not** provide AWS access-key, secret-key, and tokens in the definition of the component spec you're using.
|
||||
{{% /alert %}}
|
||||
|
||||
## Setup AWS DynamoDB
|
||||
|
||||
See [Authenticating to AWS]({{< ref authenticating-aws.md >}}) for information about authentication-related attributes
|
||||
|
|
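Review bot: this page already points to the Authenticating to AWS page ("See [Authenticating to AWS]({{< ref authenticating-aws.md >}})") immediately under "## Setup AWS DynamoDB", but the new alert is placed above that heading, so the cross-reference that explains the role-based alternative comes after the warning and under an unrelated setup heading. Moving the "See Authenticating to AWS" sentence directly below the alert, or folding it into the alert, keeps the warning and its remedy together.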