Merge pull request #5622 from kubernetes/gh_4989

Docs for policy to do cross account state store in s3
k8s-ci-robot 2018-08-14 19:00:42 -07:00 committed by GitHub
commit ba728ef1ab
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 28 additions and 0 deletions


@ -56,3 +56,31 @@ There are a few ways to configure your state store. In priority order:
```
kops_state_store: s3://yourstatestore
```
## Cross Account State-store (AWS)
There are situations in which the entity executing kops to create the cluster is not in the same account as the owner of the state store bucket. In this case, you must explicitly grant the permission: `s3:getBucketLocation` to the ARN that is running kops.
You can use the following policy to guide your implementation:
```
{
"Id": "123",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "123",
"Action": [
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::state-store-bucket",
"Principal": {
"AWS": [
"arn:aws:iam::123456789:user/kopsuser"
]
}
}
]
}
```
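Review bot: the new section never says where this policy is attached. Because the statement carries a `Principal` element it is a bucket policy on the state-store bucket (in the bucket owner's account), not an IAM policy for the user running kops; the sentence "You can use the following policy to guide your implementation" should state that, e.g. "Attach a bucket policy like the following to the state store bucket in the owning account". The prose names the action as `s3:getBucketLocation` while the JSON uses `s3:GetBucketLocation`; IAM matches action names case-insensitively, but the docs should use the canonical `s3:GetBucketLocation` in both places. The principal `arn:aws:iam::123456789:user/kopsuser` has a 9-digit account number; AWS account IDs are 12 digits, so a placeholder such as `arn:aws:iam::123456789012:user/kopsuser` is less likely to be copied as a malformed ARN. The `"Id": "123"` / `"Sid": "123"` values could be descriptive (`"Sid": "AllowKopsGetBucketLocation"`), and since the statement grants only `s3:GetBucketLocation`, it would help readers to say explicitly whether the cross-account principal also needs the usual object read/write and list permissions on the bucket or whether those are assumed to be granted elsewhere. Tagging the fence as ```json would also give it syntax highlighting.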