From 243c99166e4cd5a8831805717cc3d951b05ec3a8 Mon Sep 17 00:00:00 2001
From: AkiraFukushima
Date: Tue, 13 Jun 2023 22:52:37 +0900
Subject: [PATCH 1/2] [doc] Update s3api command to create OIDC bucket
Recently AWS disabled ACLs by default, so we need to update s3 commands to create public buckets
---
docs/getting_started/aws.md | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/docs/getting_started/aws.md b/docs/getting_started/aws.md
index e6c6a84ab0..7c4466c168 100644
--- a/docs/getting_started/aws.md
+++ b/docs/getting_started/aws.md
@@ -263,6 +263,12 @@ The ACL must be public so that the AWS STS service can access them.
aws s3api create-bucket \
--bucket prefix-example-com-oidc-store \
--region us-east-1 \
+ --object-ownership BucketOwnerPreferred
+aws s3api put-public-access-block \
+ --bucket prefix-example-com-oidc-store \
+ --public-access-block-configuration BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false
+aws s3api put-bucket-acl \
+ --bucket prefix-example-com-oidc-store \
--acl public-read
```
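Review bot: the `put-public-access-block` call switches off all four Block Public Access settings, but a public-read ACL only requires `BlockPublicAcls=false,IgnorePublicAcls=false`; `BlockPublicPolicy` and `RestrictPublicBuckets` govern bucket policies, not ACLs, and can stay `true` so the bucket cannot also be opened up by a later policy change. Suggest `--public-access-block-configuration BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=true,RestrictPublicBuckets=true`, and a sentence in the prose noting that an account-level Block Public Access setting still overrides this bucket-level one, so readers who hit AccessDenied on `put-bucket-acl` know where to look.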
From 01c3c77ae88c92317f6d5f7b980cb96658675bc8 Mon Sep 17 00:00:00 2001
From: AkiraFukushima
Date: Wed, 14 Jun 2023 18:38:40 +0900
Subject: [PATCH 2/2] [doc] Rename state store section in aws
---
docs/getting_started/aws.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/docs/getting_started/aws.md b/docs/getting_started/aws.md
index 7c4466c168..3c891b24ac 100644
--- a/docs/getting_started/aws.md
+++ b/docs/getting_started/aws.md
@@ -228,7 +228,7 @@ with the cluster's DNS.
**Please DO NOT MOVE ON until you have validated your NS records! This is not required if a gossip-based cluster is created.**
-## Cluster State storage
+## Cluster State store
In order to store the state of your cluster, and the representation of your
cluster, we need to create a dedicated S3 bucket for `kops` to use. This
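Review bot: renaming the heading changes its generated anchor from `#cluster-state-storage` to `#cluster-state-store`, so any link into this section from other docs or the website navigation will break; check for references to the old anchor before merging. Also consider matching the capitalization of the new `## Cluster OIDC store` heading introduced in this patch so the two sibling sections read consistently.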
@@ -254,6 +254,7 @@ to revert or recover a previous state store.
aws s3api put-bucket-versioning --bucket prefix-example-com-state-store --versioning-configuration Status=Enabled
```
+## Cluster OIDC store
In order for ServiceAccounts to use external permissions (aka IAM Roles for ServiceAccounts), you also need a bucket for hosting the OIDC documents.
While you can reuse the bucket above if you grant it a public ACL, we do recommend a separate bucket for these files.
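Review bot: with the new `## Cluster OIDC store` heading, the sentence "you can reuse the bucket above if you grant it a public ACL" now points across a section boundary at the state store bucket, and it only "recommends" a separate bucket. Since the previous section describes that bucket as holding the cluster's state, suggest naming it explicitly and being firmer, e.g. "Do not reuse the state store bucket for this; the OIDC documents must be world-readable, while the state store should stay private."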