AWS Cloud Provider
Nirmata requires read-only access to the EC2 service when using ASGs or Spot Fleet Requests, and full access to the EC2 service when using a Launch Configuration to provision Virtual Machines.
Securely enable AWS and Nirmata access by configuring an IAM role for Nirmata, then providing the Amazon Resource Name (ARN) for the role to Nirmata.
Configure IAM Role for Nirmata in AWS
To securely provide access, configure an IAM role for Nirmata in AWS.
First, launch the Add Cloud Provider Wizard by selecting Cloud Providers from the sidebar menu and clicking on the +Add Cloud Provider button.
Enter a Name and select Amazon Web Services as the Type.
Then select the Settings tab and note the Account ID and External ID.
Next, login to AWS and select Identity & Access Management.
Select Roles from the sidebar menu.
Then click the Create New Role button.
Select the Role Type Another AWS Account and enter the Nirmata Account ID noted on the Settings tab in Nirmata.
Click Next and enter IAMReadOnlyAccess in the Search bar. Enable access. Then search AmazonEC2ReadOnlyAccess in the Search bar. Enable access. Finally, search AmazonEC2FullAccess and enable access.
This allows Nirmata to provision EC2 instances.
For more granular access control, create a custom policy using the Custom Automation Policy Template. This policy limits Start/Stop/TerminateInstances to the instances created by Nirmata, identified by the appropriate tag.
Custom Automation Policy Template:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateTags",
        "ec2:Describe*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:<region>:<account>:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/com.nirmata.createdBy": "nirmata"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListPolicyVersions",
        "iam:ListInstanceProfiles",
        "iam:GetPolicyVersion",
        "iam:SimulateCustomPolicy",
        "iam:PassRole"
      ],
      "Resource": "*"
    }
  ]
}
Note: Be sure to replace the <region> and <account> placeholders with the allowed region (or "*" to allow all regions) and your AWS account ID.
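As an added pre-flight check (example code, not part of Nirmata's documentation or tooling), the following script parses a policy document and flags any statement that grants Start/Stop/TerminateInstances without the com.nirmata.createdBy tag condition or on Resource "*", and any resource ARN that still carries the <region> or <account> placeholder. The sample policies it builds are constructed; the account ID 123456789012 and region us-west-2 are hypothetical.

```python
import json
from fnmatch import fnmatchcase

LIFECYCLE = ("ec2:startinstances", "ec2:stopinstances", "ec2:terminateinstances")
TAG_KEY = "ec2:ResourceTag/com.nirmata.createdBy"
PLACEHOLDERS = ("<region>", "<account>")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_policy(policy_json):
    """Return a list of findings; an empty list means the policy passes."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        for res in resources:
            if any(ph in res for ph in PLACEHOLDERS):
                findings.append(f"statement {idx}: unresolved placeholder in {res}")
        # IAM action names are case-insensitive and may be wildcarded (ec2:*),
        # so match every lifecycle action against every pattern in the statement.
        if any(fnmatchcase(act, pat) for act in LIFECYCLE for pat in patterns):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get(TAG_KEY) != "nirmata":
                findings.append(f"statement {idx}: lifecycle actions not limited to {TAG_KEY}=nirmata")
            if "*" in resources:
                findings.append(f"statement {idx}: lifecycle actions allowed on Resource '*'")
    return findings

def sample_policy(resource, tagged=True, actions=None):
    """Constructed sample modelled on the page's template: a Run/Describe statement
    plus one lifecycle statement whose Resource, Condition and Action vary."""
    lifecycle = {"Effect": "Allow", "Resource": resource, "Action": actions or
                 ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"]}
    if tagged:
        lifecycle["Condition"] = {"StringEquals": {TAG_KEY: "nirmata"}}
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:CreateTags",
                                       "ec2:Describe*"], "Resource": "*"}, lifecycle]})

if __name__ == "__main__":
    # Hypothetical account 123456789012 in us-west-2 replaces the placeholders.
    print(check_policy(sample_policy("arn:aws:ec2:us-west-2:123456789012:instance/*")))
    print(check_policy(sample_policy("arn:aws:ec2:<region>:<account>:instance/*")))
    print(check_policy(sample_policy("*", tagged=False, actions="ec2:*")))
```

Run it against the policy JSON you intend to attach; anything other than an empty list means the template was edited in a way that widens what the role can start, stop or terminate.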
Next, enter a Role Name (e.g. ‘nirmata-aws-role-1’) and Role Description. Then click Create Role.
After creating the AWS IAM role, navigate to the Roles page and copy the Role ARN for the newly created Nirmata Access Role.
Return to the Nirmata Add Cloud Provider Wizard and paste the Role ARN into the Role ARN field. Click Next and Nirmata will validate the settings.
Note: When deploying a Kubernetes cluster on AWS Host Groups, an IAM policy for the hosts in the cluster must be created. This IAM policy allows the AWS cloud controller to access AWS resources.
Examples of these IAM policies can be found here:
Master Nodes: https://github.com/kubernetes/kops/blob/master/pkg/model/iam/tests/iam_builder_master_strict.json
Compute Nodes: https://github.com/kubernetes/kops/blob/master/pkg/model/iam/tests/iam_builder_node_strict.json
For networking, Nirmata uses the Amazon VPC CNI plugin (https://github.com/aws/amazon-vpc-cni-k8s). This plugin requires the following IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:AttachNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DetachNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeInstances",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:AssignPrivateIpAddresses"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "tag:TagResources",
      "Resource": "*"
    }
  ]
}
Next Steps: Set up an AWS Host Group (aws-host-group).