Document URL: https://docs.openshift.com/enterprise/3.1/install_config/configuring_aws.html#exporting-key-value-access-pairs
Section Number and Name: exporting-key-value-access-pairs

Describe the issue: Exported env variables in the user environment will not be picked up by daemons running under systemd.

Suggestions for improvement: Users will need to either provide the values in the relevant configuration file, or provision the instances with an IAM Instance Profile granting the correct permissions needed.

For configuring masters:
- /etc/sysconfig/atomic-openshift-master for single master or pacemaker-based HA
- /etc/sysconfig/atomic-openshift-master-api and /etc/sysconfig/atomic-openshift-master-controllers for native HA

For configuring nodes:
- /etc/sysconfig/atomic-openshift-node

We also need to document the proper IAM permissions (both for using an Instance Profile or providing credentials). I use the following CloudFormation resource snippet for testing (based off of the ones used by the upstream Kubernetes installer):

  "NodePolicy": {
    "Type": "AWS::IAM::Role",
    "Properties": {
      "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": { "Service": [ "ec2.amazonaws.com" ] },
            "Action": [ "sts:AssumeRole" ]
          }
        ]
      },
      "Policies": [
        {
          "PolicyName": "demo-node-1",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [ { "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" } ]
          }
        },
        {
          "PolicyName": "demo-node-2",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [ { "Effect": "Allow", "Action": "ec2:AttachVolume", "Resource": "*" } ]
          }
        },
        {
          "PolicyName": "demo-node-3",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [ { "Effect": "Allow", "Action": "ec2:DetachVolume", "Resource": "*" } ]
          }
        }
      ]
    }
  },
  "MasterPolicy": {
    "Type": "AWS::IAM::Role",
    "Properties": {
      "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": { "Service": [ "ec2.amazonaws.com" ] },
            "Action": [ "sts:AssumeRole" ]
          }
        ]
      },
      "Policies": [
        {
          "PolicyName": "demo-master-1",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*" } ]
          }
        },
        {
          "PolicyName": "demo-master-2",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [ { "Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*" } ]
          }
        }
      ]
    }
  },
  "MasterInstanceProfile": {
    "Type": "AWS::IAM::InstanceProfile",
    "Properties": { "Roles": [ { "Ref": "MasterPolicy" } ] }
  },
  "NodeInstanceProfile": {
    "Type": "AWS::IAM::InstanceProfile",
    "Properties": { "Roles": [ { "Ref": "NodePolicy" } ] }
  }

The actual permissions needed should be validated by Engineering, since I'm not sure how much of the native cloud provider functionality we expose, especially on the master side.
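Added example (not part of the bug report, and not OpenShift or Kubernetes installer code): a small lint over the IAM roles in the reporter's CloudFormation snippet, of the kind you would run before attaching them as instance profiles. The TEMPLATE below is a constructed copy of the snippet; the first role is assumed to be named NodePolicy (the snippet only references that name from NodeInstanceProfile), and the master role's trust policy keeps the missing "Effect" that the as-posted snippet had, so the lint has something real to catch. It also flags full service wildcards (`ec2:*`, `elasticloadbalancing:*`) on `Resource: "*"`, which is the question the reporter leaves to Engineering.

```python
"""Least-privilege lint for AWS::IAM::Role resources in a CloudFormation template.

Added example for the bug report above; TEMPLATE is a constructed copy of the
reporter's snippet (resource name NodePolicy is assumed for the first role).
"""

EC2_SERVICE = "ec2.amazonaws.com"

TEMPLATE = {
    "NodePolicy": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow",
                               "Principal": {"Service": [EC2_SERVICE]},
                               "Action": ["sts:AssumeRole"]}],
            },
            "Policies": [
                {"PolicyName": "demo-node-1", "PolicyDocument": {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}},
                {"PolicyName": "demo-node-2", "PolicyDocument": {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "ec2:AttachVolume", "Resource": "*"}]}},
                {"PolicyName": "demo-node-3", "PolicyDocument": {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "ec2:DetachVolume", "Resource": "*"}]}},
            ],
        },
    },
    "MasterPolicy": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                # "Effect" deliberately omitted, as in the snippet as originally posted
                "Statement": [{"Principal": {"Service": [EC2_SERVICE]},
                               "Action": ["sts:AssumeRole"]}],
            },
            "Policies": [
                {"PolicyName": "demo-master-1", "PolicyDocument": {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}},
                {"PolicyName": "demo-master-2", "PolicyDocument": {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"}]}},
            ],
        },
    },
}


def as_list(value):
    """IAM allows Statement, Action, Resource and Principal.Service as a string or a list."""
    return value if isinstance(value, list) else [value]


def is_service_wildcard(action):
    """'*' or 'service:*' grants every API of a service; 'ec2:Describe*' is a narrower prefix."""
    return action == "*" or action.endswith(":*")


def lint_role(name, role):
    """Return human-readable findings for one AWS::IAM::Role resource."""
    findings = []
    props = role["Properties"]
    # Trust policy: must be well-formed and must only let EC2 instances assume the role.
    for stmt in as_list(props["AssumeRolePolicyDocument"]["Statement"]):
        if "Effect" not in stmt:
            findings.append(f"{name}: trust policy statement has no Effect")
        for principal in as_list(stmt.get("Principal", {}).get("Service", [])):
            if principal != EC2_SERVICE:
                findings.append(f"{name}: trust policy allows {principal}, not only EC2")
    # Inline policies: a full service wildcard on every resource is not least privilege.
    for policy in props.get("Policies", []):
        pname = policy["PolicyName"]
        for stmt in as_list(policy["PolicyDocument"]["Statement"]):
            if stmt.get("Effect") != "Allow":
                continue
            resources = as_list(stmt["Resource"])
            for action in as_list(stmt["Action"]):
                if is_service_wildcard(action) and "*" in resources:
                    findings.append(f"{name}/{pname}: {action} on all resources is a full service grant")
    return findings


def allowed_actions(role):
    """Sorted action patterns an instance holding this role could call."""
    actions = set()
    for policy in role["Properties"].get("Policies", []):
        for stmt in as_list(policy["PolicyDocument"]["Statement"]):
            if stmt.get("Effect") == "Allow":
                actions.update(as_list(stmt["Action"]))
    return sorted(actions)


def lint_template(template):
    """Map each AWS::IAM::Role resource name to its findings."""
    return {name: lint_role(name, res) for name, res in template.items()
            if res.get("Type") == "AWS::IAM::Role"}


if __name__ == "__main__":
    for name, findings in lint_template(TEMPLATE).items():
        print(name, "->", findings or "ok")
        print("  actions:", ", ".join(allowed_actions(TEMPLATE[name])))
```

Run it against the full template (json.load of the real file) rather than the embedded copy; the node role comes out clean, while the master role reports the malformed trust statement and the two `service:*` grants, which is the list to hand to Engineering for trimming.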
We also need to mention that the nodeName value of the node (set by openshift_hostname) must match the metadata provided private-dns-name value in order for the cloud integration to work.
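Added example (not from the bug or from OpenShift): a preflight check for the nodeName requirement in the comment above. It assumes the node config lives at /etc/origin/node/node-config.yaml with a top-level `nodeName:` key, and that the instance metadata path `latest/meta-data/local-hostname` returns the same value as the instance's private DNS name; both the file contents and the metadata fetch are passed in as values so the check can be run (and tested) without an EC2 instance.

```python
"""Verify that a node's nodeName equals the EC2 private DNS name from instance metadata.

Added example for the bug report above. Assumptions: node-config.yaml has a top-level
`nodeName:` line; IMDS local-hostname equals the private DNS name the cloud provider
integration compares against.
"""
import re
import urllib.request

IMDS_LOCAL_HOSTNAME = "http://169.254.169.254/latest/meta-data/local-hostname"
NODE_CONFIG = "/etc/origin/node/node-config.yaml"  # assumed path


def imds_local_hostname(url=IMDS_LOCAL_HOSTNAME, timeout=2):
    """Fetch the private DNS name from the metadata service (only works on an instance)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode().strip()


def node_name_from_config(config_text):
    """Extract the top-level nodeName value from node-config.yaml text, or None."""
    match = re.search(r"^nodeName:\s*['\"]?([^'\"\s#]+)", config_text, re.MULTILINE)
    return match.group(1) if match else None


def check_node_name(config_text, private_dns_name):
    """Return (ok, reason); DNS names compare case-insensitively."""
    node_name = node_name_from_config(config_text)
    if node_name is None:
        return False, "nodeName is not set in node-config.yaml"
    if node_name.lower() != private_dns_name.strip().lower():
        return False, f"nodeName {node_name!r} != metadata local-hostname {private_dns_name!r}"
    return True, "ok"


# Constructed sample config, as openshift_hostname would have written it.
SAMPLE_CONFIG = "apiVersion: v1\nkind: NodeConfig\nnodeName: ip-10-0-1-23.ec2.internal\n"

if __name__ == "__main__":
    with open(NODE_CONFIG) as fh:
        ok, reason = check_node_name(fh.read(), imds_local_hostname())
    print("OK" if ok else "MISMATCH", reason)
    raise SystemExit(0 if ok else 1)
```

A mismatch here means the node will register under a name the AWS cloud provider cannot map to an instance, which is the failure the comment describes; fix openshift_hostname (or nodeName) rather than the DNS record.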
*** This bug has been marked as a duplicate of bug 1452816 ***