Bug 1462823 - [DOCS] AWS configuration does not describe how to use IAM Roles
Status: CLOSED CURRENTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.4.0
Severity: urgent
Assigned To: Gaurav Nelson
Jianwei Hou
Vikram Goyal
Reopened
Blocks: 1467508
Reported: 2017-06-19 11:53 EDT by Steven Walter
Modified: 2018-03-06 20:08 EST
Doc Type: If docs needed, set a value
Clones: 1467508
Last Closed: 2018-03-06 20:08:26 EST
Type: Bug
Attachments: None

Description Steven Walter 2017-06-19 11:53:08 EDT
Document URL: 

https://docs.openshift.com/container-platform/3.5/install_config/configuring_aws.html

Section Number and Name: 
Configuring OpenShift Container Platform for AWS with Ansible
Manually Configuring OpenShift Container Platform Masters for AWS

Describe the issue: 

In the docs it says: "Note: IAM profiles may be used instead of storing API credentials on disk." however there is no description as to what process to take.

Suggestions for improvement: 

If you don't want to set the variables below, how do you use an IAM role to authenticate your hosts with AWS?

AWS_ACCESS_KEY_ID=<key_ID>
AWS_SECRET_ACCESS_KEY=<secret_key>

If it is not possible to use IAM roles we need to change the sentence beginning with "Note:"
Comment 2 Ryan Cook 2017-06-20 11:14:00 EDT
So IAM roles must exist before launching the instances. The cloudformation configuration for creating the IAM role is:

    "NodePolicy": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": [ "ec2.amazonaws.com" ] },
              "Action": [ "sts:AssumeRole" ]
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "node-describe",
            "PolicyDocument": {
              "Version" : "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                     "ec2:Describe*",
                     "ec2:AttachVolume",
                     "ec2:DetachVolume"
                  ],
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    },
    "MasterPolicy": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": [ "ec2.amazonaws.com" ] },
              "Action": [ "sts:AssumeRole" ]
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "master-ec2-all",
            "PolicyDocument": {
              "Version" : "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                     "ec2:*",
                     "elasticloadbalancing:*"
                  ],
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    },
    "MasterInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "DependsOn": "MasterPolicy",
      "Properties": {
        "Roles": [ { "Ref": "MasterPolicy" } ]
      }
    },
    "NodeInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "DependsOn": "NodePolicy",
      "Properties": {
        "Roles": [ { "Ref": "NodePolicy" } ]
      }
    },
Comment 3 Steven Walter 2017-06-20 11:23:21 EDT
Is there anything you need to do on the OpenShift side? What do you put into aws.conf?
Comment 4 Ryan Cook 2017-06-20 11:25:41 EDT
On the OpenShift side all you need to provide is

openshift_cloudprovider_kind: aws

the installation will place an empty file in the location of the aws.conf and pass successfully
Comment 7 Gaurav Nelson 2017-06-22 19:31:10 EDT
Updated the example in the docs to include this information. See https://github.com/openshift/openshift-docs/pull/4645
Comment 8 openshift-github-bot 2017-06-26 19:18:03 EDT
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/32eaf45f2126dcaadffd9a3c9e613c9ec1b72463
Merge pull request #4645 from gaurav-nelson/Bug1462823Fixes

Bug#1462823 - Fixes
Comment 9 Steven Walter 2017-06-27 16:24:12 EDT
1. Is there a configuration option to override the expected name of the roles to assume? For example, is there a way in Openshift to not expect the default role names, but use an attribute named "RoleName" in the cloudformation configuration to specify the generated role name?  Something like:

ADFSAgencyNetworkAdministratorsRole: 
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Federated: !Sub
              - "arn:aws:iam::${accountId}:saml-provider/ADFS"
              - accountId: !Ref "AWS::AccountId"                 
            Action:
              - "sts:AssumeRoleWithSAML"
            Condition:
              StringEquals:
                SAML:aud:
                  - "https://signin.aws.amazon.com/saml" 
      RoleName: "ADFS-AgencyNetworkAdministratorsRole"
      ManagedPolicyArns: 
        - "arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess"
        - "arn:aws:iam::aws:policy/AWSDirectConnectFullAccess"
        - "arn:aws:iam::aws:policy/AmazonRoute53ReadOnlyAccess"

2. Can we be more precise in granting privileges? The ec2:* in the example you give may be a problem. If I need to set aws as the cloud provider but all I need is to dynamically assign Elastic Block Storage for persistent volumes, can I change ec2:* to a smaller list of permissions?
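The following is an added example for this bug page, not code from OpenShift, openshift-ansible or Red Hat. It turns the role and instance-profile resources Ryan posted in Comment 2 into a small generator, adds the RoleName property Steven asks about in Comment 9 (question 1), and lints the inline policies for the ec2:* style wildcards raised in question 2. The trust policy and the two action lists are copied from the page; the role name "openshift-master", the lint rules and the helper names are this example's own assumptions, and it deliberately does not claim which narrower action list the cloud provider needs, since the page leaves that to bug 1467508.

```python
"""Added example for bug 1462823 (not OpenShift/Red Hat code): build the IAM
role + instance profile pair from Comment 2 as a CloudFormation template and
lint its policies for the wildcards Comment 9 objects to.  Trust policy and
action lists come from the page; names and lint rules are assumptions."""
import json
from typing import Dict, List, Optional

# Trust policy from the page: only the EC2 service may assume the role, which is
# what lets an instance obtain temporary credentials from its metadata service
# instead of AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY stored on disk.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["ec2.amazonaws.com"]},
        "Action": ["sts:AssumeRole"],
    }],
}
# Action lists copied from the page's node-describe and master-ec2-all policies.
NODE_ACTIONS = ["ec2:Describe*", "ec2:AttachVolume", "ec2:DetachVolume"]
MASTER_ACTIONS_FROM_PAGE = ["ec2:*", "elasticloadbalancing:*"]


def inline_policy(name: str, actions: List[str], resource: str = "*") -> Dict:
    """One inline policy with a single Allow statement, as in the page's template."""
    return {
        "PolicyName": name,
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": resource}],
        },
    }


def role_and_profile(logical_id: str, policy: Dict, role_name: Optional[str] = None) -> Dict:
    """Return the two resources an instance needs: an AWS::IAM::Role trusted by EC2
    and the AWS::IAM::InstanceProfile that wraps it (instances launch with a
    profile, never a bare role).  role_name, if given, is emitted as the RoleName
    property; otherwise CloudFormation generates a name.  A template that sets
    RoleName must be created with the CAPABILITY_NAMED_IAM capability."""
    role = {
        "Type": "AWS::IAM::Role",
        "Properties": {"AssumeRolePolicyDocument": EC2_TRUST_POLICY, "Policies": [policy]},
    }
    if role_name:
        role["Properties"]["RoleName"] = role_name
    profile = {
        "Type": "AWS::IAM::InstanceProfile",
        "DependsOn": logical_id,
        "Properties": {"Roles": [{"Ref": logical_id}]},  # Ref on a role yields its name
    }
    return {logical_id: role, logical_id + "InstanceProfile": profile}


def build_template(master_actions: List[str] = MASTER_ACTIONS_FROM_PAGE,
                   master_role_name: Optional[str] = None,
                   node_role_name: Optional[str] = None) -> Dict:
    """Assemble a template with the page's NodePolicy / MasterPolicy roles and
    their instance profiles.  Pass a narrower master_actions list to replace
    ec2:*; the page does not say which actions the cloud provider needs, so
    supply a list you have verified against your own cluster."""
    resources: Dict = {}
    resources.update(role_and_profile(
        "NodePolicy", inline_policy("node-describe", NODE_ACTIONS), node_role_name))
    resources.update(role_and_profile(
        "MasterPolicy", inline_policy("master-ec2-all", master_actions), master_role_name))
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}


def wildcard_findings(policy_document: Dict) -> List[str]:
    """Flag Allow statements granting a whole service ("ec2:*") or every action
    ("*"), and statements scoped to Resource "*".  Empty list means clean."""
    findings = []
    for i, stmt in enumerate(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for a in ([actions] if isinstance(actions, str) else actions):
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: service-wide action {a}")
        resources = stmt.get("Resource", [])
        if "*" in ([resources] if isinstance(resources, str) else resources):
            findings.append(f"statement {i}: Resource '*'")
    return findings


def lint_template(template: Dict) -> Dict[str, List[str]]:
    """Run wildcard_findings over every inline policy of every IAM role."""
    report = {}
    for logical_id, res in template["Resources"].items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        findings: List[str] = []
        for pol in res["Properties"].get("Policies", []):
            findings += wildcard_findings(pol["PolicyDocument"])
        report[logical_id] = findings
    return report


if __name__ == "__main__":
    tmpl = build_template(master_role_name="openshift-master")  # hypothetical name
    print(json.dumps(tmpl, indent=2))
    for rid, found in lint_template(tmpl).items():
        print(rid, "->", found or "no wildcards")
```

Run as-is it prints the template and reports that the page's master-ec2-all policy carries two service-wide wildcards plus Resource "*", while node-describe is only flagged for Resource "*" (ec2:Describe* is an action-prefix wildcard, which the linter accepts). Once the instances are launched with the profile, the check that the role actually took effect is on the instance itself: the metadata path /latest/meta-data/iam/security-credentials/ lists the role name, and the credentials it returns are what OpenShift uses when aws.conf carries no keys.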
Comment 10 Gaurav Nelson 2017-07-04 01:51:22 EDT
Updates are now live at https://docs.openshift.com/container-platform/3.5/install_config/configuring_aws.html
Comment 11 Gaurav Nelson 2017-07-04 01:55:22 EDT
Cloned this bug.

To address the last comment please see https://bugzilla.redhat.com/show_bug.cgi?id=1467508.
Comment 12 Eric Rich 2018-02-21 16:29:45 EST
Based on https://bugzilla.redhat.com/show_bug.cgi?id=1452816#c21 this looks like this should not have been closed / completed.
Comment 13 Gaurav Nelson 2018-02-25 19:03:46 EST
@Eric, 

Bug was about:
> In the docs it says: "Note: IAM profiles may be used instead of storing API 
> credentials on disk." however there is no description as to what process to
> take.

This was addressed in https://bugzilla.redhat.com/show_bug.cgi?id=1462823#c5 and https://bugzilla.redhat.com/show_bug.cgi?id=1462823#c6 and that is why the bug was closed.

Then there was a follow up question https://bugzilla.redhat.com/show_bug.cgi?id=1462823#c9 
which was addressed in https://bugzilla.redhat.com/show_bug.cgi?id=1467508
Comment 14 Gaurav Nelson 2018-03-06 20:08:26 EST
The updates in https://docs.openshift.com/container-platform/3.7/install_config/configuring_aws.html address all issues.