|
| 1 | +#!/bin/bash |
| 2 | +set -x |
| 3 | + |
| 4 | +# This script aim is to assist users that deploy noobaa on AWS STS cluster. |
| 5 | +# You should deploy OCP cluster with AWS STS configurations. |
| 6 | +# In the script we would create the role-policy and then create the role in AWS. |
| 7 | +# For more information see: https://docs.openshift.com/rosa/authentication/assuming-an-aws-iam-role-for-a-service-account.html |
| 8 | + |
| 9 | +# WARNING: You cannot just run this script! you will need to replace part of the variables below |
| 10 | + |
| 11 | +# ------------------------------------------------------------------------------------------------------------------ |
| 12 | +# Variables: |
| 13 | +# user variables - please REPLACE these values: |
| 14 | +ROLE_NAME="shira-28-11" # role name that you pick in your AWS account (replace shira-28-11 with your value) |
| 15 | +NAMESPACE="test1" # namespace name where noobaa will be running (replace test1 with your value) |
| 16 | + |
| 17 | +# noobaa variables |
| 18 | +SERVICE_ACCOUNT_NAME_1="noobaa" # The service account name of statefulset core and deployment operator |
| 19 | +SERVICE_ACCOUNT_NAME_2="noobaa-endpoint" # The service account name of deployment endpoint |
| 20 | + |
| 21 | +# AWS variables |
| 22 | +# Please make sure these values are not empty (AWS_ACCOUNT_ID, OIDC_PROVIDER) |
| 23 | +# AWS_ACCOUNT_ID is your AWS account number |
| 24 | +AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) |
| 25 | +# If you wish to create the role BEFORE using the cluster, please REPLACE this filed as well |
| 26 | +# The OIDC provider is in the structure: |
| 27 | +# 1) <OIDC-bucket>.s3.<aws-region>.amazonaws.com. for OIDC bucket configurations are in an S3 public bucket |
| 28 | +# 2) `<characters>.cloudfront.net` for OIDC bucket configurations in an S3 private bucket with a public CloudFront distribution URL |
| 29 | +OIDC_PROVIDER=$(oc get authentication cluster -ojson | jq -r .spec.serviceAccountIssuer | sed -e "s/^https:\/\///") |
| 30 | +# the permission (S3 full access) |
| 31 | +POLICY_ARN_STRINGS="arn:aws:iam::aws:policy/AmazonS3FullAccess" |
| 32 | + |
| 33 | +# ------------------------------------------------------------------------------------------------------------------ |
| 34 | +# Creating the role (with AWS CLI) |
| 35 | + |
| 36 | +read -r -d '' TRUST_RELATIONSHIP <<EOF |
| 37 | +{ |
| 38 | + "Version": "2012-10-17", |
| 39 | + "Statement": [ |
| 40 | + { |
| 41 | + "Effect": "Allow", |
| 42 | + "Principal": { |
| 43 | + "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}" |
| 44 | + }, |
| 45 | + "Action": "sts:AssumeRoleWithWebIdentity", |
| 46 | + "Condition": { |
| 47 | + "StringEquals": { |
| 48 | + "${OIDC_PROVIDER}:sub": [ |
| 49 | + "system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT_NAME_1}", |
| 50 | + "system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT_NAME_2}" |
| 51 | + ] |
| 52 | + } |
| 53 | + } |
| 54 | + } |
| 55 | + ] |
| 56 | +} |
| 57 | +EOF |
| 58 | + |
| 59 | + |
| 60 | +echo "${TRUST_RELATIONSHIP}" > trust.json |
| 61 | + |
| 62 | + |
| 63 | +aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document file://trust.json --description "role for demo" |
| 64 | + |
| 65 | + |
| 66 | +while IFS= read -r POLICY_ARN; do |
| 67 | + echo -n "Attaching $POLICY_ARN ... " |
| 68 | + aws iam attach-role-policy \ |
| 69 | + --role-name "$ROLE_NAME" \ |
| 70 | + --policy-arn "${POLICY_ARN}" |
| 71 | + echo "ok." |
| 72 | +done <<< "$POLICY_ARN_STRINGS" |
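Review bot: The two values the comment on line 22 says must not be empty are never checked: if `aws sts get-caller-identity` or `oc get authentication cluster` fails (or `jq` prints `null`), the script still writes a trust policy whose Principal ARN ends in `oidc-provider/` and whose condition key collapses to `:sub`, and since only `set -x` is set, it carries on to `create-role` and the attach loop. Add `: "${AWS_ACCOUNT_ID:?AWS account id could not be resolved}"` and `: "${OIDC_PROVIDER:?OIDC provider could not be resolved}"` right after OIDC_PROVIDER is assigned, and make the role creation gate the rest with `aws iam create-role ... || exit 1`, so a failed create does not get followed by attach-role-policy calls against a role that does not exist. Note that `set -x` echoes the account id and the full trust policy (via the `echo ... > trust.json` line) into whatever captures the session; that is probably acceptable for a demo script but worth a comment. The trust condition correctly pins `sub` to the two service accounts; pairing it with an `aud` condition and scoping the attached policy below AmazonS3FullAccess to the buckets NooBaa actually uses would tighten it further, though both depend on deployment details the script does not show.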