# TOI: EKS cluster discovery using STS AssumeRole (without AWS CLI)

## Problems with the AWS CLI model

- An AWS CLI command is used to generate the EKS cluster bearer token, so the AWS CLI on the MID Server must be configured with the credentials of the service account in which the EKS cluster is deployed.
- Assume EKS clusters are deployed in 100 service accounts. Then 100 MID Servers are required to discover them (each MID Server's AWS CLI mapped to one service account's credentials). This is not feasible in large environments.
- Master-Member account flow / Accessor account flow: in general, member accounts do not have credentials with which to configure the AWS CLI, and the AWS CLI cannot generate a token using "sts:AssumeRole".

## Generating a bearer token without the AWS CLI

To use the non-AWS-CLI model, set the system property `sn_itom_pattern.k8s_aws_cli_to_generate_token` to false:

- true: use the AWS CLI to generate the token
- false: use the AssumeRole flow (without the AWS CLI) to generate the token

How the token is produced in the AssumeRole flow:

- If the service account is configured with credentials, the configured credentials are used to generate the bearer token.
- AssumeRole: the cloud discovery flow is used to generate temporary credentials for a member account using that member account's discovery Role ARN. The generated temporary credentials are then used to construct a token to access the EKS cluster's resources.
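The token constructed from the (temporary) credentials is a presigned STS `GetCallerIdentity` request that signs an `x-k8s-aws-id` header carrying the cluster name, base64url-encoded behind a `k8s-aws-v1.` prefix. The following is an added example, not code from this KB or from ServiceNow; it assumes the `sts:AssumeRole` call (against the member discovery role ARN) has already been made and takes its returned Credentials block as input. The sample credentials are constructed and not valid.

```python
"""Build the EKS bearer token from IAM or STS AssumeRole credentials, no AWS CLI."""
import base64
import datetime as dt
import hashlib
import hmac
import urllib.parse

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # SigV4 payload hash of an empty GET body

# Constructed, invalid sample credentials shaped like the Credentials block that
# sts:AssumeRole returns for the member discovery role (hypothetical values).
SAMPLE_CREDS = {"AccessKeyId": "ASIAEXAMPLEKEY000000",
                "SecretAccessKey": "exampleSecretKey/NotReal+0000000000000000",
                "SessionToken": "FwoExampleSessionToken==/NotReal"}

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def eks_bearer_token(creds: dict, cluster: str, region: str, now=None, expires: int = 60) -> str:
    """Return 'k8s-aws-v1.' + base64url(presigned STS GetCallerIdentity URL).
    The signed x-k8s-aws-id header binds the token to one cluster; a temporary
    SessionToken travels as X-Amz-Security-Token so EKS can verify it with STS."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/sts/aws4_request"
    host = f"sts.{region}.amazonaws.com"
    params = {"Action": "GetCallerIdentity", "Version": "2011-06-15",
              "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{creds['AccessKeyId']}/{scope}",
              "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires),
              "X-Amz-SignedHeaders": "host;x-k8s-aws-id"}
    if creds.get("SessionToken"):  # present only for AssumeRole (temporary) credentials
        params["X-Amz-Security-Token"] = creds["SessionToken"]
    q = lambda s: urllib.parse.quote(s, safe="-_.~")  # RFC 3986 encoding required by SigV4
    query = "&".join(f"{q(k)}={q(v)}" for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", "/", query, f"host:{host}\nx-k8s-aws-id:{cluster}\n",
                           "host;x-k8s-aws-id", EMPTY_SHA256])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    key = _hmac(("AWS4" + creds["SecretAccessKey"]).encode(), amz_date[:8])
    for part in (region, "sts", "aws4_request"):  # derive the scoped signing key
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    url = f"https://{host}/?{query}&X-Amz-Signature={signature}"
    return "k8s-aws-v1." + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")

def decode_token_url(token: str) -> str:
    """Recover the presigned URL from a token (useful when troubleshooting 401s)."""
    body = token[len("k8s-aws-v1."):]
    return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()
```

Send the result as `Authorization: Bearer <token>` to the cluster endpoint; the identity EKS resolves from it must be mapped in aws-auth to the Kubernetes user bound by the ClusterRoleBinding below.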
## MID Server requirements

- The EKS cluster endpoint is reachable from the MID Server instance.
- The MID Server used for EKS cluster discovery should have permissions similar to those used for AWS cloud discovery of the service account in which the EKS cluster is deployed (applicable only to the AWS credential-less discovery flow).

## EKS cluster authentication / authorization

- Authentication: IAM authenticates the caller.
- Authorization: depends on native Kubernetes Role Based Access Control (RBAC).
- Map the IAM user/role to a Kubernetes cluster user/group using either approach:
  - eksctl create iamidentitymapping
  - Edit the ConfigMap manually (aws-auth ConfigMap)

References:

- Map IAM User/Role - https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
- RBAC Authorization - https://kubernetes.io/docs/reference/access-authn-authz/rbac/

## Example configurations

### Cluster Role creation in the EKS cluster

A cluster role (cluster-read-only-role) that allows reading all config objects in the cluster:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-only-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- nonResourceURLs:
  - /metrics
  verbs:
  - get
```

### Cluster Role Binding with a user in the EKS cluster

A cluster role binding that ties the cluster role (cluster-read-only-role) to the user name (discovery-read-only-user).
Use the same user name when creating the IAM identity mapping.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-read-only-role-binding
subjects:
- kind: User
  name: discovery-read-only-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-read-only-role
  apiGroup: rbac.authorization.k8s.io
```

### Enabling IAM user/role access to the cluster

```
eksctl create iamidentitymapping --cluster <ClusterName> --region=<region-code> --arn <ARN> --username <Username> --no-duplicate-arns
```

Where:

- ClusterName: EKS cluster name
- Username: the user name previously created in the cluster role binding (discovery-read-only-user)
- ARN: the IAM user / IAM role used for AWS cloud discovery

### Mapping the IAM user/role to Kubernetes username/groups

Master-Member account flow: master account credentials are configured in the Snow instance. The ARNs below are mapped to Kubernetes users/groups:

- Master account clusters: the IAM user ARN of the configured credentials
- Member account clusters: the member account IAM role ARN used for cloud discovery

Accessor account flow: accessor account credentials are configured in the Snow instance.

- Accessor account: the IAM user ARN of the configured credentials
- Other accounts: the IAM role ARN used for cloud discovery

Note: the examples that follow use the Master-Member account flow only. Similar configurations apply to the Accessor account and credential-less flows.

Reference: How Cloud Discovery determines which credentials to use

## Master account configurations

Master account AWS credentials are configured in the Snow instance.

Note: similar configurations apply to any service account with configured credentials.
| Module | Parameter | Value |
|---|---|---|
| Kubernetes | ClusterRole | cluster-read-only-role |
| Kubernetes | ClusterRoleBinding | discovery-read-only-user |
| AWS | Master account ID | XXXXXXXX1520 |
| AWS | Credentials IAM User | veeranjaneyulu.chinta |
| AWS | eksctl create iamidentitymapping | Full ARN - arn:aws:iam::XXXXXXXX1520:user/veeranjaneyulu.chinta; UserName - discovery-read-only-user |
| Snow Instance | Service Account | XXXXXXXX1520 |
| Snow Instance | Credentials | Configured |

Example screenshots for the master account (screenshots not reproduced here):

1. Master service account in the Snow instance
2. Master account user in the AWS console: Master Account Id – XXXXXXXX1520; IAM user full ARN - arn:aws:iam::XXXXXXXX1520:user/veeranjaneyulu.chinta
3. Map the IAM user to the Kubernetes username:

```
eksctl create iamidentitymapping --cluster <ClusterName> --region=<region-code> --arn arn:aws:iam::XXXXXXXX1520:user/veeranjaneyulu.chinta --username discovery-read-only-user --no-duplicate-arns
```

Where:

- arn:aws:iam::XXXXXXXX1520:user/veeranjaneyulu.chinta: the user credentials configured in the Snow instance to discover cloud resources
- discovery-read-only-user: the user created in the ClusterRoleBinding in the EKS cluster

## Member account configurations

Member account AWS credentials are not configured in the Snow instance; the master account credentials are used for discovery.

Note: similar configurations apply to service accounts whose credentials are not configured in the Snow instance.
| Module | Parameter | Value |
|---|---|---|
| Kubernetes | ClusterRole | cluster-read-only-role |
| Kubernetes | ClusterRoleBinding | discovery-read-only-user |
| AWS | Member account ID | XXXXXXXX8738 |
| AWS | IAM Credentials Role | MemberDiscoveryRole |
| AWS | eksctl create iamidentitymapping | Full ARN - arn:aws:iam::XXXXXXXX8738:role/MemberDiscoveryRole; UserName - discovery-read-only-user |
| Snow Instance | Member Service Account | XXXXXXXX8738 |
| Snow Instance | Credentials | Not configured |
| Snow Instance | Master account | XXXXXXXX1520 |
| Snow Instance | Table - Cloud Service Account AWS Org Assume Role Params | Access role Name - arn:aws:iam::XXXXXXXX8738:role/MemberDiscoveryRole; Cloud Service account – reference to the XXXXXXXX8738 service account |

Note: if no role is specified in this table, Discovery uses the default role OrganizationAccountAccessRole.

Example screenshots for the member account (screenshots not reproduced here):

1. Member service account in the Snow instance
2. Entry in the Cloud Service Account AWS Org Assume Role Params (cloud_service_account_aws_org_assume_role_params) table
3. Member account role in the AWS console: Member Account Id – XXXXXXXX8738; role full ARN - arn:aws:iam::XXXXXXXX8738:role/MemberDiscoveryRole
4. Map the IAM role to the Kubernetes username:

```
eksctl create iamidentitymapping --cluster <ClusterName> --region=<region-code> --arn arn:aws:iam::XXXXXXXX8738:role/MemberDiscoveryRole --username discovery-read-only-user --no-duplicate-arns
```

Where:

- arn:aws:iam::XXXXXXXX8738:role/MemberDiscoveryRole: the IAM role used to discover member account resources
- discovery-read-only-user: the user created in the ClusterRoleBinding in the EKS cluster

Notes:

1. Refer to KB0957891 to set up "AWS Master and Member account cloud discovery using an accessor account".
2. If you have already followed KB0957891 to configure AWS Master/Member account cloud discovery, the Snow instance side configurations mentioned in this KB (KB1182188) do not need to be done again. Use the same user/role ARN to map the EKS cluster (eksctl create iamidentitymapping).
3. Refer to KB1080155 for more details about "Automatic serverless schedule creator for Kubernetes discovery".

**** END of TOI ****