AWS Cloud Provider

Nirmata requires read-only access to the EC2 service when it provisions hosts through Auto Scaling Groups (ASGs) or Spot Fleet Requests, and full (read/write) access to the EC2 service when it launches Virtual Machines itself from a Launch Configuration.

Securely grant Nirmata access to AWS by configuring an IAM role for it, then providing the role's Amazon Resource Name (ARN) to Nirmata. Nirmata assumes this role from its own AWS account; no long-lived access keys from your account are handed over.

Configure IAM Role for Nirmata in AWS

To securely provide access, configure an IAM role for Nirmata in AWS.

First, launch the Add Cloud Provider Wizard by selecting Cloud Providers from the sidebar menu and clicking on the +Add Cloud Provider button.

Enter a Name and select Amazon Web Services as the Type.

Then select the Settings tab and note the Account ID and External ID; both are needed when creating the role in AWS.

Next, login to AWS and select Identity & Access Management.

Select Roles from the sidebar menu.

Then click the Create New Role button.

Select the Role Type Another AWS Account and enter the Nirmata Account ID noted on the Settings tab in Nirmata. Also check Require external ID and enter the External ID noted on the same tab; this adds an sts:ExternalId condition to the role's trust policy, so the role can only be assumed on your behalf and not by another Nirmata tenant who learns its ARN.

Click Next, enter IAMReadOnlyAccess in the Search bar and select that policy. Then search for AmazonEC2ReadOnlyAccess and select it as well. These two managed policies give Nirmata read-only access to IAM and EC2, which is sufficient when hosts are provisioned through ASGs or Spot Fleet Requests. Provisioning EC2 instances directly from a Launch Configuration additionally requires write access to EC2; the custom policy below grants exactly that, scoped to the instances Nirmata creates.

For more granular access control, create a custom policy from the Custom Automation Policy Template below and attach it to the role. The template allows RunInstances, CreateTags and Describe* on all resources, but restricts StartInstances, StopInstances and TerminateInstances to instances carrying the tag com.nirmata.createdBy=nirmata, i.e. the ones Nirmata created, so the role cannot stop or terminate other instances in the account.

Custom Automation Policy Template:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:RunInstances",
                    "ec2:CreateTags",
                    "ec2:Describe*"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:StartInstances",
                    "ec2:StopInstances",
                    "ec2:TerminateInstances"
                ],
                "Resource": "arn:aws:ec2:<region>:<account>:instance/*",
                "Condition": {
                    "StringEquals": {
                        "ec2:ResourceTag/com.nirmata.createdBy": "nirmata"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "autoscaling:Describe*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:GetRole",
                    "iam:ListAttachedRolePolicies",
                    "iam:ListPolicyVersions",
                    "iam:ListInstanceProfiles",
                    "iam:GetPolicyVersion",
                    "iam:SimulateCustomPolicy",
                    "iam:PassRole"
                ],
                "Resource": "*"
            }
        ]
    }

Note: Replace the <region> placeholder with the allowed region (or "*" to allow all regions) and the <account> placeholder with your AWS account ID. The template grants iam:PassRole on all resources; if the hosts Nirmata launches need an instance profile, scope that action to the ARN of the host role so the Nirmata role cannot attach more privileged roles to the instances it starts.

Next, enter a Role Name (e.g. ‘nirmata-aws-role-1’) and Role Description. Then click Create Role.

After creating the AWS IAM role, navigate to the Roles page and copy the Role ARN for the newly created Nirmata Access Role.

Return to the Nirmata Add Cloud Provider Wizard and paste the Role ARN into the Role ARN field. Click Next and Nirmata will validate the settings by assuming the role; a validation failure usually means the trust policy does not name the Nirmata Account ID or the External ID does not match.
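The role creation above can also be scripted. The following Python is an added example written for this page, not Nirmata's own tooling: it builds the trust policy (restricting sts:AssumeRole to the Nirmata account and requiring the External ID from the Settings tab, which is what the Require external ID option in the console produces) and the Custom Automation Policy with the placeholders filled in, then lints the result for the two things a reviewer checks before attaching it: that Start/Stop/Terminate stay bound to the com.nirmata.createdBy tag, and that iam:PassRole is not left on "*". The account IDs, External ID, region and file names are placeholders, not real values.

```python
import json
from typing import Optional

# Assumed placeholder values (not from the page); replace them with the
# Account ID and External ID shown on Nirmata's Settings tab and your own
# AWS account ID and region.
NIRMATA_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "replace-with-nirmata-external-id"
YOUR_ACCOUNT_ID = "222222222222"
REGION = "us-west-2"  # or "*" for every region

DESTRUCTIVE = {"ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"}
TAG_KEY = "ec2:ResourceTag/com.nirmata.createdBy"


def build_trust_policy(nirmata_account: str, external_id: str) -> dict:
    """Trust policy for the role: only Nirmata's account may call
    sts:AssumeRole, and only when it presents the agreed ExternalId, which
    stops another Nirmata tenant from pointing the service at your role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{nirmata_account}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def build_automation_policy(region: str, account: str,
                            instance_role_arn: Optional[str] = None) -> dict:
    """The page's Custom Automation Policy with <region>/<account> filled in.
    PassRole is kept in its own statement so that, when instance_role_arn is
    given, it is limited to that role instead of "*" (a hardening step
    beyond the page's template)."""
    passrole_resource = instance_role_arn or "*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["ec2:RunInstances", "ec2:CreateTags", "ec2:Describe*"],
             "Resource": ["*"]},
            {"Effect": "Allow",
             "Action": sorted(DESTRUCTIVE),
             "Resource": f"arn:aws:ec2:{region}:{account}:instance/*",
             "Condition": {"StringEquals": {TAG_KEY: "nirmata"}}},
            {"Effect": "Allow", "Action": "autoscaling:Describe*", "Resource": "*"},
            {"Effect": "Allow",
             "Action": ["iam:GetRole", "iam:ListAttachedRolePolicies",
                        "iam:ListPolicyVersions", "iam:ListInstanceProfiles",
                        "iam:GetPolicyVersion", "iam:SimulateCustomPolicy"],
             "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:PassRole", "Resource": passrole_resource},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Findings a reviewer would raise before attaching the policy; an empty
    list means the policy passed every check."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st["Action"]))
        resources = set(_as_list(st["Resource"]))
        cond = st.get("Condition", {}).get("StringEquals", {})
        if actions & DESTRUCTIVE and cond.get(TAG_KEY) != "nirmata":
            findings.append(f"statement {i}: start/stop/terminate without {TAG_KEY}=nirmata condition")
        if "iam:PassRole" in actions and "*" in resources:
            findings.append(f"statement {i}: iam:PassRole on * can hand any role to launched instances")
        if actions & {"*", "ec2:*", "iam:*"}:
            findings.append(f"statement {i}: wildcard action")
    return findings


def trust_requires_external_id(trust: dict, external_id: str) -> bool:
    """True only if every AssumeRole statement carries the expected ExternalId."""
    return all(
        st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId") == external_id
        for st in trust["Statement"] if st.get("Action") == "sts:AssumeRole"
    )


if __name__ == "__main__":
    trust = build_trust_policy(NIRMATA_ACCOUNT_ID, EXTERNAL_ID)
    perms = build_automation_policy(REGION, YOUR_ACCOUNT_ID)
    with open("nirmata-trust.json", "w") as f:
        json.dump(trust, f, indent=2)
    with open("nirmata-automation.json", "w") as f:
        json.dump(perms, f, indent=2)
    for finding in lint_policy(perms):
        print("WARN", finding)
```

Run as written, the script writes the two JSON files and prints one warning, because the page's template leaves iam:PassRole on "*"; pass the host role's ARN as the third argument of build_automation_policy to clear it. The files feed the AWS CLI directly: `aws iam create-role --role-name nirmata-aws-role-1 --assume-role-policy-document file://nirmata-trust.json`, then `aws iam put-role-policy --role-name nirmata-aws-role-1 --policy-name NirmataAutomation --policy-document file://nirmata-automation.json`, and `aws iam get-role --role-name nirmata-aws-role-1 --query Role.Arn --output text` prints the Role ARN to paste into the wizard.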

Note: When deploying a Kubernetes cluster on AWS Host Groups, an IAM policy for the hosts in the cluster must be created and attached to the hosts' instance profile. This policy is separate from the Nirmata role above; it is what the AWS cloud controller running on the nodes uses to access AWS resources.

Examples of such policies, taken from the kops project, can be found here:

Master Nodes: https://github.com/kubernetes/kops/blob/master/pkg/model/iam/tests/iam_builder_master_strict.json

Compute Nodes: https://github.com/kubernetes/kops/blob/master/pkg/model/iam/tests/iam_builder_node_strict.json

For networking, Nirmata uses the Amazon VPC CNI plugin (https://github.com/aws/amazon-vpc-cni-k8s). The plugin runs on the hosts and creates, attaches and assigns secondary IPs to ENIs for them, so the following statements belong in the host IAM policy rather than in the Nirmata cross-account role:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:CreateNetworkInterface",
                    "ec2:AttachNetworkInterface",
                    "ec2:DeleteNetworkInterface",
                    "ec2:DetachNetworkInterface",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribeInstances",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:AssignPrivateIpAddresses"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": "tag:TagResources",
                "Resource": "*"
            }
        ]
    }

Newer releases of the plugin may require additional EC2 actions; check the IAM policy shipped with the plugin version you deploy.

Next Steps: Set up an aws-host-group Host Group.