Compare languages | Cloud provider — AWS: подготовка окружения

Для работы cloud-provider и machine-controller-manager требуется доступ в API AWS из-под IAM-пользователя, который обладает достаточным набором прав.

To use the cloud-provider and machine-controller-manager modules, you must access the AWS API as an IAM user with a sufficient set of privileges.

Убедитесь в наличии доступа к нужному региону и наличии необходимых квот.

Make sure that you have access to the desired regions and that you have the necessary quotas.

JSON-спецификация Policy

JSON Policy

Сначала подготовьте JSON-файл с конфигурацией необходимых прав:

First, prepare a JSON file with the configuration of the necessary privileges:

json { “Version”: “2012-10-17”, “Statement”: [ { “Sid”: “VisualEditor0”, “Effect”: “Allow”, “Action”: [ “autoscaling:DescribeAutoScalingGroups”, “autoscaling:DescribeLaunchConfigurations”, “autoscaling:DescribeTags”, “ec2:AllocateAddress”, “ec2:AssociateAddress”, “ec2:AssociateRouteTable”, “ec2:AttachInternetGateway”, “ec2:AttachVolume”, “ec2:AuthorizeSecurityGroupEgress”, “ec2:AuthorizeSecurityGroupIngress”, “ec2:CreateInternetGateway”, “ec2:CreateKeyPair”, “ec2:CreateNATGateway”, “ec2:CreateRoute”, “ec2:CreateRouteTable”, “ec2:CreateSecurityGroup”, “ec2:CreateSubnet”, “ec2:CreateTags”, “ec2:CreateVolume”, “ec2:CreateVpc”, “ec2:DeleteInternetGateway”, “ec2:DeleteKeyPair”, “ec2:DeleteNATGateway”, “ec2:DeleteRoute”, “ec2:DeleteRouteTable”, “ec2:DeleteSecurityGroup”, “ec2:DeleteSubnet”, “ec2:DeleteTags”, “ec2:DeleteVolume”, “ec2:DeleteVpc”, “ec2:DescribeAccountAttributes”, “ec2:DescribeAddresses”, “ec2:DescribeAvailabilityZones”, “ec2:DescribeImages”, “ec2:DescribeInstanceAttribute”, “ec2:DescribeInstanceCreditSpecifications”, “ec2:DescribeInstances”, “ec2:DescribeInstanceTypes”, “ec2:DescribeInternetGateways”, “ec2:DescribeKeyPairs”, “ec2:DescribeNatGateways”, “ec2:DescribeNetworkInterfaces”, “ec2:DescribeRegions”, “ec2:DescribeRouteTables”, “ec2:DescribeSecurityGroups”, “ec2:DescribeSecurityGroupRules”, “ec2:DescribeSubnets”, “ec2:DescribeTags”, “ec2:DescribeVolumesModifications”, “ec2:DescribeVolumes”, “ec2:DescribeVpcAttribute”, “ec2:DescribeVpcClassicLink”, “ec2:DescribeVpcClassicLinkDnsSupport”, “ec2:DescribeVpcs”, “ec2:DetachInternetGateway”, “ec2:DetachVolume”, “ec2:DisassociateAddress”, “ec2:DisassociateRouteTable”, “ec2:ImportKeyPair”, “ec2:ModifyInstanceAttribute”, “ec2:ModifySubnetAttribute”, “ec2:ModifyVolume”, “ec2:ModifyVpcAttribute”, “ec2:ReleaseAddress”, “ec2:RevokeSecurityGroupEgress”, “ec2:RevokeSecurityGroupIngress”, “ec2:RunInstances”, “ec2:TerminateInstances”, “ec2:DescribeVpcPeeringConnections”, “ec2:CreateVpcPeeringConnection”, “ec2:DeleteVpcPeeringConnection”, “ec2:AcceptVpcPeeringConnection”, “elasticloadbalancing:AddTags”, “elasticloadbalancing:ApplySecurityGroupsToLoadBalancer”, “elasticloadbalancing:AttachLoadBalancerToSubnets”, “elasticloadbalancing:ConfigureHealthCheck”, “elasticloadbalancing:CreateListener”, “elasticloadbalancing:CreateLoadBalancer”, “elasticloadbalancing:CreateLoadBalancerListeners”, “elasticloadbalancing:CreateLoadBalancerPolicy”, “elasticloadbalancing:CreateTargetGroup”, “elasticloadbalancing:DeleteListener”, “elasticloadbalancing:DeleteLoadBalancer”, “elasticloadbalancing:DeleteLoadBalancerListeners”, “elasticloadbalancing:DeleteTargetGroup”, “elasticloadbalancing:DeregisterInstancesFromLoadBalancer”, “elasticloadbalancing:DeregisterTargets”, “elasticloadbalancing:DescribeListeners”, “elasticloadbalancing:DescribeLoadBalancerAttributes”, “elasticloadbalancing:DescribeLoadBalancerPolicies”, “elasticloadbalancing:DescribeLoadBalancers”, “elasticloadbalancing:DescribeTargetGroups”, “elasticloadbalancing:DescribeTargetHealth”, “elasticloadbalancing:DetachLoadBalancerFromSubnets”, “elasticloadbalancing:ModifyListener”, “elasticloadbalancing:ModifyLoadBalancerAttributes”, “elasticloadbalancing:ModifyTargetGroup”, “elasticloadbalancing:RegisterInstancesWithLoadBalancer”, “elasticloadbalancing:RegisterTargets”, “elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer”, “elasticloadbalancing:SetLoadBalancerPoliciesOfListener”, “iam:AddRoleToInstanceProfile”, “iam:CreateInstanceProfile”, “iam:CreateRole”, “iam:CreateServiceLinkedRole”, “iam:DeleteInstanceProfile”, “iam:DeleteRole”, “iam:DeleteRolePolicy”, “iam:GetInstanceProfile”, “iam:GetRole”, “iam:GetRolePolicy”, “iam:ListInstanceProfilesForRole”, “iam:ListRolePolicies”, “iam:ListAttachedRolePolicies”, “iam:PassRole”, “iam:PutRolePolicy”, “iam:RemoveRoleFromInstanceProfile”, “iam:TagRole”, “kms:DescribeKey”, “sts:GetCallerIdentity” ], “Resource”: “*” } ] }

json { “Version”: “2012-10-17”, “Statement”: [ { “Sid”: “VisualEditor0”, “Effect”: “Allow”, “Action”: [ “autoscaling:DescribeAutoScalingGroups”, “autoscaling:DescribeLaunchConfigurations”, “autoscaling:DescribeTags”, “ec2:AllocateAddress”, “ec2:AssociateAddress”, “ec2:AssociateRouteTable”, “ec2:AttachInternetGateway”, “ec2:AttachVolume”, “ec2:AuthorizeSecurityGroupEgress”, “ec2:AuthorizeSecurityGroupIngress”, “ec2:CreateInternetGateway”, “ec2:CreateKeyPair”, “ec2:CreateNATGateway”, “ec2:CreateRoute”, “ec2:CreateRouteTable”, “ec2:CreateSecurityGroup”, “ec2:CreateSubnet”, “ec2:CreateTags”, “ec2:CreateVolume”, “ec2:CreateVpc”, “ec2:DeleteInternetGateway”, “ec2:DeleteKeyPair”, “ec2:DeleteNATGateway”, “ec2:DeleteRoute”, “ec2:DeleteRouteTable”, “ec2:DeleteSecurityGroup”, “ec2:DeleteSubnet”, “ec2:DeleteTags”, “ec2:DeleteVolume”, “ec2:DeleteVpc”, “ec2:DescribeAccountAttributes”, “ec2:DescribeAddresses”, “ec2:DescribeAvailabilityZones”, “ec2:DescribeImages”, “ec2:DescribeInstanceAttribute”, “ec2:DescribeInstanceCreditSpecifications”, “ec2:DescribeInstances”, “ec2:DescribeInstanceTypes”, “ec2:DescribeInternetGateways”, “ec2:DescribeKeyPairs”, “ec2:DescribeNatGateways”, “ec2:DescribeNetworkInterfaces”, “ec2:DescribeRegions”, “ec2:DescribeRouteTables”, “ec2:DescribeSecurityGroups”, “ec2:DescribeSecurityGroupRules”, “ec2:DescribeSubnets”, “ec2:DescribeTags”, “ec2:DescribeVolumesModifications”, “ec2:DescribeVolumes”, “ec2:DescribeVpcAttribute”, “ec2:DescribeVpcClassicLink”, “ec2:DescribeVpcClassicLinkDnsSupport”, “ec2:DescribeVpcs”, “ec2:DetachInternetGateway”, “ec2:DetachVolume”, “ec2:DisassociateAddress”, “ec2:DisassociateRouteTable”, “ec2:ImportKeyPair”, “ec2:ModifyInstanceAttribute”, “ec2:ModifySubnetAttribute”, “ec2:ModifyVolume”, “ec2:ModifyVpcAttribute”, “ec2:ReleaseAddress”, “ec2:RevokeSecurityGroupEgress”, “ec2:RevokeSecurityGroupIngress”, “ec2:RunInstances”, “ec2:TerminateInstances”, “ec2:DescribeVpcPeeringConnections”, “ec2:CreateVpcPeeringConnection”, “ec2:DeleteVpcPeeringConnection”, “ec2:AcceptVpcPeeringConnection”, “elasticloadbalancing:AddTags”, “elasticloadbalancing:ApplySecurityGroupsToLoadBalancer”, “elasticloadbalancing:AttachLoadBalancerToSubnets”, “elasticloadbalancing:ConfigureHealthCheck”, “elasticloadbalancing:CreateListener”, “elasticloadbalancing:CreateLoadBalancer”, “elasticloadbalancing:CreateLoadBalancerListeners”, “elasticloadbalancing:CreateLoadBalancerPolicy”, “elasticloadbalancing:CreateTargetGroup”, “elasticloadbalancing:DeleteListener”, “elasticloadbalancing:DeleteLoadBalancer”, “elasticloadbalancing:DeleteLoadBalancerListeners”, “elasticloadbalancing:DeleteTargetGroup”, “elasticloadbalancing:DeregisterInstancesFromLoadBalancer”, “elasticloadbalancing:DeregisterTargets”, “elasticloadbalancing:DescribeListeners”, “elasticloadbalancing:DescribeLoadBalancerAttributes”, “elasticloadbalancing:DescribeLoadBalancerPolicies”, “elasticloadbalancing:DescribeLoadBalancers”, “elasticloadbalancing:DescribeTargetGroups”, “elasticloadbalancing:DescribeTargetHealth”, “elasticloadbalancing:DetachLoadBalancerFromSubnets”, “elasticloadbalancing:ModifyListener”, “elasticloadbalancing:ModifyLoadBalancerAttributes”, “elasticloadbalancing:ModifyTargetGroup”, “elasticloadbalancing:RegisterInstancesWithLoadBalancer”, “elasticloadbalancing:RegisterTargets”, “elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer”, “elasticloadbalancing:SetLoadBalancerPoliciesOfListener”, “iam:AddRoleToInstanceProfile”, “iam:CreateInstanceProfile”, “iam:CreateRole”, “iam:CreateServiceLinkedRole”, “iam:DeleteInstanceProfile”, “iam:DeleteRole”, “iam:DeleteRolePolicy”, “iam:GetInstanceProfile”, “iam:GetRole”, “iam:GetRolePolicy”, “iam:ListInstanceProfilesForRole”, “iam:ListRolePolicies”, “iam:ListAttachedRolePolicies”, “iam:PassRole”, “iam:PutRolePolicy”, “iam:RemoveRoleFromInstanceProfile”, “iam:TagRole”, “kms:DescribeKey”, “sts:GetCallerIdentity” ], “Resource”: “*” } ] }

Инструкции, как применить этот JSON-файл, ниже.

Below, you can find instructions on how to apply this policy.

Настройка IAM через веб-интерфейс

Configuring IAM via the web interface

Чтобы настроить IAM через веб-интерфейс, сначала создайте новую политику (Policy) и примените к ней созданный ранее JSON-файл:

In order to configure IAM via the web interface, first create a new Policy and apply the previously created JSON file to it:

  1. Откройте Identity and Access Management (IAM).
  2. Перейдите в раздел Policies и нажмите Create Policy.
  3. Выберите вкладку JSON и вставьте приведенную выше спецификацию.
  4. Нажмите Next: Tags, затем Next: Review.
  5. Задайте название политики в поле Name (например, D8CloudProviderAWS).
  6. Нажмите Create Policy.
  1. Open Identity and Access Management (IAM).
  2. Open the Policies page and click Create Policy.
  3. Select the JSON tab and insert the policy.
  4. Click Next: Tags, then Next: Review.
  5. Enter a policy name in the Name field (e.g., D8CloudProviderAWS).
  6. Click Create Policy.

Затем добавьте нового пользователя:

Then add a new user:

  1. Перейдите в раздел Users IAM и нажмите Add users.
  2. Задайте имя в поле User name (например, deckhouse).
  1. Open the Users page of IAM and click Add users.
  2. Enter a name in the User name field (e.g., deckhouse).

Примените к нему созданную Policy:

And apply the created Policy to it:

  1. В разделе Select AWS credential type выберите Access key - Programmatic access.
  2. Нажмите Next: Permissions.
  3. Выберите вкладку Attach existing policies directly.
  4. Введите в поле поиска (Filter policies) имя политики, указанное на предыдущих шагах (например, D8CloudProviderAWS), и в полученном списке отметьте checkbox напротив искомой политики.
  5. Нажмите Next: Tags, затем Next: Review.
  6. Нажмите Create user.
  1. Select Access key - Programmatic access in the Select AWS credential type area.
  2. Click Next: Permissions.
  3. Select the Attach existing policies directly tab.
  4. Search (use the Filter policies field) for the policy name entered above (e.g., D8CloudProviderAWS) and click the checkbox next to it.
  5. Click Next: Tags, then Next: Review.
  6. Click Create user.

Сохраните полученные Access key ID и Secret access key.

Save credentials (Access key ID and Secret access key).

Проверьте, есть ли у вашей учетной записи (и, соответственно, у созданного пользователя) доступ к нужным регионам. Для этого выберите необходимый регион в выпадающем списке в правом верхнем углу.

Если произойдет переключение в выбранный регион, доступ к региону есть.

Если доступа к региону нет, вы получите следующее сообщение (может отличаться):

Разрешить использование региона

В этом случае нажмите Continue, чтобы разрешить использование региона.

Make sure that you have access to the desired regions. Select the desired region from the dropdown list in the upper right corner.

If there is a switch to the selected region, then there is access to the region.

If there is no access to the region, then you will receive the following message (may differ):

Enable region

In this case, click Continue to enable the region.

Настройка IAM через CLI

Configuring IAM via the CLI

Также IAM можно настроить через интерфейс командной строки.

Create the JSON specification using the following command.

Для этого с помощью следующей команды сохраните JSON-спецификацию в файл policy.json:

bash cat > policy.json « EOF

EOF

shell cat > policy.json « EOF

EOF

Create a new Policy based on the specification created above with D8CloudProviderAWS as a policy name and the ARN identifier:

Затем создайте новую Policy с именем D8CloudProviderAWS и примечанием ARN, используя JSON-спецификацию из файла policy.json:

shell aws iam create-policy –policy-name D8CloudProviderAWS –policy-document file://policy.json

shell aws iam create-policy –policy-name D8CloudProviderAWS –policy-document file://policy.json

You will see the following:

В ответ отобразится следующий текст:

yaml { “Policy”: { “PolicyName”: “D8CloudProviderAWS”, “PolicyId”: “AAA”, “Arn”: “arn:aws:iam::123:policy/D8CloudProviderAWS”, “Path”: “/”, “DefaultVersionId”: “v1”, “AttachmentCount”: 0, “PermissionsBoundaryUsageCount”: 0, “IsAttachable”: true, “CreateDate”: “2020-08-27T02:52:06+00:00”, “UpdateDate”: “2020-08-27T02:52:06+00:00” } }

yaml { “Policy”: { “PolicyName”: “D8CloudProviderAWS”, “PolicyId”: “AAA”, “Arn”: “arn:aws:iam::123:policy/D8CloudProviderAWS”, “Path”: “/”, “DefaultVersionId”: “v1”, “AttachmentCount”: 0, “PermissionsBoundaryUsageCount”: 0, “IsAttachable”: true, “CreateDate”: “2020-08-27T02:52:06+00:00”, “UpdateDate”: “2020-08-27T02:52:06+00:00” } }

Create a new user:

Создайте нового пользователя:

shell aws iam create-user –user-name deckhouse

shell aws iam create-user –user-name deckhouse

You will see the following:

В ответ отобразится следующий текст:

yaml { “User”: { “Path”: “/”, “UserName”: “deckhouse”, “UserId”: “AAAXXX”, “Arn”: “arn:aws:iam::123:user/deckhouse”, “CreateDate”: “2020-08-27T03:05:42+00:00” } }

yaml { “User”: { “Path”: “/”, “UserName”: “deckhouse”, “UserId”: “AAAXXX”, “Arn”: “arn:aws:iam::123:user/deckhouse”, “CreateDate”: “2020-08-27T03:05:42+00:00” } }

You need to allow access to the API and remember your AccessKeyId + SecretAccessKey values:

Разрешите доступ к API и сохраните пару AccessKeyId + SecretAccessKey:

shell aws iam create-access-key –user-name deckhouse

shell aws iam create-access-key –user-name deckhouse

You will see the following:

В ответ отобразится следующий текст:

yaml { “AccessKey”: { “UserName”: “deckhouse”, “AccessKeyId”: “XXXYYY”, “Status”: “Active”, “SecretAccessKey”: “ZZZzzz”, “CreateDate”: “2020-08-27T03:06:22+00:00” } }

yaml { “AccessKey”: { “UserName”: “deckhouse”, “AccessKeyId”: “XXXYYY”, “Status”: “Active”, “SecretAccessKey”: “ZZZzzz”, “CreateDate”: “2020-08-27T03:06:22+00:00” } }

Attach the specified Policy to the specified User:

Объедините User и Policy:

shell aws iam attach-user-policy –user-name username –policy-arn arn:aws:iam::123:policy/D8CloudProviderAWS

shell aws iam attach-user-policy –user-name username –policy-arn arn:aws:iam::123:policy/D8CloudProviderAWS

Configuring IAM via Terraform

Настройка IAM через Terraform

An example of configuring IAM via Terraform:

Пример настройки IAM через Terraform:

hcl resource “aws_iam_user” “user” { name = “deckhouse” }

hcl resource “aws_iam_user” “user” { name = “deckhouse” }

resource “aws_iam_access_key” “user” { user = aws_iam_user.user.name }

resource “aws_iam_access_key” “user” { user = aws_iam_user.user.name }

resource “aws_iam_policy” “policy” { name = “D8CloudProviderAWS” path = “/” description = “Deckhouse policy”

resource “aws_iam_policy” “policy” { name = “D8CloudProviderAWS” path = “/” description = “Deckhouse policy”

policy = «EOF

EOF }

policy = «EOF

EOF }

resource “aws_iam_user_policy_attachment” “policy-attachment” { user = aws_iam_user.user.name policy_arn = aws_iam_policy.policy.arn }

resource “aws_iam_user_policy_attachment” “policy-attachment” { user = aws_iam_user.user.name policy_arn = aws_iam_policy.policy.arn }