Compare languages | Cloud provider — AWS: Preparing environment

To use the cloud-provider and machine-controller-manager modules, you must access the AWS API as an IAM user with a sufficient set of privileges.

Для работы cloud-provider и machine-controller-manager требуется доступ в API AWS из-под IAM-пользователя, который обладает достаточным набором прав.

Make sure that you have access to the desired regions and that you have the necessary quotas.

Убедитесь в наличии доступа к нужному региону и наличии необходимых квот.

JSON Policy

JSON-спецификация Policy

First, prepare a JSON file with the configuration of the necessary privileges:

Сначала подготовьте JSON-файл с конфигурацией необходимых прав:

json { “Version”: “2012-10-17”, “Statement”: [ { “Sid”: “VisualEditor0”, “Effect”: “Allow”, “Action”: [ “autoscaling:DescribeAutoScalingGroups”, “autoscaling:DescribeLaunchConfigurations”, “autoscaling:DescribeTags”, “ec2:AllocateAddress”, “ec2:AssociateAddress”, “ec2:AssociateRouteTable”, “ec2:AttachInternetGateway”, “ec2:AttachVolume”, “ec2:AuthorizeSecurityGroupEgress”, “ec2:AuthorizeSecurityGroupIngress”, “ec2:CreateInternetGateway”, “ec2:CreateKeyPair”, “ec2:CreateNATGateway”, “ec2:CreateRoute”, “ec2:CreateRouteTable”, “ec2:CreateSecurityGroup”, “ec2:CreateSubnet”, “ec2:CreateTags”, “ec2:CreateVolume”, “ec2:CreateVpc”, “ec2:DeleteInternetGateway”, “ec2:DeleteKeyPair”, “ec2:DeleteNATGateway”, “ec2:DeleteRoute”, “ec2:DeleteRouteTable”, “ec2:DeleteSecurityGroup”, “ec2:DeleteSubnet”, “ec2:DeleteTags”, “ec2:DeleteVolume”, “ec2:DeleteVpc”, “ec2:DescribeAccountAttributes”, “ec2:DescribeAddresses”, “ec2:DescribeAvailabilityZones”, “ec2:DescribeImages”, “ec2:DescribeInstanceAttribute”, “ec2:DescribeInstanceCreditSpecifications”, “ec2:DescribeInstances”, “ec2:DescribeInstanceTypes”, “ec2:DescribeInstanceTopology”, “ec2:DescribeInternetGateways”, “ec2:DescribeKeyPairs”, “ec2:DescribeNatGateways”, “ec2:DescribeNetworkInterfaces”, “ec2:DescribeRegions”, “ec2:DescribeRouteTables”, “ec2:DescribeSecurityGroups”, “ec2:DescribeSecurityGroupRules”, “ec2:DescribeSubnets”, “ec2:DescribeTags”, “ec2:DescribeVolumesModifications”, “ec2:DescribeVolumes”, “ec2:DescribeVpcAttribute”, “ec2:DescribeVpcClassicLink”, “ec2:DescribeVpcClassicLinkDnsSupport”, “ec2:DescribeVpcs”, “ec2:DetachInternetGateway”, “ec2:DetachVolume”, “ec2:DisassociateAddress”, “ec2:DisassociateRouteTable”, “ec2:ImportKeyPair”, “ec2:ModifyInstanceAttribute”, “ec2:ModifySubnetAttribute”, “ec2:ModifyVolume”, “ec2:ModifyVpcAttribute”, “ec2:ReleaseAddress”, “ec2:RevokeSecurityGroupEgress”, “ec2:RevokeSecurityGroupIngress”, “ec2:RunInstances”, “ec2:TerminateInstances”, “ec2:DescribeVpcPeeringConnections”, “ec2:CreateVpcPeeringConnection”, “ec2:DeleteVpcPeeringConnection”, “ec2:AcceptVpcPeeringConnection”, “ec2:CreateNetworkInterface”, “ec2:DescribeNetworkInterfaceAttribute”, “ec2:ModifyNetworkInterfaceAttribute”, “ec2:DeleteNetworkInterface”, “ec2:DescribeNetworkInterfaces”,
“elasticloadbalancing:AddTags”, “elasticloadbalancing:ApplySecurityGroupsToLoadBalancer”, “elasticloadbalancing:AttachLoadBalancerToSubnets”, “elasticloadbalancing:ConfigureHealthCheck”, “elasticloadbalancing:CreateListener”, “elasticloadbalancing:CreateLoadBalancer”, “elasticloadbalancing:CreateLoadBalancerListeners”, “elasticloadbalancing:CreateLoadBalancerPolicy”, “elasticloadbalancing:CreateTargetGroup”, “elasticloadbalancing:DeleteListener”, “elasticloadbalancing:DeleteLoadBalancer”, “elasticloadbalancing:DeleteLoadBalancerListeners”, “elasticloadbalancing:DeleteTargetGroup”, “elasticloadbalancing:DeregisterInstancesFromLoadBalancer”, “elasticloadbalancing:DeregisterTargets”, “elasticloadbalancing:DescribeListeners”, “elasticloadbalancing:DescribeLoadBalancerAttributes”, “elasticloadbalancing:DescribeLoadBalancerPolicies”, “elasticloadbalancing:DescribeLoadBalancers”, “elasticloadbalancing:DescribeTargetGroups”, “elasticloadbalancing:DescribeTargetHealth”, “elasticloadbalancing:DetachLoadBalancerFromSubnets”, “elasticloadbalancing:ModifyListener”, “elasticloadbalancing:ModifyLoadBalancerAttributes”, “elasticloadbalancing:ModifyTargetGroup”, “elasticloadbalancing:RegisterInstancesWithLoadBalancer”, “elasticloadbalancing:RegisterTargets”, “elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer”, “elasticloadbalancing:SetLoadBalancerPoliciesOfListener”, “iam:AddRoleToInstanceProfile”, “iam:CreateInstanceProfile”, “iam:CreateRole”, “iam:CreateServiceLinkedRole”, “iam:DeleteInstanceProfile”, “iam:DeleteRole”, “iam:DeleteRolePolicy”, “iam:GetInstanceProfile”, “iam:GetRole”, “iam:GetRolePolicy”, “iam:ListInstanceProfilesForRole”, “iam:ListRolePolicies”, “iam:ListAttachedRolePolicies”, “iam:PassRole”, “iam:PutRolePolicy”, “iam:RemoveRoleFromInstanceProfile”, “iam:TagRole”, “kms:DescribeKey”, “sts:GetCallerIdentity” ], “Resource”: “*” } ] }

json { “Version”: “2012-10-17”, “Statement”: [ { “Sid”: “VisualEditor0”, “Effect”: “Allow”, “Action”: [ “autoscaling:DescribeAutoScalingGroups”, “autoscaling:DescribeLaunchConfigurations”, “autoscaling:DescribeTags”, “ec2:AllocateAddress”, “ec2:AssociateAddress”, “ec2:AssociateRouteTable”, “ec2:AttachInternetGateway”, “ec2:AttachVolume”, “ec2:AuthorizeSecurityGroupEgress”, “ec2:AuthorizeSecurityGroupIngress”, “ec2:CreateInternetGateway”, “ec2:CreateKeyPair”, “ec2:CreateNATGateway”, “ec2:CreateRoute”, “ec2:CreateRouteTable”, “ec2:CreateSecurityGroup”, “ec2:CreateSubnet”, “ec2:CreateTags”, “ec2:CreateVolume”, “ec2:CreateVpc”, “ec2:DeleteInternetGateway”, “ec2:DeleteKeyPair”, “ec2:DeleteNATGateway”, “ec2:DeleteRoute”, “ec2:DeleteRouteTable”, “ec2:DeleteSecurityGroup”, “ec2:DeleteSubnet”, “ec2:DeleteTags”, “ec2:DeleteVolume”, “ec2:DeleteVpc”, “ec2:DescribeAccountAttributes”, “ec2:DescribeAddresses”, “ec2:DescribeAvailabilityZones”, “ec2:DescribeImages”, “ec2:DescribeInstanceAttribute”, “ec2:DescribeInstanceCreditSpecifications”, “ec2:DescribeInstances”, “ec2:DescribeInstanceTypes”, “ec2:DescribeInstanceTopology”, “ec2:DescribeInternetGateways”, “ec2:DescribeKeyPairs”, “ec2:DescribeNatGateways”, “ec2:DescribeNetworkInterfaces”, “ec2:DescribeRegions”, “ec2:DescribeRouteTables”, “ec2:DescribeSecurityGroups”, “ec2:DescribeSecurityGroupRules”, “ec2:DescribeSubnets”, “ec2:DescribeTags”, “ec2:DescribeVolumesModifications”, “ec2:DescribeVolumes”, “ec2:DescribeVpcAttribute”, “ec2:DescribeVpcClassicLink”, “ec2:DescribeVpcClassicLinkDnsSupport”, “ec2:DescribeVpcs”, “ec2:DetachInternetGateway”, “ec2:DetachVolume”, “ec2:DisassociateAddress”, “ec2:DisassociateRouteTable”, “ec2:ImportKeyPair”, “ec2:ModifyInstanceAttribute”, “ec2:ModifySubnetAttribute”, “ec2:ModifyVolume”, “ec2:ModifyVpcAttribute”, “ec2:ReleaseAddress”, “ec2:RevokeSecurityGroupEgress”, “ec2:RevokeSecurityGroupIngress”, “ec2:RunInstances”, “ec2:TerminateInstances”, “ec2:DescribeVpcPeeringConnections”, “ec2:CreateVpcPeeringConnection”, “ec2:DeleteVpcPeeringConnection”, “ec2:AcceptVpcPeeringConnection”, “ec2:CreateNetworkInterface”, “ec2:DescribeNetworkInterfaceAttribute”, “ec2:ModifyNetworkInterfaceAttribute”, “ec2:DeleteNetworkInterface”, “ec2:DescribeNetworkInterfaces”,
“elasticloadbalancing:AddTags”, “elasticloadbalancing:ApplySecurityGroupsToLoadBalancer”, “elasticloadbalancing:AttachLoadBalancerToSubnets”, “elasticloadbalancing:ConfigureHealthCheck”, “elasticloadbalancing:CreateListener”, “elasticloadbalancing:CreateLoadBalancer”, “elasticloadbalancing:CreateLoadBalancerListeners”, “elasticloadbalancing:CreateLoadBalancerPolicy”, “elasticloadbalancing:CreateTargetGroup”, “elasticloadbalancing:DeleteListener”, “elasticloadbalancing:DeleteLoadBalancer”, “elasticloadbalancing:DeleteLoadBalancerListeners”, “elasticloadbalancing:DeleteTargetGroup”, “elasticloadbalancing:DeregisterInstancesFromLoadBalancer”, “elasticloadbalancing:DeregisterTargets”, “elasticloadbalancing:DescribeListeners”, “elasticloadbalancing:DescribeLoadBalancerAttributes”, “elasticloadbalancing:DescribeLoadBalancerPolicies”, “elasticloadbalancing:DescribeLoadBalancers”, “elasticloadbalancing:DescribeTargetGroups”, “elasticloadbalancing:DescribeTargetHealth”, “elasticloadbalancing:DetachLoadBalancerFromSubnets”, “elasticloadbalancing:ModifyListener”, “elasticloadbalancing:ModifyLoadBalancerAttributes”, “elasticloadbalancing:ModifyTargetGroup”, “elasticloadbalancing:RegisterInstancesWithLoadBalancer”, “elasticloadbalancing:RegisterTargets”, “elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer”, “elasticloadbalancing:SetLoadBalancerPoliciesOfListener”, “iam:AddRoleToInstanceProfile”, “iam:CreateInstanceProfile”, “iam:CreateRole”, “iam:CreateServiceLinkedRole”, “iam:DeleteInstanceProfile”, “iam:DeleteRole”, “iam:DeleteRolePolicy”, “iam:GetInstanceProfile”, “iam:GetRole”, “iam:GetRolePolicy”, “iam:ListInstanceProfilesForRole”, “iam:ListRolePolicies”, “iam:ListAttachedRolePolicies”, “iam:PassRole”, “iam:PutRolePolicy”, “iam:RemoveRoleFromInstanceProfile”, “iam:TagRole”, “kms:DescribeKey”, “sts:GetCallerIdentity” ], “Resource”: “*” } ] }

Below, you can find instructions on how to apply this policy.

Инструкции, как применить этот JSON-файл, ниже.

Configuring IAM via the web interface

Настройка IAM через веб-интерфейс

In order to configure IAM via the web interface, first create a new Policy and apply the previously created JSON file to it:

Чтобы настроить IAM через веб-интерфейс, сначала создайте новую политику (Policy) и примените к ней созданный ранее JSON-файл:

  1. Open Identity and Access Management (IAM).
  2. Open the Policies page and click Create Policy.
  3. Select the JSON tab and insert the policy.
  4. Click Next: Tags, then Next: Review.
  5. Enter a policy name in the Name field (e.g., D8CloudProviderAWS).
  6. Click Create Policy.
  1. Откройте Identity and Access Management (IAM).
  2. Перейдите в раздел Policies и нажмите Create Policy.
  3. Выберите вкладку JSON и вставьте приведенную выше спецификацию.
  4. Нажмите Next: Tags, затем Next: Review.
  5. Задайте название политики в поле Name (например, D8CloudProviderAWS).
  6. Нажмите Create Policy.

Then add a new user:

Затем добавьте нового пользователя:

  1. Open the Users page of IAM and click Add users.
  2. Enter a name in the User name field (e.g., deckhouse).
  1. Перейдите в раздел Users IAM и нажмите Add users.
  2. Задайте имя в поле User name (например, deckhouse).

And apply the created Policy to it:

Примените к нему созданную Policy:

  1. Select Access key - Programmatic access in the Select AWS credential type area.
  2. Click Next: Permissions.
  3. Select the Attach existing policies directly tab.
  4. Search (use the Filter policies field) for the policy name entered above (e.g., D8CloudProviderAWS) and click the checkbox next to it.
  5. Click Next: Tags, then Next: Review.
  6. Click Create user.
  1. В разделе Select AWS credential type выберите Access key - Programmatic access.
  2. Нажмите Next: Permissions.
  3. Выберите вкладку Attach existing policies directly.
  4. Введите в поле поиска (Filter policies) имя политики, указанное на предыдущих шагах (например, D8CloudProviderAWS), и в полученном списке отметьте checkbox напротив искомой политики.
  5. Нажмите Next: Tags, затем Next: Review.
  6. Нажмите Create user.

Save credentials (Access key ID and Secret access key).

Сохраните полученные Access key ID и Secret access key.

Make sure that you have access to the desired regions. Select the desired region from the dropdown list in the upper right corner.

If there is a switch to the selected region, then there is access to the region.

If there is no access to the region, then you will receive the following message (may differ):

Enable region

In this case, click Continue to enable the region.

Проверьте, есть ли у вашей учетной записи (и, соответственно, у созданного пользователя) доступ к нужным регионам. Для этого выберите необходимый регион в выпадающем списке в правом верхнем углу.

Если произойдет переключение в выбранный регион, доступ к региону есть.

Если доступа к региону нет, вы получите следующее сообщение (может отличаться):

Разрешить использование региона

В этом случае нажмите Continue, чтобы разрешить использование региона.

Configuring IAM via the CLI

Настройка IAM через CLI

Create the JSON specification using the following command.

Также IAM можно настроить через интерфейс командной строки.

bash cat > policy.json « EOF

EOF

Для этого с помощью следующей команды сохраните JSON-спецификацию в файл policy.json:

Create a new Policy based on the specification created above with D8CloudProviderAWS as a policy name and the ARN identifier:

shell cat > policy.json « EOF

EOF

shell aws iam create-policy –policy-name D8CloudProviderAWS –policy-document file://policy.json

Затем создайте новую Policy с именем D8CloudProviderAWS и примечанием ARN, используя JSON-спецификацию из файла policy.json:

You will see the following:

shell aws iam create-policy –policy-name D8CloudProviderAWS –policy-document file://policy.json

yaml { “Policy”: { “PolicyName”: “D8CloudProviderAWS”, “PolicyId”: “AAA”, “Arn”: “arn:aws:iam::123:policy/D8CloudProviderAWS”, “Path”: “/”, “DefaultVersionId”: “v1”, “AttachmentCount”: 0, “PermissionsBoundaryUsageCount”: 0, “IsAttachable”: true, “CreateDate”: “2020-08-27T02:52:06+00:00”, “UpdateDate”: “2020-08-27T02:52:06+00:00” } }

В ответ отобразится следующий текст:

Create a new user:

yaml { “Policy”: { “PolicyName”: “D8CloudProviderAWS”, “PolicyId”: “AAA”, “Arn”: “arn:aws:iam::123:policy/D8CloudProviderAWS”, “Path”: “/”, “DefaultVersionId”: “v1”, “AttachmentCount”: 0, “PermissionsBoundaryUsageCount”: 0, “IsAttachable”: true, “CreateDate”: “2020-08-27T02:52:06+00:00”, “UpdateDate”: “2020-08-27T02:52:06+00:00” } }

shell aws iam create-user –user-name deckhouse

Создайте нового пользователя:

You will see the following:

shell aws iam create-user –user-name deckhouse

yaml { “User”: { “Path”: “/”, “UserName”: “deckhouse”, “UserId”: “AAAXXX”, “Arn”: “arn:aws:iam::123:user/deckhouse”, “CreateDate”: “2020-08-27T03:05:42+00:00” } }

В ответ отобразится следующий текст:

You need to allow access to the API and remember your AccessKeyId + SecretAccessKey values:

yaml { “User”: { “Path”: “/”, “UserName”: “deckhouse”, “UserId”: “AAAXXX”, “Arn”: “arn:aws:iam::123:user/deckhouse”, “CreateDate”: “2020-08-27T03:05:42+00:00” } }

shell aws iam create-access-key –user-name deckhouse

Разрешите доступ к API и сохраните пару AccessKeyId + SecretAccessKey:

You will see the following:

shell aws iam create-access-key –user-name deckhouse

yaml { “AccessKey”: { “UserName”: “deckhouse”, “AccessKeyId”: “XXXYYY”, “Status”: “Active”, “SecretAccessKey”: “ZZZzzz”, “CreateDate”: “2020-08-27T03:06:22+00:00” } }

В ответ отобразится следующий текст:

Attach the specified Policy to the specified User:

yaml { “AccessKey”: { “UserName”: “deckhouse”, “AccessKeyId”: “XXXYYY”, “Status”: “Active”, “SecretAccessKey”: “ZZZzzz”, “CreateDate”: “2020-08-27T03:06:22+00:00” } }

shell aws iam attach-user-policy –user-name username –policy-arn arn:aws:iam::123:policy/D8CloudProviderAWS

Объедините User и Policy:

Configuring IAM via Terraform

shell aws iam attach-user-policy –user-name username –policy-arn arn:aws:iam::123:policy/D8CloudProviderAWS

An example of configuring IAM via Terraform:

Настройка IAM через Terraform

hcl resource “aws_iam_user” “user” { name = “deckhouse” }

Пример настройки IAM через Terraform:

resource “aws_iam_access_key” “user” { user = aws_iam_user.user.name }

hcl resource “aws_iam_user” “user” { name = “deckhouse” }

resource “aws_iam_policy” “policy” { name = “D8CloudProviderAWS” path = “/” description = “Deckhouse policy”

resource “aws_iam_access_key” “user” { user = aws_iam_user.user.name }

policy = «EOF

EOF }

resource “aws_iam_policy” “policy” { name = “D8CloudProviderAWS” path = “/” description = “Deckhouse policy”

resource “aws_iam_user_policy_attachment” “policy-attachment” { user = aws_iam_user.user.name policy_arn = aws_iam_policy.policy.arn }

policy = «EOF

EOF }
 

resource “aws_iam_user_policy_attachment” “policy-attachment” { user = aws_iam_user.user.name policy_arn = aws_iam_policy.policy.arn }