Create the IAM roles and instance profile
Enable the LIFTIE_USE_PRECREATED_IAM_RESOURCES entitlement and then create the IAM roles and instance profile.
Confirm that the LIFTIE_USE_PRECREATED_IAM_RESOURCES entitlement is enabled for the tenant in consideration.
-
Apply the following CloudFormation template to create the following:
- IAM role called cdp-eks-master-role
- IAM role and instance profile pair called cdp-liftie-instance-profile
Figure 1. CloudFormation Template (YAML) AWSTemplateFormatVersion: "2010-09-09" Description: "Creates Liftie IAM resources" Parameters: TelemetryLoggingEnabled: Description: Telemetry logging is enabled Type: String TelemetryLoggingBucket: Description: Telemetry logging bucket where Liftie logs will be stored. Type: String TelemetryLoggingRootDir: Description: Telemetry logging root directory inside telemetry logging bucket used for storing logs. Default: "cluster-logs" Type: String Conditions: TelemetryLoggingEnabled: Fn::Equals: - {Ref: TelemetryLoggingEnabled} - true Resources: AWSServiceRoleForAmazonEKS: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - eks.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonEKSServicePolicy - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy RoleName: cdp-eks-master-role NodeInstanceRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - sts:AssumeRole Path: "/" ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly RoleName: cdp-liftie-instance-profile Policies: - PolicyName: 'cluster-autoscaler' PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - autoscaling:DescribeAutoScalingGroups - autoscaling:DescribeAutoScalingInstances - autoscaling:DescribeTags - autoscaling:DescribeLaunchConfigurations - autoscaling:SetDesiredCapacity - autoscaling:TerminateInstanceInAutoScalingGroup Resource: - "*" - !If - TelemetryLoggingEnabled - PolicyName: telemetry-s3-list-bucket PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 's3:ListBucket' Resource: - !Sub 'arn:aws:s3:::${TelemetryLoggingBucket}' - !Ref 'AWS::NoValue' - !If - TelemetryLoggingEnabled - PolicyName: telemetry-s3-read-write PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 's3:*Object' - 's3:AbortMultipartUpload' Resource: - !Sub >- arn:aws:s3:::${TelemetryLoggingBucket}/${TelemetryLoggingRootDir}* - !Ref 'AWS::NoValue' - PolicyName: 'calico-cni' PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - ec2:ModifyInstanceAttribute Resource: - "*" NodeInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Path: "/" InstanceProfileName: cdp-liftie-instance-profile Roles: - !Ref NodeInstanceRole
-
In the AWS console Cloudformation wizard, provide values for the following
properties:
- Stack Name: Provide an appropriate name. Example: compute-precreated-roles-and-instanceprofile)
- TelemetryLoggingBucket: Name of the log bucket. Example: compute-logging-bucket
- TelemetryLoggingEnabled: Set it to true.
- TelemetryLoggingRootDir: Verify that it is set to the default value cluster-logs.
-
On the last page in the wizard process, click the I
acknowledge... checkbox to allow creation of IAM resources with special
names.
- Click Create stack.
