IAM
Depending on how you want to use Mission Control you need to create an IAM role for mission control to use:
| Use Case | Role |
|---|---|
| Read Only Scraping | arn:aws:iam::aws:policy/ReadOnlyAccess |
| Playbooks to create and update AWS Resources | arn:aws:iam::aws:policy/PowerUserAccess |
Create new IAM Policy (Alternative)
You can also create a new policy with just the permissions required by Mission Control
iam-policy.json{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "mission-control-config-role",
"Effect": "Allow",
"Action": [
"acm:Describe*",
"acm:Get*",
"acm:List*",
"cloudtrail:LookupEvents",
"config:BatchGetAggregateResourceConfig",
"config:BatchGetResourceConfig",
"config:Describe*",
"config:Get*",
"config:List*",
"config:SelectAggregateResourceConfig",
"config:SelectResourceConfig",
"ec2:Describe*",
"ecr:Describe*",
"eks:Describe*",
"eks:ListClusters",
"elasticfilesystem:Describe*",
"elasticloadbalancing:Describe*",
"guardduty:Describe*",
"guardduty:Get*",
"guardduty:List*",
"iam:GetAccountName",
"iam:GetAccountSummary",
"iam:GetGroup",
"iam:GetGroupPolicy",
"iam:GetInstanceProfile",
"iam:GetLoginProfile",
"iam:GetPolicy",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUser",
"iam:List*",
"lambda:List*",
"rds:Describe*",
"sts:GetCallerIdentity"
"trustedadvisor:Describe*",
"trustedadvisor:DownloadRisk",
"trustedadvisor:Get*",
"trustedadvisor:List*",
],
"Resource": "*"
}
]
}
Configure IAM Roles for Mission Control
- IAM Roles for Service Accounts
- Pod Identity
- Access Key
- eksctl
-
Setup variables
# The name of the EKS cluster mission control is being deployed toexport CLUSTER= <CLUSTER_NAME># the default namespace the mission-control helm chart usesexport NAMESPACE=mission-controlexport ACCOUNT=$(aws sts get-caller-identity --query 'Account' --output text) -
Enable EKS IAM Roles for Service Accounts
eksctl utils associate-iam-oidc-provider --cluster=$CLUSTER -
Create the IAM Role mappings
eksctl.yamliam:withOIDC: trueserviceAccounts:- metadata:name: mission-control-sanamespace: mission-controlroleName: MissionControlRoleroleOnly: trueattachPolicyARNs:- "arn:aws:iam::aws:policy/ReadOnlyAccess"- metadata:name: canary-checker-sanamespace: mission-controlroleName: CanaryCheckerRoleroleOnly: trueattachPolicyARNs:- "arn:aws:iam::aws:policy/ReadOnlyAccess"- metadata:name: config-db-sanamespace: mission-controlroleName: ConfigDBRoleroleOnly: trueattachPolicyARNs:- "arn:aws:iam::aws:policy/ReadOnlyAccess"eksctl create iamserviceaccount --cluster $CLUSTER -c eksctl.yaml
- eksctl
- Terraform
- Cloudformation
-
Ensure the AWS Pod Identity Agent is configured and running
-
Create a mapping file for
eksctleksctl.yamlpodIdentityAssociations:- namespace: mission-controlserviceAccountName: mission-control-sapermissionPolicyARNs: arn:aws:iam::aws:policy/ReadOnlyAccess- namespace: mission-controlserviceAccountName: config-db-sapermissionPolicyARNs: arn:aws:iam::aws:policy/ReadOnlyAccess- namespace: mission-controlserviceAccountName: canary-checker-sapermissionPolicyARNs: arn:aws:iam::aws:policy/ReadOnlyAccessiam:# note withOIDC is not required for Pod IdentityserviceAccounts:# used by mission control for notifications / playbooks- metadata:name: mission-control-sanamespace: mission-controlattachPolicyARNs:- "arn:aws:iam::aws:policy/ReadOnlyAccess"# used for cloudwatch, S3 and other AWS health checks- metadata:name: canary-checker-sanamespace: mission-controlattachPolicyARNs:- "arn:aws:iam::aws:policy/ReadOnlyAccess"# used to scrape resources, AWS CloudTrail and AWS Cost & Usage Reports- metadata:name: config-db-sanamespace: mission-controlattachPolicyARNs:- "arn:aws:iam::aws:policy/ReadOnlyAccess"Using an existing IAM Role
If you are using a pre-existing IAM role when creating a pod identity association, you must configure the role to trust the newly introduced EKS service principal (
pods.eks.amazonaws.com)iam-trust-policy.json{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "pods.eks.amazonaws.com"},"Action": ["sts:AssumeRole", "sts:TagSession"]}]} -
Apply the Pod Identities using
eksctleksctl create podidentityassociation -c eksctl.yaml
-
Ensure the AWS Pod Identity Agent is configured and running
-
Create
main.tfmain.tfvariable "cluster" {type = string}variable "role" {type = string}variable "namespace" {type = stringdefault = "mission-control"}variable "policy" {type = stringdefault = "arn:aws:iam::aws:policy/ReadOnlyAccess"}locals {service_accounts = ["mission-control-sa","canary-checker-sa","config-db-sa"]}data "aws_caller_identity" "current" {}resource "aws_iam_role" "mission-control" {name = "MissionControlRole"assume_role_policy = jsonencode({Statement = [{Action = ["sts:AssumeRole","sts:TagSession"]Effect = "Allow"Principal = {Service: "pods.eks.amazonaws.com"}}]Version = "2012-10-17"})}resource "aws_iam_role_policy_attachment" "mission-control" {policy_arn = var.policyrole = aws_iam_role.mission-control.name}resource "aws_eks_pod_identity_association" "pod_identities" {for_each = local.service_accountscluster_name = var.clusternamespace = var.namespaceservice_account = each.valuerole_arn = var.role} -
Apply the terraform
TF_VAR_role=$CLUSTER terraform apply
-
Setup variables
# The name of the EKS cluster mission control is being deployed toexport CLUSTER= <CLUSTER_NAME># the default namespace the mission-control helm chart usesexport NAMESPACE=mission-control -
Create a cloudformation template
mission-control-iam-cloudformation.yamlAWSTemplateFormatVersion: "2010-09-09"Description: CloudFormation template for Mission Control IAM Role using EKS Pod IdentitiesParameters:Cluster:Type: StringDescription: Name of the EKS clusterNamespace:Type: StringDefault: "mission-control"Description: Kubernetes namespacePolicyArn:Type: StringDefault: "arn:aws:iam::aws:policy/ReadOnlyAccess"Description: ARN of the IAM policy to attach to the roleResources:MissionControlRole:Type: "AWS::IAM::Role"Properties:RoleName: "MissionControlRole"AssumeRolePolicyDocument:Version: "2012-10-17"Statement:- Effect: "Allow"Principal:Service: "eks.amazonaws.com"Action:- "sts:AssumeRole"- "sts:TagSession"MissionControlRolePolicyAttachment:Type: "AWS::IAM::Policy"Properties:PolicyName: "MissionControlPolicy"Roles:- Ref: "MissionControlRole"PolicyDocument:Version: "2012-10-17"Statement:- Effect: "Allow"Action: "*"Resource: "*"MissionControlServiceAccount:Type: "AWS::EKS::PodIdentityAssociation"Properties:ClusterName: !Ref "Cluster"Namespace: !Ref "Namespace"RoleArn: !GetAtt MissionControlRole.ArnServiceAccount: mission-control-saCanaryCheckerServiceAccount:Type: "AWS::EKS::PodIdentityAssociation"Properties:ClusterName: !Ref "Cluster"Namespace: !Ref "Namespace"RoleArn: !GetAtt MissionControlRole.ArnServiceAccount: canary-checker-saConfigDBServiceAccount:Type: "AWS::EKS::PodIdentityAssociation"Properties:ClusterName: !Ref "Cluster"Namespace: !Ref "Namespace"RoleArn: !GetAtt MissionControlRole.ArnServiceAccount: config-db-sa -
Create a new stack
aws cloudformation deploy \--stack-name mission-control-roles \--template-file file://mission-control-iam-cloudformation.yaml \--parameter-overrides Cluster==$CLUSTER Namespace=$NAMESPACE
Using Access Keys and Secrets is not recommended from a security perspective
First we create a secret called aws containing the access key and secret.
-
Create a new IAM User and Access Key
USER_NAME="mission-control-sa"aws iam create-user --user-name $USER_NAMEaws iam attach-user-policy \--user-name $USER_NAME \--policy-arn arn:aws:iam::aws:policy/ReadOnlyAccesskey=$(aws iam create-access-key --user-name $USER_NAME) -
Create a new secret
awscontaining the access and secret keykubectl create secret generic aws \--from-literal=AWS_ACCESS_KEY_ID=$(echo $key | jq -r '.AccessKey.AccessKeyId') \--from-literal=AWS_SECRET_ACCESS_KEY=$(echo $key | jq -r '.AccessKey.SecretAccessKey') -
Create a new connection
aws-connection.yamlapiVersion: mission-control.flanksource.com/v1kind: Connectionmetadata:name: awsnamespace: mission-controlspec:region: eu-west-1accessKey:valueFrom:secretKeyRef:name: awskey: AWS_ACCESS_KEY_IDsecretKey:valueFrom:secretKeyRef:name: awskey: AWS_ACCESS_KEY_ID -
When creating Scrapers / Registry bundles you can now refer to
connection://mission-control/aws