From 35b0117a4635900156d9cf920831cd77feeae35a Mon Sep 17 00:00:00 2001
From: mrMoZ1
Date: Thu, 20 Jul 2023 17:16:19 +0300
Subject: [PATCH 1/3] control-service: refactor service user doc
Signed-off-by: mrMoZ1
---
 .../src/main/resources/application.properties | 25 +++++++++++++------
 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/projects/control-service/projects/pipelines_control_service/src/main/resources/application.properties b/projects/control-service/projects/pipelines_control_service/src/main/resources/application.properties
index f21d3892b0..aa56f7199f 100644
--- a/projects/control-service/projects/pipelines_control_service/src/main/resources/application.properties
+++ b/projects/control-service/projects/pipelines_control_service/src/main/resources/application.properties
@@ -286,18 +286,27 @@ datajobs.aws.secretAccessKey=${AWS_ACCESS_KEY_SECRET}
 # Variables for using the Service Account pattern. Must be set if the data job builder is to use
 # an AWS ECR repository accessed by an IAM user instead of long term credentials.
-# The AWS Service Account pattern is a design pattern used to manage access to AWS resources.
 # The pattern involves creating an AWS Identity and Access Management (IAM)
-# user account with a unique access key and secret key. The access key and secret key are then
-# stored in a secure location, such as an encrypted file, on the EC2 instance.
+# user account with a unique access key and secret key.
 # The application running on the EC2 instance can then use the access key and secret key
 # to authenticate with AWS services and make API calls on behalf of the IAM user account.
-# By using a separate IAM user account for each application, the principle of least privilege is
-# enforced and the attack surface is reduced.
+# By using a separate IAM user, the principle of least privilege is enforced.
 # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
-# These need to be stored in different variables than the AWS credentials - datajobs.aws.accessKeyId
-# and secretAccessKey used by the control service, because if the K8S cluster is hosted on a EKS
-# instance, some API calls to the instance made by the control-service could fail.
+# The service user variables are different than the AWS credentials - datajobs.aws.accessKeyId
 # and secretAccessKey used by the control service.
+#
+# Necessary steps to setup Service Account:
+# - Create a Service Account in Amazon (regular account that will be granted permissions to ECR repo)
+# e.g - IAM user: svc.example-service-user
+# - Create a role in your AWS account (account where your ECR repository lives) - https://docs.aws.amazon.com/cli/latest/reference/iam/create-role.html
+# e.g - IAMRole: svc.example-service-user, the role must have the same name as your service user.
+# - Create a trust relationship on the role to the control account - edit your newly created role's Trust Relationship:
+# https://aws.amazon.com/blogs/security/how-to-use-external-id-when-granting-access-to-your-aws-resources/
+# https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html.
+# - Verify access to the linked account:
+# aws sts get-caller-identity with the Service Account credentials
+# If everything is configured correctly you need to fill in the below values and ECR repository
+# access through the control-service (when deploying data job images) will go through the service account.
 # datajobs.aws.assumeIAMRole tells the control-service if the Service Account pattern should be used.
 datajobs.aws.assumeIAMRole=${DATAJOBS_AWS_ASSUME_IAM_ROLE:false}
 # All flags must be set if the datajobs.aws.assumeIAMRole flag is true
From 5eaaf1ceba5c9596cc82a0948439b2a17aef146d Mon Sep 17 00:00:00 2001
From: Momchil Z
Date: Tue, 25 Jul 2023 18:44:38 +0300
Subject: [PATCH 2/3] control-service: comments
---
 .../src/main/resources/application.properties | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/projects/control-service/projects/pipelines_control_service/src/main/resources/application.properties b/projects/control-service/projects/pipelines_control_service/src/main/resources/application.properties
index aa56f7199f..257092c28c 100644
--- a/projects/control-service/projects/pipelines_control_service/src/main/resources/application.properties
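Review bot: The verification step `+# aws sts get-caller-identity with the Service Account credentials` only confirms that the IAM user's access keys are valid; it never exercises the trust relationship set up in the step above it, so a mis-scoped trust policy passes this check and only surfaces when the control-service tries to push a data job image. The check that actually proves the setup is the assumption itself, run with the service user's credentials: `aws sts assume-role --role-arn arn:aws:iam::<ecr-account-id>:role/svc.example-service-user --role-session-name verify`. Separately, the rewritten description now says the pattern is an IAM user "with a unique access key and secret key" while the unchanged lead-in still says this is used "instead of long term credentials" and links to IAM Roles for Service Accounts; an IAM user's keys are long-term credentials, and with the old line about storing them in a secure location deleted, nothing here says they must be handled as secrets. Suggest a one-line note after the least-privilege sentence, e.g. `# The service user's access key and secret key are long-term credentials: inject them as secrets, never commit them, and rotate them regularly.`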
+++ b/projects/control-service/projects/pipelines_control_service/src/main/resources/application.properties
@@ -296,7 +296,8 @@ datajobs.aws.secretAccessKey=${AWS_ACCESS_KEY_SECRET}
 # and secretAccessKey used by the control service.
 #
 # Necessary steps to setup Service Account:
-# - Create a Service Account in Amazon (regular account that will be granted permissions to ECR repo)
+# - Create a Service Account in Amazon (regular account that will be granted permissions to ECR repo) e.g:
+# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console
 # e.g - IAM user: svc.example-service-user
 # - Create a role in your AWS account (account where your ECR repository lives) - https://docs.aws.amazon.com/cli/latest/reference/iam/create-role.html
 # e.g - IAMRole: svc.example-service-user, the role must have the same name as your service user.
From 6fabc92afc337ff9e88c82a845a270fdebec51b1 Mon Sep 17 00:00:00 2001
From: mrMoZ1
Date: Mon, 20 Nov 2023 15:45:06 +0200
Subject: [PATCH 3/3] comments
Signed-off-by: mrMoZ1
---
 .../src/main/resources/application.properties | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/projects/control-service/projects/pipelines_control_service/src/main/resources/application.properties b/projects/control-service/projects/pipelines_control_service/src/main/resources/application.properties
index 257092c28c..7370371867 100644
--- a/projects/control-service/projects/pipelines_control_service/src/main/resources/application.properties
+++ b/projects/control-service/projects/pipelines_control_service/src/main/resources/application.properties
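Review bot: The new link covers how to create the IAM user, but the comment still says nothing about what that user may do; for this pattern the user needs only permission to assume the role created in the next step — presumably `sts:AssumeRole` on that role's ARN, given the `datajobs.aws.assumeIAMRole` flag that gates the feature. Attaching ECR permissions directly to the user, or giving it a console password, would turn its long-term keys into a second path to the repository that bypasses the role and whatever conditions its trust policy carries. Suggest adding after the link: `# Give the user programmatic access only (no console password) and a policy allowing sts:AssumeRole on the role from the next step; do not attach ECR permissions to the user itself.`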
@@ -301,11 +301,18 @@ datajobs.aws.secretAccessKey=${AWS_ACCESS_KEY_SECRET}
 # e.g - IAM user: svc.example-service-user
 # - Create a role in your AWS account (account where your ECR repository lives) - https://docs.aws.amazon.com/cli/latest/reference/iam/create-role.html
 # e.g - IAMRole: svc.example-service-user, the role must have the same name as your service user.
+# More information on what the example-service-user document should include can be found in the above link
+# which describes the process of creating a role.
 # - Create a trust relationship on the role to the control account - edit your newly created role's Trust Relationship:
+# This is the trust relationship in your main account which is associated with the service user. Or
+# the role ARN - which is used to delegate access to resources securely.
+# More information on how to create and use role ARN can be found in the below mentioned documents.
 # https://aws.amazon.com/blogs/security/how-to-use-external-id-when-granting-access-to-your-aws-resources/
 # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html.
 # - Verify access to the linked account:
-# aws sts get-caller-identity with the Service Account credentials
+# aws sts get-caller-identity with the Service Account credentials - this is the account for which
+# a role was created in the main account (where the Elastic Container Repository is stored)
+# Any AWS account can be created for the purpose of being a service account.
 # If everything is configured correctly you need to fill in the below values and ECR repository
 # access through the control-service (when deploying data job images) will go through the service account.
 # datajobs.aws.assumeIAMRole tells the control-service if the Service Account pattern should be used.
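Review bot: The added line `+# Any AWS account can be created for the purpose of being a service account.` tells an operator that the identity trusted to push data job images can be anything, and the new trust-relationship paragraph ("trust relationship ... associated with the service user. Or the role ARN") never says what the trust policy must actually contain. Because the role carries a predictable name in every deployment (`the role must have the same name as your service user`), a trust policy whose Principal is an account root, or one with no condition, is exactly the cross-account situation the linked external-id blog exists to prevent. Suggest replacing the "Any AWS account" sentence with: `# The role's trust policy should name the service user's ARN as Principal (not the account root) and require an sts:ExternalId condition, as described in the links above.` Also, `Elastic Container Repository` on the line above it should read `Elastic Container Registry`, the service's actual name.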