Deeploy AWS Marketplace customers have to allow the AWS Marketplace to register usage of the bought container images. This integration is explained in the article below, because it isn't explained very well in the AWS documentation. In this article, we assume you have already created an EKS cluster to which you have access.
During the creation of the EKS cluster you attached a NodeInstanceRole (IAM role) to the cluster. You can use this IAM role in this section or create a dedicated new role.
Step 1: Attach policies to the role required by the AWS Marketplace
AWS Managed Policies:
- AWSMarketplaceMeteringRegisterUsage
Step 2: Create an IAM OIDC provider for the EKS cluster
For this step, use the Enable IAM roles for service accounts doc.
Make sure to check that the OpenID Connect Provider URL matches your cluster (details in the EKS configuration):
aws iam list-open-id-connect-providers | grep <EXAMPLED539D4633E53DE1B716D3041E>
Step 3: Create Trusted Entity for the NodeInstance Role
For this step, use the Technical overview of IAM roles for service accounts doc.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/<OIDC_PROVIDER>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "<OIDC_PROVIDER>:sub": "system:serviceaccount:deeploy:*"
        }
      }
    }
  ]
}
Step 4: Allow pods to assume the NodeInstance Role
Add the following annotation to the default and kserve-deploy Kubernetes Service Accounts in the Deeploy namespace:
<arn:aws:iam::111122223333:role/my-aws-deeploy-metering-role>
As described here.
Please make sure to check whether the ENV variables are present in the AWS managed pods.
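A check of the Step 3 trust policy against the service accounts from Step 4, as an added example that is not part of the original article or Deeploy's own tooling: it reports a wildcard sub condition (every service account in the namespace can assume the role) and a missing aud condition. The function and variable names, the region in the OIDC provider host, and the tighter policy variant are assumptions made for illustration.

```python
def _as_list(v):
    return v if isinstance(v, list) else [] if v is None else [v]

def audit_irsa_trust(policy, oidc_provider, namespace):
    """Return findings for the web-identity statements of an IAM role trust policy."""
    findings = []
    web = [s for s in _as_list(policy.get("Statement"))
           if "sts:AssumeRoleWithWebIdentity" in _as_list(s.get("Action"))]
    if not web:
        findings.append("no sts:AssumeRoleWithWebIdentity statement")
    for s in web:
        principal = s.get("Principal")
        fed = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not any(f.endswith(":oidc-provider/" + oidc_provider) for f in fed):
            findings.append("Federated principal is not the cluster's OIDC provider")
        # Flatten {operator: {key: value}} into {key: (operator, [values])}.
        conds = {k: (op, _as_list(v))
                 for op, kv in s.get("Condition", {}).items() for k, v in kv.items()}
        sub = conds.get(oidc_provider + ":sub")
        if sub is None:
            findings.append("no :sub condition, any service account in the cluster matches")
        else:
            for v in sub[1]:
                if not v.startswith(f"system:serviceaccount:{namespace}:"):
                    findings.append(f"sub {v!r} is outside namespace {namespace}")
                elif "Like" in sub[0] and ("*" in v or "?" in v):
                    findings.append(f"sub {v!r} is a wildcard over service accounts")
        aud = conds.get(oidc_provider + ":aud")
        if aud is None or aud[1] != ["sts.amazonaws.com"]:
            findings.append("no :aud condition pinning sts.amazonaws.com")
    return findings

# Constructed sample values; the region in the provider host is an assumption.
OIDC = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"
SA = "system:serviceaccount:deeploy:"
EC2 = {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}

def _policy(condition):
    web = {"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity", "Condition": condition,
           "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"}}
    return {"Version": "2012-10-17", "Statement": [EC2, web]}

# PAGE_POLICY has the shape of Step 3; TIGHT_POLICY names only the Step 4 service accounts.
PAGE_POLICY = _policy({"StringLike": {OIDC + ":sub": SA + "*"}})
TIGHT_POLICY = _policy({"StringEquals": {
    OIDC + ":sub": [SA + "default", SA + "kserve-deploy"], OIDC + ":aud": "sts.amazonaws.com"}})

if __name__ == "__main__":
    for pol in (PAGE_POLICY, TIGHT_POLICY):
        print(audit_irsa_trust(pol, OIDC, "deeploy"))
```

To check a live role, pass the AssumeRolePolicyDocument returned by aws iam get-role to audit_irsa_trust together with the cluster's OIDC provider string.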
Next, Step 7: Configure DNS