
What are the steps for adding an AWS IAM user group/role as owner to Capsule tenant #789

Open
kgphani opened this issue Jul 20, 2023 · 3 comments
Labels
documentation Improvements or additions to documentation good first issue Good for newcomers help wanted Extra attention is needed

Comments

@kgphani

kgphani commented Jul 20, 2023

Hi,

I am a beginner to the Capsule framework. I have installed Capsule on an AWS EKS cluster and was able to create a tenant with an IAM user with "Describe Cluster" permissions as tenant owner.

I need your help with the steps for adding an AWS IAM user group or an IAM role as owner of a Capsule tenant.

Thanks and Regards,
Phani Krishna

@kgphani kgphani added the blocked-needs-validation Issue need triage and validation label Jul 20, 2023
@prometherion
Member

Hey, we have a section explaining how Capsule integrates with AWS EKS.

What exactly is missing from there?

If you're not familiar with eksctl, I produced this video explaining step-by-step how to map AWS users using the AWS console.

Please, share exactly what steps you consider are missing, or rather, which are wrong or not working.

@prometherion prometherion self-assigned this Jul 20, 2023
@kgphani
Author

kgphani commented Jul 21, 2023

I verified access to Capsule installed in EKS in the two ways below. The first approach was successful. I need your help with the steps for adding an AWS IAM user group or an IAM role as owner (instead of an IAM user) of a Capsule tenant. Please review the steps I followed (second approach).

Using an IAM user with EKS read permissions + tenant owner

  • Create a user group with describe cluster policies
  • Create an IAM user and add to the user group
  • Map the IAM user & group under mapUsers in aws-auth of kubeconfig
  • Change profile to EKS admin and create tenant with IAM user as tenant owner
  • Change profile to tenant owner and create namespace

Outcome:

  • With describe privileges, the tenant owner is not able to perform any operation on the EKS cluster.
  • But as a tenant owner, the user can create new namespaces.
  • Created a new namespace. The namespace gets added under the newly created tenant.

Using an IAM Role with assumed trust identity

  • Create an IAM role (with EKS admin access & IAM PassRole policy).
  • Create an assume-role policy.
  • Create an IAM user and attach the assume-role policy (whose credentials will be used when the EKS admin profile role is loaded).
  • Map the service role ARN & other details in the mapRoles section in aws-auth of kubeconfig.
  • Update the configuration file (~/.aws/config) with the role ARN & trusted IAM as a support profile.

Outcome:

  • Able to access the EKS cluster with the profile as the EKS role.
  • Able to perform all operations on the EKS cluster.
  • As a super admin, created a tenant owner with “role name”.
  • Log in with the role profile.
  • Create a new namespace. But the newly created namespace is not mapped under the created tenant; it is added to the default. The namespace count is shown as zero under the tenant, but the namespace is listed when the "kubectl get ns" command is given.
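
The second procedure above has two moving parts that have to agree: the username and groups that the aws-auth ConfigMap assigns to the IAM role session, and the names Capsule compares against `Tenant.spec.owners[]`. The script below is an added illustration written for this thread, not code from Capsule or aws-iam-authenticator. It assumes the documented behaviour of both: an aws-auth `mapRoles` entry (`rolearn`, `username`, `groups`, with `{{SessionName}}` and `{{AccountID}}` substituted into `username`) decides the Kubernetes identity a role session authenticates as; Capsule matches `kind: User` owners against that username and `kind: Group` owners against those groups, and only treats a caller as a potential owner if it belongs to one of `CapsuleConfiguration.spec.userGroups` (default `capsule.clastix.io`). The account ID, role names, usernames and tenants in it are constructed. It shows why naming the IAM role itself as the owner cannot match, why a group owner is the natural way to map a whole role, and why a role mapped to `system:masters` creates namespaces outside every tenant.

```python
"""Will an IAM role mapped in EKS's aws-auth ConfigMap be recognised by Capsule
as a tenant owner?  Added illustration for this thread, not Capsule or
aws-iam-authenticator code; it models their documented behaviour as assumed in
the lead-in.  All ARNs, names and tenants below are constructed."""

import re

# Default of CapsuleConfiguration.spec.userGroups; adjust if the cluster overrides it.
CAPSULE_USER_GROUPS = {"capsule.clastix.io"}

# Constructed aws-auth data.mapRoles entries.
MAP_ROLES = [
    {   # the role tenant owners assume: per-session username, Capsule user group,
        # plus a group that a Tenant can name as owner
        "rolearn": "arn:aws:iam::123456789012:role/eks-tenant-owner",
        "username": "tenant-owner:{{SessionName}}",
        "groups": ["capsule.clastix.io", "tenant-owners"],
    },
    {   # a cluster-admin role: system:masters, but not a Capsule user
        "rolearn": "arn:aws:iam::123456789012:role/eks-admin",
        "username": "eks-admin",
        "groups": ["system:masters"],
    },
]

# Constructed Tenant manifests, reduced to spec.owners.
TENANTS = {
    # owner by Group: every session of the eks-tenant-owner role qualifies
    "solar": [{"kind": "Group", "name": "tenant-owners"}],
    # owner by User with the IAM role *name*: never matches, because Kubernetes
    # sees the username from aws-auth, not the IAM role name
    "wind": [{"kind": "User", "name": "eks-tenant-owner"}],
}

STS_ARN = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")


def canonical_role_arn(rolearn: str) -> str:
    """aws-auth matches on the IAM role ARN with any path removed:
    arn:aws:iam::123456789012:role/a/b/Name -> arn:aws:iam::123456789012:role/Name"""
    prefix, _, rest = rolearn.partition(":role/")
    return f"{prefix}:role/{rest.rsplit('/', 1)[-1]}"


def resolve_identity(assumed_role_arn: str, map_roles=MAP_ROLES):
    """Translate an STS assumed-role ARN (as shown by `aws sts get-caller-identity`)
    into the (username, groups) handed to Kubernetes, or None if unmapped."""
    m = STS_ARN.match(assumed_role_arn)
    if not m:
        return None
    account, role_name, session = m.groups()
    wanted = f"arn:aws:iam::{account}:role/{role_name}"
    for entry in map_roles:
        if canonical_role_arn(entry["rolearn"]) != wanted:
            continue
        # {{SessionName}} has '@' transliterated to '-'; {{AccountID}} is the account
        username = (entry["username"]
                    .replace("{{SessionName}}", session.replace("@", "-"))
                    .replace("{{AccountID}}", account))
        return username, list(entry.get("groups", []))
    return None


def matching_tenants(username: str, groups, tenants=TENANTS):
    """Names of tenants whose spec.owners list this username or one of its groups."""
    return sorted(
        name for name, owners in tenants.items()
        if any((o["kind"] == "User" and o["name"] == username)
               or (o["kind"] == "Group" and o["name"] in groups)
               for o in owners)
    )


def check_owner(assumed_role_arn: str, map_roles=MAP_ROLES, tenants=TENANTS,
                user_groups=CAPSULE_USER_GROUPS):
    """Summarise what Capsule sees for one role session."""
    ident = resolve_identity(assumed_role_arn, map_roles)
    if ident is None:
        return {"username": None, "groups": [], "is_capsule_user": False, "tenants": []}
    username, groups = ident
    return {
        "username": username,
        "groups": groups,
        "is_capsule_user": bool(set(groups) & user_groups),
        "tenants": matching_tenants(username, groups, tenants),
    }


def expected_outcome(result) -> str:
    """What `kubectl create ns` from this caller does, under the assumed model."""
    if result["username"] is None:
        return "unauthenticated: role is not in aws-auth"
    if not result["is_capsule_user"]:
        return "ignored by Capsule: RBAC alone decides, namespace lands outside every tenant"
    if not result["tenants"]:
        return "rejected by Capsule: caller is a Capsule user but owns no tenant"
    if len(result["tenants"]) > 1:
        return "needs the capsule.clastix.io/tenant label to choose a tenant"
    return f"assigned to tenant {result['tenants'][0]}"


if __name__ == "__main__":
    for arn in ("arn:aws:sts::123456789012:assumed-role/eks-tenant-owner/phani",
                "arn:aws:sts::123456789012:assumed-role/eks-admin/phani",
                "arn:aws:sts::123456789012:assumed-role/unmapped/phani"):
        r = check_owner(arn)
        print(arn, "->", r["username"], r["groups"], expected_outcome(r))
```

On a real cluster, feed the script the ARN printed by `aws sts get-caller-identity` under the role profile and the real entries from `kubectl get cm aws-auth -n kube-system -o yaml`, and confirm the resulting identity with `kubectl auth whoami` on a recent kubectl. The design choice worth noting is `kind: Group`: a username template like `{{SessionName}}` changes with every session, so a `kind: User` owner would have to be re-created per caller, while a group listed in the mapping's `groups` covers every session of the role without granting it anything at the IAM level.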

@prometherion
Member

Unfortunately, I don't know how I can help you with the second use-case.

I'll try to gather some experts to cope with it.

@prometherion prometherion added documentation Improvements or additions to documentation good first issue Good for newcomers help wanted Extra attention is needed and removed blocked-needs-validation Issue need triage and validation labels Jul 27, 2023