aws iam create-user --user-name user
Shell
복사
cat <<EOF> user-role-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "eks.amazonaws.com"
}
}
}
]
}
EOF
Shell
복사
POLICY_ARN=$(aws iam create-policy --policy-name user-policy --policy-document file://user-role-policy.json --query "Policy.Arn" --output text)
Shell
복사
ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
Shell
복사
cat <<EOF> user-assume-role.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::$ACCOUNT_ID:user/user",
"arn:aws:iam::$ACCOUNT_ID:role/wsi-control-plane-role"
]
},
"Action": "sts:AssumeRole"
}
]
}
EOF
Shell
복사
ROLE_ARN=$(aws iam create-role --role-name user --assume-role-policy-document file://user-assume-role.json --query "Role.Arn" --output text)
Shell
복사
aws iam attach-role-policy --role-name user --policy-arn $POLICY_ARN
Shell
복사
aws iam create-access-key --user-name user
# 아래의 예시
{
"AccessKey": {
"UserName": "user",
"AccessKeyId": "AKIA2M55O2MCSYGBPLPA",
"Status": "Active",
"SecretAccessKey": "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",
"CreateDate": "2024-07-12T04:45:29+00:00"
}
}
Shell
복사
aws configure --profile user
Shell
복사
aws sts assume-role --role-arn $ROLE_ARN --role-session-name user-session --profile user
# 아래의 예시
{
"Credentials": {
"AccessKeyId": "ASIA2M55O2MC5YH47POI",
"SecretAccessKey": "OB1uHw0EH9o5JYX+aCFlJnu5EZucAR2C1df7aMHZ",
"SessionToken": "IQoJb3JpZ2luX2VjEKX//////////wEaDmFwLW5vcnRoZWFzdC0yIkcwRQIgQxut1SmdeE1j6DyL1vHnZtjaKfVmV2dbgfBiz/0s1tsCIQDuRHA7ASMO5Vmjsyxaqo5QhQzHdZM2W2xCYtOCS1zBfCqZAghuEAEaDDcxNDk3MjUxNzEyNSIM2kOLHw1pUVOHciBgKvYBGkmtLJzi1o1kC0qt8BrLPG6J09iWw79A6uSfZiCnBzgKZSholtTbDtCs2NreLUWnbQxl4qb/NStCAjP2wK8VbCN5Tii1dXvQurPVuqhwKgyGmKAF5HCY4XS8ZnRpdfYp8HXsVD8nsWHXShxR9w4bHGORC21J0yNFhtJcHeauA75mfVyEV1jKVP8mphBvRr6mA6O5cLdM61pon+jQVue6zGSJlUWTtAwVpB3QkZj2Fix7y70NS0jewc7JOlixmrxyojj54vM02EWk/5yS1nfew+pEybDpoaT2ymzROizFyLdzyiUefJgBGVRqDj9SHYkS78GiQTCgMOHvwrQGOp0BSIhr14ftwOEuWJM5EEbgZr4BVU931sIXZrGtKTSzFswUPF51tF4Lw9FTbc5JzXZUifRtecwcn36lOo4u2Yiur5OZsQwoP034dkNzUAMqOmehHGhVGylId583k3pF8pY6UwStt+3R4RM4TEAxOStiVMpFJfAbbNGVpNVjrdYqSx9wS3UwoRMPh7JMhwWlPEw6V7qMOmkYWv7neOUFrA==",
"Expiration": "2024-07-12T05:58:09+00:00"
},
"AssumedRoleUser": {
"AssumedRoleId": "AROA2M55O2MCQMOLWDRJD:user-session",
"Arn": "arn:aws:sts::714972517125:assumed-role/user/user-session"
}
}
Shell
복사
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: user-role
namespace: skills
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["list", "get", "describe", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: user-rolebinding
namespace: skills
subjects:
- kind: Group
name: user
roleRef:
kind: Role
name: user-role
apiGroup: rbac.authorization.k8s.io
YAML
복사
kubectl apply -f user-rbac.yaml
Shell
복사
eksctl create iamidentitymapping --cluster wsi-cluster --arn $ROLE_ARN --group user --username user
Shell
복사
CONTROL_PLANE_PRIVATE_IP=$(aws ec2 describe-instances --filter Name=tag:Name,Values=wsi-control-plane --query "Reservations[].Instances[].PrivateIpAddress" --output text)
Shell
복사
ssh user@$CONTROL_PLANE_PRIVATE_IP -p 3817
Shell
복사
aws configure
AWS Access Key ID [None]: <user Assume Access key>
AWS Secret Access Key [None]: <user Assume Secret Access key>
Default region name [None]: ap-northeast-2
Default output format [None]: json
Shell
복사
vim ~/.aws/credentials
aws_security_token = <user Assume SesstionToken>
Shell
복사
aws sts get-caller-identity
{
"UserId": "AROA2M55O2MCQMOLWDRJD:user-session",
"Account": "714972517125",
"Arn": "arn:aws:sts::714972517125:assumed-role/user/user-session"
}
Shell
복사
aws eks --region ap-northeast-2 update-kubeconfig --name wsi-cluster
Shell
복사
skills namespace 파드 조회만 가능
