Setup Minikube as an OIDC provider for AWS

liranmauda edited this page Nov 3, 2022 · 1 revision
- Create the AWS S3 bucket for hosting the OIDC configuration:

  ```shell
  aws s3api create-bucket --bucket <oidc_bucket_name> --region <aws_region> --create-bucket-configuration LocationConstraint=<aws_region>
  ```

- Note the OpenID bucket URL as follows:

  ```shell
  OPENID_BUCKET_URL="https://<oidc_bucket_name>.s3.<aws_region>.amazonaws.com"
  ```
 
- Start Minikube with the following parameters (the issuer is the bucket URL, and the API audience `api` is what the trust policy below checks):

  ```shell
  minikube start --extra-config=apiserver.service-account-issuer=$OPENID_BUCKET_URL --extra-config=apiserver.service-account-api-audiences=api
  ```

- After the Minikube node has started, fetch the service account signing public key:

  ```shell
  minikube ssh sudo cat /var/lib/minikube/certs/sa.pub > sa-signer.pub
  ```
 
- Follow the steps to create and host the OIDC config till step 8, using the retrieved public key.
- Create a Role with the permissions required by you, e.g. "AmazonS3FullAccess".
- In the trust policy, add the ARN of the OIDC provider created in the previous step:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "<OIDC provider ARN>/<OPENID_BUCKET_URL>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "nb-sts.s3.ap-south-1.amazonaws.com:aud": "api"
        }
      }
    }
  ]
}
```
- Create a sample nginx workload with the following pod spec; the projected volume issues a service account token with audience `api`, matching the trust policy condition:

  ```shell
  kubectl apply -f - <<EOF
  apiVersion: v1
  kind: Pod
  metadata:
    name: nginx
  spec:
    containers:
      - image: nginx:alpine
        name: oidc
        volumeMounts:
          - mountPath: /var/run/secrets/tokens
            name: oidc-token
    volumes:
      - name: oidc-token
        projected:
          sources:
            - serviceAccountToken:
                path: oidc-token
                expirationSeconds: 7200
                audience: api
  EOF
  ```
- Fetch the projected service account token (WEB_IDENTITY_TOKEN):

  ```shell
  kubectl exec nginx -- cat /var/run/secrets/tokens/oidc-token
  ```

- Use the above token to fetch STS credentials from AWS.
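Before exchanging the token, it helps to confirm its `iss`, `aud` and `exp` claims agree with the Minikube flags and the trust policy, since a mismatch in any of them is the usual reason `AssumeRoleWithWebIdentity` is refused. The following is an added Python example, not part of this wiki page: the expected issuer and audience are assumptions mirroring the steps above, and the sample token is constructed locally with a placeholder signature (signature verification is STS's job against the JWKS hosted in the bucket).

```python
import base64
import json
import time

# Assumed values (not on the page): the issuer is the apiserver's
# service-account-issuer (OPENID_BUCKET_URL); the audience is the trust policy's "aud".
EXPECTED_ISSUER = "https://<oidc_bucket_name>.s3.<aws_region>.amazonaws.com"
EXPECTED_AUDIENCE = "api"

def _b64url_decode(segment):
    # Restore the '=' padding that JWT segments strip.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def token_claims(token):
    """Return the JWT payload WITHOUT verifying the signature: AWS STS does
    that against the JWKS hosted in the OIDC bucket; this is a local pre-check."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected a 3-segment JWS compact token")
    return json.loads(_b64url_decode(parts[1]))

def check_projected_token(token, issuer=EXPECTED_ISSUER,
                          audience=EXPECTED_AUDIENCE, now=None):
    """List claim mismatches that would make AssumeRoleWithWebIdentity fail.
    An empty list means iss/aud/exp agree with the Minikube flags and the
    trust policy; it does not prove the token is genuine."""
    claims = token_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss %r != service-account-issuer" % claims.get("iss"))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if audience not in aud:
        problems.append("aud %r lacks trust-policy audience %r" % (aud, audience))
    if claims.get("exp", 0) <= now:
        problems.append("token expired; the projected volume refreshes it")
    return problems

# Constructed sample (not a real token): placeholder signature, so STS would reject it.
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "kid": "sample"}),
    _b64url_encode({"iss": EXPECTED_ISSUER, "aud": ["api"], "exp": 4102444800,
                    "sub": "system:serviceaccount:default:default"}),
    "placeholder-signature",
])
```

When the check returns an empty list for the token read from the pod, `aws sts assume-role-with-web-identity --role-arn <role ARN> --role-session-name <session name> --web-identity-token file://oidc-token` performs the exchange described in the last step.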