forked from awslabs/kubeflow-manifests
Add documentation about creating Pipeline Profiles (awslabs#700)
**Which issue is resolved by this Pull Request:**
Resolves #

**Description of your changes:**
Add information about how to create Profiles that use IRSA and have correct s3 bucket access for Pipelines.

**Testing:**
- [ ] Unit tests pass
- [ ] e2e tests pass
- Details about new tests (If this PR adds a new feature)
- Details about any manual tests performed

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
1 parent b1d5e1d, commit 6c8dfa0
Showing 7 changed files with 157 additions and 10 deletions.
website/content/en/docs/deployment/create-profiles-with-iam-role.md (120 additions, 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,120 @@ | ||
+++ | ||
title = "Create Profiles with IAM role" | ||
description = "Use AWS IAM roles for service accounts with Kubeflow Profiles" | ||
weight = 70 | ||
+++ | ||
|
||
In a multi tenant Kubeflow installation, the pods created by pipelines workflow and the pipelines frontend services run in an user profile namespace. The service account (`default-editor`) used for these pods needs permissions for the S3 bucket used by pipelines to read and write artifacts from S3. When using IRSA (IAM roles for service accounts) as your `PIPELINE_S3_CREDENTIAL_OPTION`, any additional profiles created as part of a multi-user deployment besides the preconfigured `kubeflow-user-example-com` will need to be configured with permissions to S3 bucket using IRSA. | ||
|
||
The `default-editor` SA needs to be annotated with an IAM role with sufficient permissions to access your S3 Bucket to run your pipelines. In the below steps we will be configuring a profile an IAM role with restricted access to a specific S3 Bucket using the `AwsIamForServiceAccount` plugin for Profiles. To learn more about the `AwsIamForServiceAccount` plugin for Profiles read the [Profiles component guide]({{< ref "/docs/component-guides/profiles.md" >}}). | ||
|
||
> Note: If you choose to run your pipeline with a service account other than the default which is `default-editor`, you must make sure to annotate that service account with an IAM role with sufficient S3 permissions. | ||
## Create a Profile | ||
|
||
After installing Kubeflow on AWS with one of the available [deployment options]({{< ref "/docs/deployment" >}}), you can configure Kubeflow Profiles with the following steps: | ||
|
||
1. Define the following environment variables: | ||
|
||
The `S3_BUCKET` that is exported should be the same bucket that is used by Kubeflow Pipelines. | ||
```bash | ||
# Your cluster name | ||
export CLUSTER_NAME= | ||
# Your cluster region | ||
export CLUSTER_REGION= | ||
# The S3 Bucket that is used by Kubeflow Pipelines | ||
export S3_BUCKET= | ||
# Your AWS Acconut ID | ||
export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) | ||
# Name of the profile to create | ||
export PROFILE_NAME= | ||
``` | ||
2. Retrieve OIDC Provider URL | ||
|
||
```bash | ||
aws --region $CLUSTER_REGION eks update-kubeconfig --name $CLUSTER_NAME | ||
|
||
export OIDC_URL=$(aws eks describe-cluster --region $CLUSTER_REGION --name $CLUSTER_NAME --query "cluster.identity.oidc.issuer" --output text | cut -c9-) | ||
``` | ||
|
||
3. Create an IAM trust policy to authorize federated requests from the OIDC provider. | ||
|
||
```bash | ||
|
||
cat <<EOF > trust.json | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_URL}" | ||
}, | ||
"Action": "sts:AssumeRoleWithWebIdentity", | ||
"Condition": { | ||
"StringEquals": { | ||
"${OIDC_URL}:aud": "sts.amazonaws.com", | ||
"${OIDC_URL}:sub": "system:serviceaccount:kubeflow-user-example-com:default-editor" | ||
} | ||
} | ||
} | ||
] | ||
} | ||
EOF | ||
``` | ||
4. [Create an IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) with access to the S3 bucket where pipeline artifacts will be stored. The following policy grants full access to the S3 bucket, you can scope it down by giving read, write and GetBucketLocation permissions. | ||
```bash | ||
printf '{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Action": "s3:*", | ||
"Resource": [ | ||
"arn:aws:s3:::${S3_BUCKET}", | ||
"arn:aws:s3::::${S3_BUCKET}/*" | ||
] | ||
} | ||
] | ||
} | ||
' > ./s3_policy.json | ||
``` | ||
5. [Create an IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html) for the Profile using the scoped policy from the previous step. | ||
```bash | ||
aws iam create-role --role-name $PROFILE_NAME-$CLUSTER_NAME-role --assume-role-policy-document file://trust.json | ||
aws --region $CLUSTER_REGION iam put-role-policy --role-name $PROFILE_NAME-$CLUSTER_NAME-role --policy-name kf-$PROFILE_NAME-pipeline-s3 --policy-document file://s3_policy.json | ||
``` | ||
6. Create a user in your configured auth provider (e.g. Cognito or Dex). | ||
Export the user as an environment variable. | ||
```bash | ||
export PROFILE_USER="" | ||
``` | ||
7. Create a Profile using the `PROFILE_NAME`. | ||
> Note: annotateOnly has been set to true. This means that the Profile Controller will not mutate your IAM Role and Policy. | ||
```bash | ||
cat <<EOF > profile_iam.yaml | ||
apiVersion: kubeflow.org/v1 | ||
kind: Profile | ||
metadata: | ||
name: ${PROFILE_NAME} | ||
spec: | ||
owner: | ||
kind: User | ||
name: ${PROFILE_USER} | ||
plugins: | ||
- kind: AwsIamForServiceAccount | ||
spec: | ||
awsIamRole: $(aws iam get-role --role-name $PROFILE_NAME-$CLUSTER_NAME-role --output text --query 'Role.Arn') | ||
annotateOnly: true | ||
EOF | ||
kubectl apply -f profile_iam.yaml | ||
``` |
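Review bot: The trust policy in step 3 pins the subject to the preconfigured profile, `"${OIDC_URL}:sub": "system:serviceaccount:kubeflow-user-example-com:default-editor"`, so the role created in step 5 can only be assumed by that namespace's service account and the new profile's `default-editor` will get an AccessDenied from `sts:AssumeRoleWithWebIdentity`; it should read `system:serviceaccount:${PROFILE_NAME}:default-editor`, using the `PROFILE_NAME` variable the doc defines in step 1. Two more things break step 4's policy as written: the object ARN `"arn:aws:s3::::${S3_BUCKET}/*"` has one colon too many (it should be `arn:aws:s3:::${S3_BUCKET}/*`), and because the JSON sits inside a single-quoted `printf '...'`, the shell never expands `${S3_BUCKET}`, so the literal placeholder ends up in `s3_policy.json`; switching to the same `cat <<EOF` heredoc used for `trust.json` fixes the expansion and makes the two steps consistent. Since the text already tells readers to scope down from `s3:*`, the example would be better showing the concrete actions (bucket-level `s3:ListBucket` and `s3:GetBucketLocation`, object-level `s3:GetObject` and `s3:PutObject`) so the least-privilege form is the copy-pasted default rather than an afterthought. Minor: `--region` on `aws iam put-role-policy` in step 5 is unnecessary since IAM is global, "Acconut" in step 1 is a typo, and "an user profile namespace" and "configuring a profile an IAM role" in the intro need a small grammar pass.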
Binary file modified: website/content/en/docs/images/cognito/cognito-user-pool-created.png (-12.3 KB, 91%)