In this guide, we will walk through the steps necessary to configure your AWS account to be ready for integration with Crossplane. This is done by creating an AWS ProviderConfig resource, which tells Crossplane which credentials to use when communicating with an AWS account.
Prior to adding AWS to Crossplane, the following prerequisites must be met:

- provider-aws is installed in the same cluster
- kubectl is configured to communicate with the same cluster
- the aws CLI is installed and configured

Crossplane uses AWS security credentials and stores them as a Kubernetes secret that is referenced by an AWS ProviderConfig instance. In addition, the AWS default region from the CLI configuration is used for targeting a specific region. Crossplane therefore requires the aws command line tool to be installed and configured. Once configured, the credentials and configuration will reside in ~/.aws/credentials and ~/.aws/config respectively.
To set up the aws ProviderConfig, run setup.sh. It reads the aws credentials and region from your CLI profile and creates an aws ProviderConfig instance in Crossplane:
curl -O https://raw.githubusercontent.com/crossplane/crossplane/release-1.10/docs/snippets/configure/aws/providerconfig.yaml
curl -O https://raw.githubusercontent.com/crossplane/crossplane/release-1.10/docs/snippets/configure/aws/setup.sh
chmod +x setup.sh
./setup.sh [--profile aws_profile]
The --profile switch is optional and specifies the aws named profile that was configured with the aws CLI. If it is not provided, the default profile is used.

Once the script has executed successfully, Crossplane will use the aws account and region from the given named profile to create all subsequent AWS managed resources. You can confirm that the AWS ProviderConfig exists by running:
kubectl get providerconfig default
An AWS user with administrative privileges is needed to enable Crossplane to create the required resources. Once the user is provisioned, an access key needs to be created so the user can have API access. Keep in mind that this access key is a long-lived credential with full control of the account, and it will end up in a Kubernetes secret in the steps below: use a dedicated user for Crossplane, restrict who can read secrets in that namespace, and rotate the key if it is ever exposed.

Using that access key pair, install the aws cli and then configure it. When the aws cli is configured, the credentials and configuration will be in ~/.aws/credentials and ~/.aws/config respectively. These will be consumed in the next step.

When configuring the aws cli, the user credentials can be configured under a specific AWS named profile or under default. Without loss of generality, this guide assumes that the credentials are configured under the aws_profile profile (which could also be default). We'll use this profile to set up the cloud provider in the next section.
Crossplane uses the AWS user credentials that were configured in the previous step to create resources in AWS. These credentials will be stored as a secret in Kubernetes and referenced by an AWS ProviderConfig instance. The default AWS region is also pulled from the cli configuration and added to the AWS provider.

First, read the credentials out of the profile and base64-encode them in the form the secret expects. The one-liner below expects the shell variable aws_profile to hold the profile name chosen in the previous step, and it assumes the aws configure get calls succeed: if the profile or key is missing they print nothing, and the resulting blob would contain empty values, so check the variable is non-empty before going on. Note that base64 is an encoding, not encryption; anyone who can read secrets in the crossplane-system namespace can recover the plaintext keys.
# retrieve profile's credentials, save it under 'default' profile, and base64 encode it
BASE64ENCODED_AWS_ACCOUNT_CREDS=$(echo -e "[default]\naws_access_key_id = $(aws configure get aws_access_key_id --profile $aws_profile)\naws_secret_access_key = $(aws configure get aws_secret_access_key --profile $aws_profile)" | base64 | tr -d "\n")
Next, we'll need to create the secret and an AWS ProviderConfig that references it. The unquoted heredoc expands the variable, so provider.yaml will contain the encoded keys on disk; delete the file after applying it.
cat > provider.yaml <<EOF
---
apiVersion: v1
kind: Secret
metadata:
  name: aws-account-creds
  namespace: crossplane-system
type: Opaque
data:
  creds: ${BASE64ENCODED_AWS_ACCOUNT_CREDS}
---
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: aws-account-creds
      key: creds
EOF
# apply it to the cluster:
kubectl apply -f "provider.yaml"
# delete the credentials variable
unset BASE64ENCODED_AWS_ACCOUNT_CREDS
The output will look like the following (the secret name matches the manifest above, and kubectl reports the ProviderConfig kind by its resource name):
secret/aws-account-creds created
providerconfig.aws.crossplane.io/default created
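The one-liner above builds the credentials blob but gives no feedback if aws configure get returned nothing. The following is an added example, not code from the Crossplane docs or from provider-aws, that renders the same INI-style content, encodes it the way the Secret's data field expects, and checks that the blob decodes back to a [default] profile with both keys populated. It takes the key pair as arguments instead of calling the aws CLI so it runs offline; the key values in the usage line are the placeholder pair from AWS's own documentation, not real credentials.

```shell
#!/bin/sh
# Added example, not part of the Crossplane docs or provider-aws: build the
# credentials blob a ProviderConfig secretRef points at and sanity-check it
# before it goes into a Secret. Key pair is passed in as arguments rather
# than read with `aws configure get`, so this runs offline.

# Render the credentials file content under the [default] profile, which is
# the profile name the page's one-liner writes regardless of the local
# profile the keys were read from.
render_aws_creds() {
    key_id=$1
    secret_key=$2
    # `aws configure get` prints nothing when the profile or key is missing;
    # encoding that silently yields an unusable secret, so fail early.
    if [ -z "$key_id" ] || [ -z "$secret_key" ]; then
        echo "render_aws_creds: access key id and secret key must both be set" >&2
        return 1
    fi
    printf '[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
        "$key_id" "$secret_key"
}

# Base64-encode the rendered file as a single line, the form a Secret's
# data field expects. tr is used instead of `base64 -w0` for portability.
# Captures render_aws_creds first so its failure is not hidden by the pipe.
encode_creds() {
    ini=$(render_aws_creds "$1" "$2") || return 1
    printf '%s\n' "$ini" | base64 | tr -d '\n'
}

# Decode a blob and confirm it still carries the [default] header and both
# keys with non-empty values. Returns non-zero if anything is missing.
check_creds_blob() {
    decoded=$(printf '%s' "$1" | base64 --decode) || return 1
    printf '%s\n' "$decoded" | grep -q '^\[default\]$' || return 1
    printf '%s\n' "$decoded" | grep -q '^aws_access_key_id = ..*' || return 1
    printf '%s\n' "$decoded" | grep -q '^aws_secret_access_key = ..*' || return 1
}

# Usage with AWS documentation placeholder keys (constructed, not real):
#   blob=$(encode_creds AKIAIOSFODNN7EXAMPLE wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY)
#   check_creds_blob "$blob" && echo "creds blob OK"
```

In practice you would feed encode_creds the output of the two aws configure get calls from the page and run check_creds_blob on the result before putting it in BASE64ENCODED_AWS_ACCOUNT_CREDS; the same check can be run later against kubectl get secret aws-account-creds -n crossplane-system -o jsonpath='{.data.creds}' to confirm what Crossplane is actually reading.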
Crossplane resources use the ProviderConfig named default if no specific ProviderConfig is referenced, so this ProviderConfig will be the default for all AWS resources.