
Configure a Service Account to Assume an IAM role

SUMMARY This topic provides information about how to configure a Kubernetes service account to assume an AWS Identity and Access Management (IAM) role. This is a prerequisite for configuring VPC to CN2 communication in Juniper Cloud-Native Contrail release 23.1.

Configure a Service Account to Assume an IAM Role

CN2 release 23.1 supports access to Amazon VPC networks from CN2 or EKS clusters. To enable this feature, you must associate a Kubernetes service account with an AWS IAM role. Because this feature creates AWS resources, the custom CN2 controllers that reside in the contrail-gsi namespace need create, read, update, and delete (CRUD) access to those resources.

To grant CRUD access to the custom CN2 controllers, configure a service account to assume an IAM role whose permissions cover the CRUD operations the controllers must perform. Follow the steps in the following Amazon Web Services article to complete this process: Configuring a Kubernetes service account to assume an IAM role.

In step 1a under the "To associate an IAM role with a Kubernetes account" section, you are prompted to create a file that includes permissions for the AWS services that you want your controller pods to access. Juniper provides the JSON file below for this purpose.

In step 2, you are prompted to create a Kubernetes service account. You can use the example service account YAML provided in the AWS article, but you must use contrail-gsi for the namespace and contrail-gsi-serviceaccount for the name of the service account.
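The two artifacts these steps produce, the IAM role's trust policy and the annotated ServiceAccount, only work (and only stay least-privilege) when they name the same namespace and service account. The following added example, which is not Juniper's or AWS's code and does not reproduce Juniper's permissions JSON file, builds both for the contrail-gsi namespace and contrail-gsi-serviceaccount name the page requires, and checks that the trust policy's `sub` condition is pinned to exactly that service account rather than a wildcard. The AWS account ID, OIDC provider ID and role name are placeholders.

```python
"""Build the IRSA trust policy and ServiceAccount manifest for the CN2 controllers
and verify they agree. Added example; account ID, OIDC provider and role name
are placeholders (assumptions), not values from the CN2 documentation."""
import json
import re

# Values the CN2 documentation fixes for the custom controllers.
NAMESPACE = "contrail-gsi"
SERVICE_ACCOUNT = "contrail-gsi-serviceaccount"

# Placeholders: replace with your own account, cluster OIDC provider and role.
ACCOUNT_ID = "111122223333"
OIDC_PROVIDER = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLEOIDCPROVIDERID"
ROLE_NAME = "cn2-gsi-controller-role"


def trust_policy(account_id, oidc_provider, namespace, sa_name):
    """Trust policy allowing only one service account to assume the role.
    StringEquals on the 'sub' claim pins the role to namespace:name; a
    wildcard here would let any service account in the cluster assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_provider}:aud": "sts.amazonaws.com",
                f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
            }},
        }],
    }


def service_account_manifest(account_id, role_name, namespace, sa_name):
    """ServiceAccount carrying the eks.amazonaws.com/role-arn annotation that
    the EKS pod identity webhook uses to inject the web identity token."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": sa_name,
            "namespace": namespace,
            "annotations": {"eks.amazonaws.com/role-arn": f"arn:aws:iam::{account_id}:role/{role_name}"},
        },
    }


# Exact namespace and name only; '*' and '?' are rejected so wildcards fail.
_SUB_RE = re.compile(r"^system:serviceaccount:([^:*?]+):([^:*?]+)$")


def check_binding(policy, manifest):
    """Return a list of problems; an empty list means the manifest uses the
    CN2 namespace/name and the trust policy is pinned to exactly that account."""
    problems = []
    meta = manifest.get("metadata", {})
    ns, name = meta.get("namespace"), meta.get("name")
    if ns != NAMESPACE:
        problems.append(f"namespace must be {NAMESPACE}, got {ns!r}")
    if name != SERVICE_ACCOUNT:
        problems.append(f"service account name must be {SERVICE_ACCOUNT}, got {name!r}")
    if "eks.amazonaws.com/role-arn" not in meta.get("annotations", {}):
        problems.append("missing eks.amazonaws.com/role-arn annotation")

    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        if "StringLike" in cond:
            problems.append("trust policy uses StringLike; use StringEquals so 'sub' cannot be wildcarded")
        equals = cond.get("StringEquals", {})
        auds = [v for k, v in equals.items() if k.endswith(":aud")]
        subs = [v for k, v in equals.items() if k.endswith(":sub")]
        if auds != ["sts.amazonaws.com"]:
            problems.append("trust policy must require aud == sts.amazonaws.com")
        if not subs:
            problems.append("trust policy has no 'sub' condition: any service account could assume the role")
        for sub in subs:
            m = _SUB_RE.match(sub)
            if not m or m.group(1) != ns or m.group(2) != name:
                problems.append(f"'sub' condition {sub!r} does not match {ns}/{name}")
    return problems


if __name__ == "__main__":
    policy = trust_policy(ACCOUNT_ID, OIDC_PROVIDER, NAMESPACE, SERVICE_ACCOUNT)
    manifest = service_account_manifest(ACCOUNT_ID, ROLE_NAME, NAMESPACE, SERVICE_ACCOUNT)
    print(json.dumps(policy, indent=2))    # use as the role's assume-role policy document
    print(json.dumps(manifest, indent=2))  # kubectl accepts JSON manifests as well as YAML
    print("problems:", check_binding(policy, manifest) or "none")
```

Run it once with your real values substituted and apply the two printed documents with the AWS CLI and kubectl as the linked AWS article describes; the checker flags the common failure modes (wrong namespace, wrong name, missing annotation, wildcarded or missing `sub` condition) before anything is applied.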