×

You can install the AWS Load Balancer (ALB) Operator on a Security Token Service (STS) cluster.

The ALB Operator relies on a CredentialsRequest to bootstrap the Operator and for the AWSLoadBalancerController instance. The ALB Operator waits until the required secrets are created and available.

Creating an IAM role for the AWS Load Balancer Operator

An additional IAM role is required to successfully install the ALB Operator on a Security Token Service (STS) cluster. The IAM role is required to interact with subnets and Virtual Private Clouds (VPCs). The Operator generates a CredentialsRequest with this role to bootstrap itself.

There are two options for creating the IAM role:

  • Using ccoctl and a predefined CredentialsRequest.

  • Using the AWS CLI and predefined AWS manifests.

Use the AWS CLI if your environment does not support the ccoctl command.

Using ccoctl to create an IAM role for the Operator

You can use the ccoctl binary to create an IAM role for the AWS Load Balancer (ALB) Operator. The created IAM role is used to interact with subnets and Virtual Private Clouds (VPCs).

Prerequisites
  • You must extract and prepare the ccoctl binary.

Procedure
  1. Download the CredentialsRequest custom resource (CR) of the ALB Operator and create a directory to store it in by running the following command:

    $ curl --create-dirs -o <credrequests-dir>/operator.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/operator-credentials-request.yaml
  2. Use ccoctl to create an IAM role by running the following command:

    $ ccoctl aws create-iam-roles \
        --name <name> \
        --region=<aws_region> \
        --credentials-requests-dir=<credrequests-dir> \
        --identity-provider-arn <oidc-arn>
    Example output
    2023/09/12 11:38:57 Role arn:aws:iam::777777777777:role/<name>-aws-load-balancer-operator-aws-load-balancer-operator created (1)
    2023/09/12 11:38:57 Saved credentials configuration to: /home/user/<credrequests-dir>/manifests/aws-load-balancer-operator-aws-load-balancer-operator-credentials.yaml
    2023/09/12 11:38:58 Updated Role policy for Role <name>-aws-load-balancer-operator-aws-load-balancer-operator created
    1 Note the ARN of the created IAM role.

    The length of the role name must be less than or equal to 12 characters.

Using the AWS CLI to create an IAM role for the Operator

You can use the aws command line interface to create an IAM role for the AWS Load Balancer (ALB) Operator. The created IAM role is used to interact with subnets and Virtual Private Clouds (VPCs).

Prerequisites
  • You must have access to the aws command line interface.

Procedure
  1. Generate a trust policy file using your identity provider by running the following command:

    $ cat <<EOF > albo-operator-trust-policy.json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::777777777777:oidc-provider/<oidc-provider-id>" (1)
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "<oidc-provider-id>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager" (2)
                    }
                }
            }
        ]
    }
    EOF
    1 Specifies the ARN of the identity provider.
    2 Specifies the service account for the Operator.
  2. Create the IAM role with the generated trust policy by running the following command:

    $ aws iam create-role --role-name albo-operator --assume-role-policy-document file://albo-operator-trusted-policy.json
    Example output
    ROLE	arn:aws:iam::777777777777:role/albo-operator	2023-08-02T12:13:22Z (1)
    ASSUMEROLEPOLICYDOCUMENT	2012-10-17
    STATEMENT	sts:AssumeRoleWithWebIdentity	Allow
    STRINGEQUALS	system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-manager
    PRINCIPAL	arn:aws:iam:777777777777:oidc-provider/<oidc-provider-id>
    1 Note the ARN of the created IAM role.
  3. Download the permission policy for the ALB Operator by running the following command:

    $ curl -o albo-controller-permission-policy.json https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/assets/iam-policy.json
  4. Attach the permission policy for the AWSLoadBalancerController to the IAM role by running the following command:

    $ aws iam put-role-policy --role-name albo-controller --policy-name perms-policy-albo-controller --policy-document file://albo-controller-permission-policy.json

Specifying the role ARN for the ALB Operator on an STS cluster

The role Amazon Resource Name (ARN) needs to be passed to the AWS Load Balancer (ALB) Operator as an environment variable. You can use the dedicated input box in the OperatorHub web UI or specify it in the Subscription resource when installing the Operator by using the OpenShift CLI.

Prerequisites
  • You have installed the OpenShift CLI (oc).

Procedure
  1. Create the aws-load-balancer-operator project by running the following command:

    $ oc new-project aws-load-balancer-operator
  2. Create an OperatorGroup for the ALB Operator by running the following command:

    $ cat <<EOF | oc apply -f -
    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: aws-load-balancer-operator
      namespace: aws-load-balancer-operator
    spec:
      targetNamespaces: []
    EOF
  3. Create a Subscription object for the ALB Operator with the role ARN by running the following command:

    $ cat <<EOF | oc apply -f -
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: aws-load-balancer-operator
      namespace: aws-load-balancer-operator
    spec:
      channel: stable-v1
      name: aws-load-balancer-operator
      source: redhat-operators
      sourceNamespace: openshift-marketplace
      config:
        env:
        - name: ROLEARN
          value: "<role-arn>" (1)
    EOF
    1 Specifies the role ARN to be used in the CredentialsRequest to provision the AWS credentials for the Operator.

    The ALB Operator waits until the creation of the required secret before moving to the available state.

Creating an IAM role for the AWS Load Balancer Controller

The CredentialsRequest for the AWS Load Balancer Controller must be set with a manually provisioned IAM role.

There are two options for creating the IAM role:

  • Using ccoctl and a predefined CredentialsRequest.

  • Using the AWS CLI and predefined AWS manifests.

Use the AWS CLI if your environment does not support the ccoctl command.

Using ccoctl to create an IAM role for the Controller

You can use the ccoctl binary to create an IAM role for the AWSLoadBalancerController. The created IAM role is used to interact with subnets and Virtual Private Clouds (VPCs).

Prerequisites
  • You must extract and prepare the ccoctl binary.

Procedure
  1. Download the CredentialsRequest custom resource (CR) of the AWS Load Balancer Operator and create a directory to store it in by running the following command:

    $ curl --create-dirs -o <credrequests-dir>/controller.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/controller/controller-credentials-request.yaml
  2. Use ccoctl to create an IAM role by running the following command:

    $ ccoctl aws create-iam-roles \
        --name <name> \
        --region=<aws_region> \
        --credentials-requests-dir=<credrequests-dir> \
        --identity-provider-arn <oidc-arn>
    Example output
    2023/09/12 11:38:57 Role arn:aws:iam::777777777777:role/<name>-aws-load-balancer-operator-aws-load-balancer-controller created (1)
    2023/09/12 11:38:57 Saved credentials configuration to: /home/user/<credrequests-dir>/manifests/aws-load-balancer-operator-aws-load-balancer-controller-credentials.yaml
    2023/09/12 11:38:58 Updated Role policy for Role <name>-aws-load-balancer-operator-aws-load-balancer-controller created
    1 Note the ARN of the created IAM role.

    The length of the role name must be less than or equal to 12 characters.

Using the AWS CLI to create an IAM role for the Controller

You can use the aws command line interface to create an IAM role for the AWSLoadBalancerController. The created IAM role is used to interact with subnets and Virtual Private Clouds (VPCs).

Prerequisites
  • You must have access to the aws command line interface.

Procedure
  1. Generate a trust policy file using your identity provider by running the following command:

    $ cat <<EOF > albo-controller-trust-policy.json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::777777777777:oidc-provider/<oidc-provider-id>" (1)
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "<oidc-provider-id>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster" (2)
                    }
                }
            }
        ]
    }
    EOF
    1 Specifies the ARN of the identity provider.
    2 Specifies the service account for the AWSLoadBalancerController.
  2. Create the IAM role with the generated trust policy by running the following command:

    $ aws iam create-role --role-name albo-controller --assume-role-policy-document file://albo-controller-trusted-policy.json
    Example output
    ROLE	arn:aws:iam::777777777777:role/albo-controller	2023-08-02T12:13:22Z (1)
    ASSUMEROLEPOLICYDOCUMENT	2012-10-17
    STATEMENT	sts:AssumeRoleWithWebIdentity	Allow
    STRINGEQUALS	system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster
    PRINCIPAL	arn:aws:iam:777777777777:oidc-provider/<oidc-provider-id>
    1 Note the ARN of the created IAM role.
  3. Download the permission policy for the AWSLoadBalancerController by running the following command:

    $ curl -o albo-controller-permission-policy.json https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/assets/iam-policy.json
  4. Attach the permission policy for the AWSLoadBalancerController to the IAM role by running the following command:

    $ aws iam put-role-policy --role-name albo-controller --policy-name perms-policy-albo-controller --policy-document file://albo-controller-permission-policy.json
  5. Create an AWSLoadBalancerController resource file named example-sts-iam-role.yaml with contents such as the following example:

    apiVersion: networking.olm.openshift.io/v1
    kind: AWSLoadBalancerController (1)
    metadata:
      name: cluster (2)
    spec:
      credentialsRequestConfig:
        stsIAMRoleARN: <role-arn> (3)
    1 Defines the AWSLoadBalancerController resource.
    2 Defines the instance name for the AWSLoadBalancerController. All related resources use this instance name as a suffix.
    3 Specifies the role ARN to be used in a CredentialsRequest to provision the AWS credentials for the controller.