$ curl --create-dirs -o <credrequests-dir>/operator.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/operator-credentials-request.yaml
You can install the AWS Load Balancer (ALB) Operator on a Security Token Service (STS) cluster.
The ALB Operator relies on a CredentialsRequest
to bootstrap the Operator and for the AWSLoadBalancerController
instance. The ALB Operator waits until the required secrets are created and available.
An additional IAM role is required to successfully install the ALB Operator on a Security Token Service (STS) cluster. The IAM role is required to interact with subnets and Virtual Private Clouds (VPCs). The Operator generates a CredentialsRequest
with this role to bootstrap itself.
There are two options for creating the IAM role:
Using ccoctl
and a predefined CredentialsRequest
.
Using the AWS CLI and predefined AWS manifests.
Use the AWS CLI if your environment does not support the ccoctl
command.
You can use the ccoctl
binary to create an IAM role for the AWS Load Balancer (ALB) Operator. The created IAM role is used to interact with subnets and Virtual Private Clouds (VPCs).
You must extract and prepare the ccoctl
binary.
Download the CredentialsRequest
custom resource (CR) of the ALB Operator and create a directory to store it in by running the following command:
$ curl --create-dirs -o <credrequests-dir>/operator.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/operator-credentials-request.yaml
Use ccoctl
to create an IAM role by running the following command:
$ ccoctl aws create-iam-roles \
--name <name> \
--region=<aws_region> \
--credentials-requests-dir=<credrequests-dir> \
--identity-provider-arn <oidc-arn>
2023/09/12 11:38:57 Role arn:aws:iam::777777777777:role/<name>-aws-load-balancer-operator-aws-load-balancer-operator created (1)
2023/09/12 11:38:57 Saved credentials configuration to: /home/user/<credrequests-dir>/manifests/aws-load-balancer-operator-aws-load-balancer-operator-credentials.yaml
2023/09/12 11:38:58 Updated Role policy for Role <name>-aws-load-balancer-operator-aws-load-balancer-operator created
1 | Note the ARN of the created IAM role. |
The length of the role name must be less than or equal to 12 characters. |
You can use the aws
command line interface to create an IAM role for the AWS Load Balancer (ALB) Operator. The created IAM role is used to interact with subnets and Virtual Private Clouds (VPCs).
You must have access to the aws
command line interface.
Generate a trust policy file using your identity provider by running the following command:
$ cat <<EOF > albo-operator-trust-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::777777777777:oidc-provider/<oidc-provider-id>" (1)
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"<oidc-provider-id>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager" (2)
}
}
}
]
}
EOF
1 | Specifies the ARN of the identity provider. |
2 | Specifies the service account for the Operator. |
Create the IAM role with the generated trust policy by running the following command:
$ aws iam create-role --role-name albo-operator --assume-role-policy-document file://albo-operator-trusted-policy.json
ROLE arn:aws:iam::777777777777:role/albo-operator 2023-08-02T12:13:22Z (1)
ASSUMEROLEPOLICYDOCUMENT 2012-10-17
STATEMENT sts:AssumeRoleWithWebIdentity Allow
STRINGEQUALS system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-manager
PRINCIPAL arn:aws:iam:777777777777:oidc-provider/<oidc-provider-id>
1 | Note the ARN of the created IAM role. |
Download the permission policy for the ALB Operator by running the following command:
$ curl -o albo-controller-permission-policy.json https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/assets/iam-policy.json
Attach the permission policy for the AWSLoadBalancerController
to the IAM role by running the following command:
$ aws iam put-role-policy --role-name albo-controller --policy-name perms-policy-albo-controller --policy-document file://albo-controller-permission-policy.json
The role Amazon Resource Name (ARN) needs to be passed to the AWS Load Balancer (ALB) Operator as an environment variable. You can use the dedicated input box in the OperatorHub web UI or specify it in the Subscription
resource when installing the Operator by using the OpenShift CLI.
You have installed the OpenShift CLI (oc
).
Create the aws-load-balancer-operator
project by running the following command:
$ oc new-project aws-load-balancer-operator
Create an OperatorGroup
for the ALB Operator by running the following command:
$ cat <<EOF | oc apply -f -
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: aws-load-balancer-operator
namespace: aws-load-balancer-operator
spec:
targetNamespaces: []
EOF
Create a Subscription
object for the ALB Operator with the role ARN by running the following command:
$ cat <<EOF | oc apply -f -
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: aws-load-balancer-operator
namespace: aws-load-balancer-operator
spec:
channel: stable-v1
name: aws-load-balancer-operator
source: redhat-operators
sourceNamespace: openshift-marketplace
config:
env:
- name: ROLEARN
value: "<role-arn>" (1)
EOF
1 | Specifies the role ARN to be used in the CredentialsRequest to provision the AWS credentials for the Operator. |
The ALB Operator waits until the creation of the required secret before moving to the available state. |
The CredentialsRequest
for the AWS Load Balancer Controller must be set with a manually provisioned IAM role.
There are two options for creating the IAM role:
Using ccoctl
and a predefined CredentialsRequest
.
Using the AWS CLI and predefined AWS manifests.
Use the AWS CLI if your environment does not support the ccoctl
command.
You can use the ccoctl
binary to create an IAM role for the AWSLoadBalancerController
. The created IAM role is used to interact with subnets and Virtual Private Clouds (VPCs).
You must extract and prepare the ccoctl
binary.
Download the CredentialsRequest
custom resource (CR) of the AWS Load Balancer Operator and create a directory to store it in by running the following command:
$ curl --create-dirs -o <credrequests-dir>/controller.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/controller/controller-credentials-request.yaml
Use ccoctl
to create an IAM role by running the following command:
$ ccoctl aws create-iam-roles \
--name <name> \
--region=<aws_region> \
--credentials-requests-dir=<credrequests-dir> \
--identity-provider-arn <oidc-arn>
2023/09/12 11:38:57 Role arn:aws:iam::777777777777:role/<name>-aws-load-balancer-operator-aws-load-balancer-controller created (1)
2023/09/12 11:38:57 Saved credentials configuration to: /home/user/<credrequests-dir>/manifests/aws-load-balancer-operator-aws-load-balancer-controller-credentials.yaml
2023/09/12 11:38:58 Updated Role policy for Role <name>-aws-load-balancer-operator-aws-load-balancer-controller created
1 | Note the ARN of the created IAM role. |
The length of the role name must be less than or equal to 12 characters. |
You can use the aws
command line interface to create an IAM role for the AWSLoadBalancerController
. The created IAM role is used to interact with subnets and Virtual Private Clouds (VPCs).
You must have access to the aws
command line interface.
Generate a trust policy file using your identity provider by running the following command:
$ cat <<EOF > albo-controller-trust-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::777777777777:oidc-provider/<oidc-provider-id>" (1)
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"<oidc-provider-id>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster" (2)
}
}
}
]
}
EOF
1 | Specifies the ARN of the identity provider. |
2 | Specifies the service account for the AWSLoadBalancerController . |
Create the IAM role with the generated trust policy by running the following command:
$ aws iam create-role --role-name albo-controller --assume-role-policy-document file://albo-controller-trusted-policy.json
ROLE arn:aws:iam::777777777777:role/albo-controller 2023-08-02T12:13:22Z (1)
ASSUMEROLEPOLICYDOCUMENT 2012-10-17
STATEMENT sts:AssumeRoleWithWebIdentity Allow
STRINGEQUALS system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster
PRINCIPAL arn:aws:iam:777777777777:oidc-provider/<oidc-provider-id>
1 | Note the ARN of the created IAM role. |
Download the permission policy for the AWSLoadBalancerController
by running the following command:
$ curl -o albo-controller-permission-policy.json https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/assets/iam-policy.json
Attach the permission policy for the AWSLoadBalancerController
to the IAM role by running the following command:
$ aws iam put-role-policy --role-name albo-controller --policy-name perms-policy-albo-controller --policy-document file://albo-controller-permission-policy.json
Create an AWSLoadBalancerController
resource file named example-sts-iam-role.yaml
with contents such as the following example:
apiVersion: networking.olm.openshift.io/v1
kind: AWSLoadBalancerController (1)
metadata:
name: cluster (2)
spec:
credentialsRequestConfig:
stsIAMRoleARN: <role-arn> (3)
1 | Defines the AWSLoadBalancerController resource. |
2 | Defines the instance name for the AWSLoadBalancerController . All related resources use this instance name as a suffix. |
3 | Specifies the role ARN to be used in a CredentialsRequest to provision the AWS credentials for the controller. |