When running Hopsworks in Amazon EKS you have several options to give the Hopsworks user access to AWS resources. The simplest is to assign the Amazon EKS node IAM role access to the resources. But this makes those resources accessible to all users. To manage access to resources on a per-project basis you need to use Role chaining.
In this document we will see how to configure AWS and Hopsworks to use Role chaining in your Hopsworks projects.
Before you begin this guide you'll need the following:
- A Hopsworks cluster running on EKS.
- Enabled IAM OpenID Connect (OIDC) provider for your cluster.
- Administrator account on the Hopsworks cluster.
To use role chaining, the Hopsworks instance pods need to be able to impersonate the roles you want to link to your projects. For this you need to create an IAM role, associate it with your Kubernetes service account with assume-role permissions, and attach it to your Hopsworks instance pods. For more details on how to create IAM roles for Kubernetes service accounts, see the AWS documentation.

!!! note
    To ensure that users can't use the service account role to impersonate the roles by their own means, make sure that the service account is only attached to the Hopsworks instance pods.
The IAM role needs a trust policy that allows the Kubernetes service account to assume it, and a permissions policy that allows it to assume the different roles that will be used to access resources.

Trust policy of the service account role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::$account_id:oidc-provider/$oidc_provider"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "$oidc_provider:aud": "sts.amazonaws.com",
          "$oidc_provider:sub": "system:serviceaccount:$namespace:$service_account"
        }
      }
    }
  ]
}
```

Permissions policy of the service account role, listing the roles it may assume:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeDataRoles",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::123456789011:role/my-role",
        "arn:aws:iam::xxxxxxxxxxxx:role/s3-role",
        "arn:aws:iam::xxxxxxxxxxxx:role/dev-s3-role",
        "arn:aws:iam::xxxxxxxxxxxx:role/redshift"
      ]
    }
  ]
}
```
To associate the IAM role with your Kubernetes service account, annotate the service account with the Amazon Resource Name (ARN) of the IAM role that you want the service account to assume:

```bash
kubectl annotate serviceaccount -n $namespace $service_account eks.amazonaws.com/role-arn=arn:aws:iam::$account_id:role/my-role
```
For the service account role to be able to impersonate the roles, you also need to configure the roles themselves to allow it. This is done by adding the service account role to each role's Trust relationships:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxxx:role/service-account-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
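The note above depends on two trust policies being tight: the service account role must only be assumable by the exact Kubernetes service account, and each chained role must only be assumable by the service account role. The following added checker (example code written for this page, not part of Hopsworks or AWS tooling) audits both policy shapes offline; the OIDC provider id, namespace `hopsworks`, service account `hopsworks-sa` and the sample policies are constructed assumptions that mirror the placeholders used above.

```python
def _as_list(v):
    return v if isinstance(v, list) else [v]

def check_service_account_trust(policy, oidc_provider, namespace, service_account):
    """Findings for the trust policy of the role attached to the Hopsworks pods:
    every Allow statement must pin the audience and the exact service account."""
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    findings = []
    for s in _as_list(policy.get("Statement", [])):
        if s.get("Effect") != "Allow":
            continue
        cond = s.get("Condition", {}).get("StringEquals", {})
        if cond.get(f"{oidc_provider}:aud") != "sts.amazonaws.com":
            findings.append("audience not pinned to sts.amazonaws.com")
        if cond.get(f"{oidc_provider}:sub") != expected_sub:
            findings.append(f"subject not pinned to {expected_sub}")
    return findings

def check_data_role_trust(policy, service_account_role_arn):
    """Findings for a chained role's trust policy: the only principal allowed to
    call sts:AssumeRole must be the service account role itself."""
    findings = []
    for s in _as_list(policy.get("Statement", [])):
        actions = set(_as_list(s.get("Action", [])))
        if s.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principal = s.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws:
            if p != service_account_role_arn:
                findings.append(f"unexpected principal may assume the role: {p}")
    return findings

# Constructed sample policies (not from the page); xxxxxxxxxxxx stands in for the account id.
OIDC = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEID"  # hypothetical OIDC provider
SA_ROLE = "arn:aws:iam::xxxxxxxxxxxx:role/service-account-role"
SA_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::xxxxxxxxxxxx:oidc-provider/{OIDC}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com",
                                   f"{OIDC}:sub": "system:serviceaccount:hopsworks:hopsworks-sa"}}}]}
GOOD_DATA_ROLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": SA_ROLE}, "Action": "sts:AssumeRole"}]}
# Too broad: the account root lets any principal in the account with sts:AssumeRole
# permissions bypass the per-project mapping configured in Hopsworks.
LOOSE_DATA_ROLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": ["arn:aws:iam::xxxxxxxxxxxx:root", SA_ROLE]}}]}

print(check_data_role_trust(LOOSE_DATA_ROLE_TRUST, SA_ROLE))  # flags the :root principal
```

Run it against policies fetched with `aws iam get-role` for each role listed in the permissions policy; an empty findings list for every role means the chain is closed to anything but the Hopsworks pods.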
Now that the service account IAM role can assume the roles, we need to configure Hopsworks to delegate access to the roles on a per-project basis.
In Hopsworks, click on your name in the top right corner of the navigation bar and choose Cluster Settings from the dropdown menu. In the Cluster Settings' IAM Role Chaining tab you can configure the mappings between projects and IAM roles.
Add mappings by clicking on New role chaining. Enter the project name, select the type of user that can assume the role, enter the role ARN, and click on Create new role chaining.

Project members can now create connectors using temporary credentials to assume the role you configured. More detail about using temporary credentials can be found here.

Project members can see the list of roles they can assume by going to the Project Settings -> Assuming IAM Roles page.