Skip to content

chore(docs): document IRSA requirements for ECR #703

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Nov 10, 2021
Merged

chore(docs): document IRSA requirements for ECR #703

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
c043962
chore(docs): document IRSA requirements for ECR
johnstcn Nov 10, 2021
b1a55a2
fixup! chore(docs): document IRSA requirements for ECR
johnstcn Nov 10, 2021
cbdd726
edit text
Nov 10, 2021
5d8690c
fix conflict
Nov 10, 2021
cf80e45
edit text
Nov 10, 2021
b2340fa
lint
Nov 10, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
137 changes: 112 additions & 25 deletions admin/registries/ecr.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,41 +6,126 @@ description: Add a private Amazon ECR to Coder.
This article will show you how to add your private ECR to Coder. If you're using
a public ECR registry, you do not need to follow the steps below.

Amazon requires users to [request temporary login credentials to access a
private Elastic Container Registry (ECR)
registry](https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html).
When interacting with ECR, Coder will request temporary credentials from the
registry using the AWS credentials linked to the registry.
Amazon requires users to
[request temporary login credentials](https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html)
to access a private Elastic Container Registry (ECR) registry. When interacting
with ECR, Coder will request temporary credentials from the registry using the
AWS credentials linked to the registry.

## Step 1: Setting up your AWS credentials
## Step 1: Setting up authentication for Coder

To access a private ECR registry, Coder needs AWS credentials (specifically your
**access key ID** and **secret access key**) with authorization to access the
provided registry. You can either use AWS credentials tied to your own AWS
account *or* credentials tied to an IAM user specifically for Coder (we
recommend the latter option).
To access a private ECR registry, Coder needs to authenticate with AWS. Coder
supports two methods of authentication with AWS ECR:

Note that you are not limited to providing one single set of AWS credentials.
For example, you can use a set of credentials with access to all of your ECR
repositories, or you can use individual sets of credentials, each with access to
a single repository.
- Static credentials
- IAM roles for service accounts

To provision AWS credentials for Coder:
### Option A: Provision static credentials for Coder

1. **Optional:** [Create an IAM user for
Coder](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html)
You can use an **Access Key ID** and **Secret Access Key** tied to either your
own AWS account _or_ credentials tied to a dedicated IAM user (we recommend the
latter option).

> You are not limited to providing a single set of AWS credentials. For example,
> you can use a set of credentials with access to all of your ECR repositories,
> or you can use individual sets of credentials, each with access to a single
> repository.

To provision static credentials for Coder:

1. **Optional:**
[Create an IAM user for Coder](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html)
to access ECR. You can either attach the AWS-managed policy
`AmazonEC2ContainerRegistryReadOnly` to the user, or you can [create your
own](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html).
`AmazonEC2ContainerRegistryReadOnly` to the user, or you can
[create your own](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html).

1. [Create an access
key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
1. [Create an access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
for the IAM user to be used with Coder (if one does not already exist).

### Option B: Link an AWS IAM role to the Coder Kubernetes service account (IRSA)

Coder can use an
[IAM role linked to Coder's Kubernetes service account](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/),
though this is only supported when Coder is running in AWS EKS. This is because
the
[EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook/)
is required to provision and inject the required token into the `coderd` pod.

> For more information on IAM Roles for Service Accounts (IRSA), please consult
> the
> [AWS Documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).

To link an IAM role to Coder's Kubernetes service account:

1. Create an IAM OIDC Provider for your EKS cluster (if it does not already
exist).

1. [Create the IAM role](https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html#create-service-account-iam-role)
to be used by Coder, if it does not already exist.

**Note:** Ensure that you also create and attach a trust policy that permits
the Coder service account the action `sts:AssumeRoleWithWebIdentity`. The
trust policy will look similar to the following:

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::${ACCT_ID}:oidc-provider/${OIDC_PROVIDER}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"${OIDC_PROVIDER}:sub": "system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT}"
}
}
}
]
}
```

1. Annotate the Coder service account with the role ARN:

a) Add the following to your `values.yaml` for your Coder helm deployment:

```yaml
coderd:
...
builtinProviderServiceAccount:
...
annotations:
eks.amazonaws.com/role-arn: my-role-arn
```

b) Update the Helm deployment:

```shell
helm upgrade coder coder/coder --values values.yaml
```

c) Verify that the Coder service account now has the correct annotation:

```shell
kubectl get serviceaccount coder -o yaml | grep eks.amazonaws.com/role-arn
eks.amazonaws.com/role-arn: my-role-arn
```

1. Validate that pods created with the `coder` service account have permission
to assume the role:

```shell
kubectl run -it --rm awscli --image=amazon/aws-cli \
--overrides='{"spec":{"serviceAccount":"coder"}}' \
--command aws ecr describe-repositories
```

## Step 2: Add your private ECR registry to Coder

You can add your private ECR registry at the same time that you [add your
images](../../images/index.md). To import an image:
You can add your private ECR registry at the same time that you
[add your images](../../images/index.md). To import an image:

1. In Coder, go to **Images** and click on **Import Image** in the upper-right.

Expand All @@ -51,7 +136,9 @@ images](../../images/index.md). To import an image:
1. Provide a **registry name** and the **registry**.

1. Set the **registry kind** to **ECR** and provide your **Access Key ID** and
**Secret Access Key**.
**Secret Access Key**, if required. If you want to use IRSA instead of static
credentials, to authenticate with ECR, leave **Access Key ID** and **Secret
Access Key** blank.

1. Continue with the process of [adding your image](../../images/index.md).

Expand Down