From 65a3d40a6351ecee5bac88c40c2748901c668a2d Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Tue, 16 Nov 2021 14:16:02 +0000 Subject: [PATCH 1/4] correct(docs): label IRSA authentication as alpha --- admin/registries/ecr.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/admin/registries/ecr.md b/admin/registries/ecr.md index 8d6976548..9b45b9526 100644 --- a/admin/registries/ecr.md +++ b/admin/registries/ecr.md @@ -18,7 +18,7 @@ To access a private ECR registry, Coder needs to authenticate with AWS. Coder supports two methods of authentication with AWS ECR: - Static credentials -- IAM roles for service accounts +- IAM roles for service accounts (`alpha`) ### Option A: Provision static credentials for Coder @@ -44,6 +44,8 @@ To provision static credentials for Coder: ### Option B: Link an AWS IAM role to the Coder Kubernetes service account (IRSA) +**Note:** This is currently an `alpha` feature. + Coder can use an [IAM role linked to Coder's Kubernetes service account](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/), though this is only supported when Coder is running in AWS EKS. This is because @@ -57,6 +59,9 @@ is required to provision and inject the required token into the `coderd` pod. To link an IAM role to Coder's Kubernetes service account: +1. Enable the feature under Admin > Infrastructure > ECR IAM Role + Authentication. + 1. Create an IAM OIDC Provider for your EKS cluster (if it does not already exist). From b812e4dc7f8cb0cca7acb142f34bc97eec9d012c Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Tue, 16 Nov 2021 14:19:36 +0000 Subject: [PATCH 2/4] bump gh actions after changing pr base From dc7d36dce60997ce222ac6c6201bb417690024a0 Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Tue, 16 Nov 2021 14:22:34 +0000 Subject: [PATCH 3/4] fixup! correct(docs): label IRSA authentication as alpha --- admin/registries/ecr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/admin/registries/ecr.md b/admin/registries/ecr.md index 9b45b9526..78d0eebf3 100644 --- a/admin/registries/ecr.md +++ b/admin/registries/ecr.md @@ -59,7 +59,7 @@ is required to provision and inject the required token into the `coderd` pod. To link an IAM role to Coder's Kubernetes service account: -1. Enable the feature under Admin > Infrastructure > ECR IAM Role +1. Enable the feature under Manage > Admin > Infrastructure > ECR IAM Role Authentication. 1. Create an IAM OIDC Provider for your EKS cluster (if it does not already From bc6adc950c93eb658bcb3fc23b939e51264a6bdc Mon Sep 17 00:00:00 2001 From: Katie Horne Date: Tue, 16 Nov 2021 08:27:08 -0600 Subject: [PATCH 4/4] Update ecr.md --- admin/registries/ecr.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/admin/registries/ecr.md b/admin/registries/ecr.md index 78d0eebf3..26256e2eb 100644 --- a/admin/registries/ecr.md +++ b/admin/registries/ecr.md @@ -18,7 +18,7 @@ To access a private ECR registry, Coder needs to authenticate with AWS. Coder supports two methods of authentication with AWS ECR: - Static credentials -- IAM roles for service accounts (`alpha`) +- **Alpha:** IAM roles for service accounts ### Option A: Provision static credentials for Coder @@ -44,7 +44,7 @@ To provision static credentials for Coder: ### Option B: Link an AWS IAM role to the Coder Kubernetes service account (IRSA) -**Note:** This is currently an `alpha` feature. +**Note:** This is currently an **alpha** feature. Coder can use an [IAM role linked to Coder's Kubernetes service account](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/),
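Review bot: The note added under Option B in PATCH 1/4 (hunk @@ -44,6 +44,8), "**Note:** This is currently an `alpha` feature.", does not say what alpha means for someone choosing an authentication method. Suggest following it with one sentence, or a link, that states the stability and support expectations for alpha features, and that points to Option A (static credentials) as the method not marked alpha, so an operator can decide which one to rely on.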
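Review bot: The new first step in PATCH 1/4 (hunk @@ -57,6 +59,9, reworded in PATCH 3/4 to "Manage > Admin > Infrastructure > ECR IAM Role Authentication") says where the setting lives but not its default state or what Coder does when it is left disabled. Suggest stating both in the step, because a reader who completes the IAM and OIDC steps but skips the toggle gets no guidance from this page on why IRSA is not in effect. PATCH 3/4 is a `fixup!` of 1/4 that touches only this line, so it should be squashed into 1/4 before merge.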
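Review bot: After PATCH 4/4 the alpha label is written two different ways, as a "**Alpha:**" prefix in the list of methods (hunk @@ -18,7 +18,7) and as "**Note:** This is currently an **alpha** feature." under Option B (hunk @@ -44,7 +44,7), while the Option B heading itself carries no marker. Suggest settling on one form and using it in both places, so a reader scanning the list or arriving directly at the Option B section sees the same label. Both lines were introduced in PATCH 1/4, so this change can be folded into that commit rather than landing as a separate "Update ecr.md".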