# AWS STS KMS
## Cluster Admin
* Add `ceph-csi-kms` to the OIDC provider's client ID list (this is the audience the role trust policy checks later):
```bash=
$ aws iam add-client-id-to-open-id-connect-provider --open-id-connect-provider-arn <arn> --client-id "ceph-csi-kms"
```
---
## Storage Admin
* Create or edit the `csi-kms-connection-details` ConfigMap in the `openshift-storage` namespace. Each key of `data` is an `encryptionKMSID`; its value must be plain JSON (no comments inside the block scalar).
```yaml=
apiVersion: v1
kind: ConfigMap
metadata:
  name: csi-kms-connection-details
  namespace: openshift-storage
data:
  # secretName defaults to `ceph-csi-aws-credentials` if not specified
  aws-sts-metadata-test: |-
    {
      "encryptionKMSType": "aws-sts-metadata",
      "secretName": "tenant-aws-secret"
    }
```
* Create a StorageClassClaim whose `encryptionMethod` names the ConfigMap entry above.
```yaml=
apiVersion: ocs.openshift.io/v1alpha1
kind: StorageClassClaim
metadata:
  name: encrypted-rbd-test
  namespace: kms-test
spec:
  # type: blockpool or sharedfilesystem
  type: blockpool
  encryptionMethod: "aws-sts-metadata-test"
```
* The above step should create a StorageClass similar to this one; `encrypted` and `encryptionKMSID` are the parameters that turn on per-volume encryption.
```yaml=
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: openshift-storage-block
parameters:
  # --- extra parameters for encryption ---
  encrypted: "true"
  encryptionKMSID: aws-sts-metadata-test
  # --- ---
  clusterID: openshift-storage
  csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/controller-expand-secret-namespace: openshift-storage
  csi.storage.k8s.io/fstype: ext4
  csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
  csi.storage.k8s.io/node-stage-secret-namespace: openshift-storage
  csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/provisioner-secret-namespace: openshift-storage
  imageFeatures: layering
  imageFormat: "2"
  pool: replicapool
provisioner: openshift-storage.rbd.csi.ceph.com
reclaimPolicy: Delete
volumeBindingMode: Immediate
```
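The StorageClass only works if its `encryptionKMSID` resolves to a valid entry in `csi-kms-connection-details`, and a common mistake is a comment or stray text inside the JSON block scalar, which ceph-csi cannot parse. The following added example (not code from this page or from ceph-csi/ODF) is a small pre-flight check a storage admin can run against the ConfigMap `data` and StorageClass `parameters` as read back with `kubectl get ... -o json`; the sample inputs are constructed inline, and the `ceph-csi-aws-credentials` default comes from this page.

```python
import json

# Constructed sample: the .data of the csi-kms-connection-details ConfigMap.
# The second entry deliberately carries a '#' comment inside the JSON, which
# is the mistake this check is meant to catch.
KMS_CONFIGMAP_DATA = {
    "aws-sts-metadata-test": json.dumps({
        "encryptionKMSType": "aws-sts-metadata",
        "secretName": "tenant-aws-secret",
    }),
    "broken-entry": '{\n  "encryptionKMSType": "aws-sts-metadata" # comment\n}',
}

# Constructed sample: the .parameters of the generated StorageClass.
STORAGECLASS_PARAMETERS = {
    "encrypted": "true",
    "encryptionKMSID": "aws-sts-metadata-test",
    "clusterID": "openshift-storage",
    "pool": "replicapool",
}

# Default secret name when the ConfigMap entry omits secretName (from this page).
DEFAULT_SECRET_NAME = "ceph-csi-aws-credentials"


def parse_kms_config(configmap_data, kms_id):
    """Return the parsed KMS entry for kms_id with secretName defaulted.

    Raises ValueError when the entry is absent or is not valid JSON.
    """
    raw = configmap_data.get(kms_id)
    if raw is None:
        raise ValueError(f"encryptionKMSID {kms_id!r} not found in csi-kms-connection-details")
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"entry {kms_id!r} is not valid JSON: {exc}") from exc
    cfg.setdefault("secretName", DEFAULT_SECRET_NAME)
    return cfg


def check_storageclass(params, configmap_data):
    """Return a list of problems linking a StorageClass to the KMS ConfigMap.

    An empty list means the StorageClass points at a usable aws-sts-metadata entry.
    """
    problems = []
    if params.get("encrypted") != "true":
        problems.append('encrypted must be the string "true"')
    kms_id = params.get("encryptionKMSID")
    if not kms_id:
        problems.append("encryptionKMSID missing")
        return problems
    try:
        cfg = parse_kms_config(configmap_data, kms_id)
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    if cfg.get("encryptionKMSType") != "aws-sts-metadata":
        problems.append(f"unexpected encryptionKMSType {cfg.get('encryptionKMSType')!r}")
    return problems


if __name__ == "__main__":
    print("good StorageClass:", check_storageclass(STORAGECLASS_PARAMETERS, KMS_CONFIGMAP_DATA))
    print("broken entry:", check_storageclass(
        {"encrypted": "true", "encryptionKMSID": "broken-entry"}, KMS_CONFIGMAP_DATA))
```

The check is deliberately strict about `encrypted: "true"` being a string, because StorageClass parameters are always strings and a YAML boolean `true` will be rejected by the API server.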
---
## User
- Create the IAM role. The `Federated` principal is the cluster's OIDC provider ARN (`<oidc_provider_arn>`) and the `aud` condition must equal the client ID added by the cluster admin, so that only tokens issued for `ceph-csi-kms` can assume the role.
```bash=
$ cat policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::810962211348:oidc-provider/rh-oidc-staging.s3.us-east-1.amazonaws.com/1sv48pghc3efoocivlb5b46ffl9jkg6j"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "rh-oidc-staging.s3.us-east-1.amazonaws.com/1sv48pghc3efoocivlb5b46ffl9jkg6j:aud": "ceph-csi-kms"
        }
      }
    }
  ]
}
$ aws iam create-role --role-name aws-sts-kms --assume-role-policy-document file://policy.json
```
- Create an AWS KMS key.
```bash=
$ aws kms create-key
{
  "KeyMetadata": {
    "AWSAccountId": "21231130807",
    "KeyId": "5af07e80-7449-4b25-8abc-d419f059176a",
    "Arn": "arn:aws:kms:ap-northeast-1:21231130807:key/5af07e80-7449-4b25-8abc-d419f059176a",
    "CreationDate": 1647252582.293,
    "Enabled": true,
    "Description": "",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyState": "Enabled",
    "Origin": "AWS_KMS",
    "KeyManager": "CUSTOMER",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "KeySpec": "SYMMETRIC_DEFAULT",
    "EncryptionAlgorithms": [
      "SYMMETRIC_DEFAULT"
    ],
    "MultiRegion": false
  }
}
```
- Create the key access policy and attach it to the role. The policy grants only `kms:Encrypt` and `kms:Decrypt`, scoped to the single key ARN.
```bash=
$ cat key-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "key",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:ap-northeast-1:21231130807:key/5af07e80-7449-4b25-8abc-d419f059176a"
    }
  ]
}
$ aws iam create-policy --policy-name kms-access --policy-document file://key-policy.json
{
  "Policy": {
    "PolicyName": "kms-access",
    "PolicyId": "ANPATZZEJESL63YY76KZM",
    "Arn": "arn:aws:iam::261532230807:policy/kms-access",
    "Path": "/",
    "DefaultVersionId": "v1",
    "AttachmentCount": 0,
    "PermissionsBoundaryUsageCount": 0,
    "IsAttachable": true,
    "CreateDate": "2022-03-14T10:20:10Z",
    "UpdateDate": "2022-03-14T10:20:10Z"
  }
}
$ aws iam attach-role-policy --role-name aws-sts-kms --policy-arn arn:aws:iam::261532230807:policy/kms-access
```
- Create the credentials Secret that ceph-csi reads (`ceph-csi-aws-credentials` by default, or the `secretName` set in the ConfigMap). Note that IAM role ARNs carry no region, so the region field between `iam:` and the account ID is left empty.
```bash=
$ cat ceph-csi-credentials.yaml
apiVersion: v1
kind: Secret
metadata:
  name: ceph-csi-aws-credentials
stringData:
  awsRoleARN: arn:aws:iam::21231130807:role/aws-sts-kms
  awsCMKARN: arn:aws:kms:ap-northeast-1:21231130807:key/5af07e80-7449-4b25-8abc-d419f059176a
  awsRegion: ap-northeast-1
$ kubectl apply -f ceph-csi-credentials.yaml
secret/ceph-csi-aws-credentials created
```
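The three artefacts above (role trust policy, key access policy, credentials Secret) have to agree with each other, and the places where this setup usually goes wrong are a missing `aud` condition (any token from the OIDC provider could then assume the role), a key policy widened to `kms:*` or `Resource: "*"`, or a malformed ARN in the Secret. The following added example, which is not code from this page or from ceph-csi, checks those properties on policy documents and Secret `stringData` as Python dicts; the account ID, OIDC host and key ID in the sample inputs are constructed placeholders.

```python
import re

# Constructed sample values mirroring the shapes used on this page. The
# account ID, OIDC provider host and key ID are placeholders, not real ones.
OIDC_PROVIDER_ARN = "arn:aws:iam::111111111111:oidc-provider/oidc.example.test/abc123"
KMS_KEY_ARN = "arn:aws:kms:ap-northeast-1:111111111111:key/00000000-0000-0000-0000-000000000000"
ROLE_ARN = "arn:aws:iam::111111111111:role/aws-sts-kms"

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"oidc.example.test/abc123:aud": "ceph-csi-kms"}},
    }],
}

KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "key",
        "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:Decrypt"],
        "Resource": KMS_KEY_ARN,
    }],
}

# stringData of the ceph-csi-aws-credentials Secret.
CREDENTIALS_SECRET_DATA = {
    "awsRoleARN": ROLE_ARN,
    "awsCMKARN": KMS_KEY_ARN,
    "awsRegion": "ap-northeast-1",
}

# arn:aws:<service>:<region>:<12-digit account>:<resource>; region is empty for IAM.
ARN_RE = re.compile(r"^arn:aws:(?P<service>[^:]+):(?P<region>[^:]*):(?P<account>\d{12}):(?P<resource>.+)$")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_trust_policy(policy, oidc_provider_arn, audience="ceph-csi-kms"):
    """Problems with a trust policy intended for the ceph-csi-kms audience only."""
    problems = []
    host = oidc_provider_arn.split("oidc-provider/", 1)[-1]
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if federated != oidc_provider_arn:
            problems.append("Federated principal must be exactly the cluster's OIDC provider ARN")
        if _as_list(stmt.get("Action")) != ["sts:AssumeRoleWithWebIdentity"]:
            problems.append("only sts:AssumeRoleWithWebIdentity should be allowed")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get(f"{host}:aud")
        if aud != audience:
            problems.append(f"missing or wrong {host}:aud condition; expected {audience!r}")
    return problems


def check_key_policy(policy, key_arn, allowed=("kms:Encrypt", "kms:Decrypt")):
    """Problems with the policy that grants the role access to the KMS key."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        extra = set(_as_list(stmt.get("Action"))) - set(allowed)
        if extra:
            problems.append(f"actions beyond {sorted(allowed)}: {sorted(extra)}")
        if _as_list(stmt.get("Resource")) != [key_arn]:
            problems.append("Resource must be the single KMS key ARN, not '*' or several keys")
    return problems


def check_credentials_secret(string_data):
    """Problems with the awsRoleARN / awsCMKARN / awsRegion fields of the Secret."""
    problems = []
    role = ARN_RE.match(string_data.get("awsRoleARN", ""))
    if not role or role["service"] != "iam" or not role["resource"].startswith("role/"):
        problems.append("awsRoleARN is not an IAM role ARN")
    elif role["region"]:
        problems.append("awsRoleARN must have an empty region field (IAM ARNs are global)")
    key = ARN_RE.match(string_data.get("awsCMKARN", ""))
    if not key or key["service"] != "kms" or not key["resource"].startswith("key/"):
        problems.append("awsCMKARN is not a KMS key ARN")
    elif key["region"] != string_data.get("awsRegion"):
        problems.append("awsRegion does not match the region in awsCMKARN")
    if role and key and role["account"] != key["account"]:
        problems.append("role and key are in different accounts; the key policy must allow cross-account use")
    return problems


if __name__ == "__main__":
    print("trust policy:", check_trust_policy(TRUST_POLICY, OIDC_PROVIDER_ARN))
    print("key policy:", check_key_policy(KEY_POLICY, KMS_KEY_ARN))
    print("secret:", check_credentials_secret(CREDENTIALS_SECRET_DATA))
```

To use it against a live setup, feed `aws iam get-role --role-name aws-sts-kms` (the `AssumeRolePolicyDocument`), the policy version document from `aws iam get-policy-version`, and the decoded Secret `data`; an empty list from each check means the three pieces line up.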
- Create a PVC.