From 4a8a4f248f6e26483b99662618b11434f0a5bf1e Mon Sep 17 00:00:00 2001 From: Kausik Date: Mon, 22 May 2023 16:05:56 -0700 Subject: [PATCH] IAM role to your EKS service account using IRSA --- .../container-insights/eks-prometheus.mdx | 39 ++++++++++++------- 1 file changed, 26 insertions(+), 13 deletions(-) diff --git a/src/docs/getting-started/container-insights/eks-prometheus.mdx b/src/docs/getting-started/container-insights/eks-prometheus.mdx index 8a166d702..747c8a4eb 100644 --- a/src/docs/getting-started/container-insights/eks-prometheus.mdx +++ b/src/docs/getting-started/container-insights/eks-prometheus.mdx 
@@ -17,19 +17,32 @@ This section explains how to set up Prometheus monitoring with the ADOT Collecto To deploy these sample workloads, please follow the above links for guidance. -## Set Up IAM Policy -To use the ADOT Collector to collect Prometheus metrics, make sure the following policies are attached to your node instance role. - -```bash -AmazonEKSWorkerNodePolicy -AmazonEKS_CNI_Policy -AmazonEC2ContainerRegistryReadOnly -CloudWatchAgentServerPolicy -AmazonSSMManagedInstanceCore -AWSXrayWriteOnlyAccess -AWSXRayDaemonWriteAccess -AmazonS3ReadOnlyAccess -AmazonPrometheusFullAccess +### Use your IAM role to launch the ADOT Collector +You can associate your IAM role to your EKS service account using [IRSA](https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-enable-IAM.html). Your service account can then provide AWS permissions to the containers you run in any pod that use that service account. You must use this command for each cluster where you're installing ADOT to grant your AWS service account permissions. +Follow these steps to associate your IAM role to your EKS service account using IRSA: + +1. Create an IAM OIDC provider for your cluster by following the steps in the link below: + * [Create an IAM OIDC provider for your cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) +2. Create your service account and IAM role. In this command, you must have values for the following flags: + * For the `--name` flag, add the name of the service account you want to create; for this example we will name it `adot-collector`. + * For the `--namespace` flag, use the namespace your service account will reside in; for our example we will use the default namespace. + * For the `--cluster` flag, use the name of your cluster. + * The three `--attach-policy-arn` values are the policies to be attached. These three policies are the policies needed for each service we want to export to. 
If you only plan on using 1 or 2 of the services, you only need to attach the policies for that service: + * `arn:aws:iam::aws:policy/AmazonPrometheusRemoteWriteAccess` grants write access to the Prometheus service. + * `arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess` grants write access to the AWS X-Ray service. + * `arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy` grants access to write the CloudWatch service. + * The `--override-existing-serviceaccounts` flag is for if you have a service account already created in the cluster without an IAM Role. You can exclude this if that is not the case. + +```console +eksctl create iamserviceaccount \ + --name adot-collector \ + --namespace default \ + --cluster \ + --attach-policy-arn arn:aws:iam::aws:policy/AmazonPrometheusRemoteWriteAccess \ + --attach-policy-arn arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess \ + --attach-policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy \ + --approve \ + --override-existing-serviceaccounts ``` ## Deploy the ADOT Collector with default configuration
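Review bot: The `eksctl create iamserviceaccount` command in the new `console` block leaves `--cluster \` with no value, so a reader copying it gets an argument-parsing error; the prose above says "use the name of your cluster", so give the line a visible placeholder, e.g. `--cluster <your-cluster-name> \`, as the other flags have concrete values. Two smaller points in the same hunk: the heading was demoted from `## Set Up IAM Policy` to `### Use your IAM role to launch the ADOT Collector`, which no longer matches the sibling `## Deploy the ADOT Collector with default configuration` heading that follows, and the IRSA link points at the EMR on EKS guide while step 1 already links the EKS user guide page for the same feature, so one link target would do. Since the removed text told readers to attach `AmazonPrometheusFullAccess` and the other policies to the node instance role, the new section should also tell readers who followed the old instructions to detach those node-role policies; otherwise every pod on the node keeps that broader access and the narrower `AmazonPrometheusRemoteWriteAccess` grant on the service account buys nothing. Wording: "any pod that use that service account" should be "any pod that uses that service account", and "grants access to write the CloudWatch service" should be "grants write access to the CloudWatch service".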