* add brief instructions to AWS IAM Terraform script * Update README.md
# IAM instance profiles for AWS

This Terraform script creates the IAM instance profiles that need to be attached to Constellation nodes.

You can create the profiles with the following commands:

```bash
mkdir constellation_aws_iam
cd constellation_aws_iam
curl --remote-name-all https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/terraform/aws/iam/{main,output,variables}.tf
terraform init
terraform apply -auto-approve -var name_prefix=my_constellation
```

You can either take the profile names from the Terraform output values `control_plane_instance_profile` and `worker_nodes_instance_profile` and add them to your Constellation configuration file manually, or do it with `yq`:

```bash
yq -i "
.provider.aws.iamProfileControlPlane = $(terraform output control_plane_instance_profile) |
.provider.aws.iamProfileWorkerNodes = $(terraform output worker_nodes_instance_profile)
" path/to/constellation-conf.yaml
```
## Determining the minimal permissions with iamlive

iamlive dynamically determines the minimal permissions needed for a set of AWS API calls.
It uses a local proxy to intercept the API calls and incrementally generates the matching AWS policy.

In one session, start iamlive:

```bash
# Set PROXY_ADDR to the host:port iamlive should listen on, e.g. 127.0.0.1:10080
iamlive -mode proxy -bind-addr "${PROXY_ADDR}" -force-wildcard-resource -output-file iamlive.policy.json
```

In another session, run Terraform through that proxy:

```bash
terraform init
HTTP_PROXY="http://${PROXY_ADDR}" HTTPS_PROXY="http://${PROXY_ADDR}" AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform apply -auto-approve -var name_prefix="${PREFIX}"
HTTP_PROXY="http://${PROXY_ADDR}" HTTPS_PROXY="http://${PROXY_ADDR}" AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform destroy -auto-approve -var name_prefix="${PREFIX}"
```

iamlive prints the generated policy as the calls are observed, and after you stop the iamlive process with Ctrl-C it also writes the policy to the specified output file.
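Because `-force-wildcard-resource` leaves every generated statement on `Resource: "*"`, the policy iamlive writes should be reviewed before it is granted to anyone. The following helper is an added example, not part of the Constellation repository: it merges and sorts the statements into a stable form that can be diffed between runs, and flags wildcard resources, wildcard actions and IAM write actions. The sample policy is constructed to mimic iamlive's output shape.

```python
import json
from collections import defaultdict

# Constructed sample in the shape iamlive writes with -force-wildcard-resource
# (not real output from the Terraform run described above).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:GetRole", "iam:CreateRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:CreateInstanceProfile", "iam:AddRoleToInstanceProfile"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:DeleteRole", "Resource": "*"},
    ],
})

def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def canonicalize(policy_json):
    """Merge unconditional Allow statements per Resource set, dedupe and sort actions,
    so two iamlive runs can be diffed statement by statement."""
    policy = json.loads(policy_json)
    merged = defaultdict(set)  # sorted resource tuple -> set of actions
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # Deny and conditional statements are left out of the merge
        merged[tuple(sorted(_as_list(stmt.get("Resource"))))].update(_as_list(stmt.get("Action")))
    statements = [{"Effect": "Allow", "Action": sorted(actions), "Resource": list(resources)}
                  for resources, actions in sorted(merged.items())]
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": statements}

def review(policy_json):
    """Return the points a reviewer should check before granting the generated policy."""
    findings = []
    for stmt in canonicalize(policy_json)["Statement"]:
        if "*" in stmt["Resource"]:
            findings.append("wildcard resource for: " + ", ".join(stmt["Action"]))
        for action in stmt["Action"]:
            service, _, name = action.partition(":")
            if "*" in action:
                findings.append("wildcard action: " + action)
            elif service == "iam" and not name.startswith(("Get", "List")):
                findings.append("IAM write action: " + action)  # creates or changes roles/profiles
    return findings

if __name__ == "__main__":
    print(json.dumps(canonicalize(SAMPLE_POLICY), indent=2))
    print("\n".join(review(SAMPLE_POLICY)))
```

Run it against `iamlive.policy.json` with `review(open("iamlive.policy.json").read())` and narrow the flagged `Resource: "*"` entries to the ARNs your `name_prefix` actually produces before attaching the policy.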