When booting an EKS cluster with Vault enabled, fields under Vault.aws in the jx-requirements-eks.yml file are required to enable its
Vault does not currently support Identity Access Management (IAM) Roles for Service Accounts, so you will be prompted to provide a preconfigured IAM User.
The jx-requirements-eks.yml file contains the following settings for EKS Vault:

  vault:
    aws:
      autoCreate: true
      iamUserName: <username>
For Vault support on EKS clusters, you must provide the name of an existing IAM user in the iamUserName setting; that user's Access Keys are used to authenticate the Vault pod against AWS.
The IAM user does not need any permissions attached to it. During the installation process, CloudBees Jenkins X Distribution creates a new IAM Policy and attaches it to this user. These will essentially be the permissions that the Vault pod will use.
A new set of Access Keys is created during Vault creation. There is a limit of 2 key pairs per IAM user, so ensure that there is at least one key slot free on the IAM user that you are providing. Otherwise, Vault configuration will fail. If you do not want CloudBees Jenkins X Distribution to create these keys, you can provide a key pair that you already created through the environment variables VAULT_AWS_ACCESS_KEY_ID and VAULT_AWS_SECRET_ACCESS_KEY.
In the install-vault step, the jx boot process runs a CloudFormation stack in order to create every resource needed by Vault to work. You can find the CloudFormation stack template here.
If you want to provide existing resources and settings instead of letting CloudBees Jenkins X Distribution create them, you need to set autoCreate to false and provide the names of the existing resources in the jx-requirements-eks.yml file:

  vault:
    aws:
      autoCreate: false
      iamUserName: acmeuser
      dynamoDBTable: ""
      dynamoDBRegion: ""
      kmsKeyId: ""
      kmsRegion: ""
      s3Bucket: ""
      s3Region: ""
      s3Prefix: ""
Note: A pair of Access Keys will be created even if you set autoCreate to false. To prevent this, you can set an existing pair through the VAULT_AWS_ACCESS_KEY_ID and VAULT_AWS_SECRET_ACCESS_KEY environment variables.
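Because the two-key-pair limit and the "keys are created even with autoCreate: false" behaviour both cause boot failures that are easy to avoid, the following pre-flight check is a useful addition before running jx boot. This is an added example, not part of the CloudBees Jenkins X Distribution documentation or tooling. It assumes the JSON shape returned by `aws iam list-access-keys --user-name <user>` (an AccessKeyMetadata array whose entries carry an AccessKeyId field) and uses constructed sample output so it runs offline; in real use you would pipe the live CLI output into count_access_keys instead.

```shell
#!/bin/sh
# Pre-flight checks for the Vault-on-EKS IAM user described on this page.
# Added example; not CloudBees Jenkins X Distribution code.

# count_access_keys: read `aws iam list-access-keys` JSON on stdin and
# return how many access key pairs the IAM user currently holds.
count_access_keys() {
  grep -o '"AccessKeyId"' | wc -l | tr -d ' '
}

# vault_key_slot_free: succeed (exit 0) only if the user has fewer than 2
# key pairs, i.e. at least one slot is free for the key jx boot will create.
# $1 is the list-access-keys JSON for the user.
vault_key_slot_free() {
  n=$(printf '%s' "$1" | count_access_keys)
  [ "$n" -lt 2 ]
}

# vault_key_mode: decide how Vault will obtain its keys from the two
# environment variables named on this page.
#   provided -> both VAULT_AWS_ACCESS_KEY_ID and VAULT_AWS_SECRET_ACCESS_KEY set,
#               no new key pair is created, so the slot check is not needed
#   create   -> neither set, jx boot creates a new key pair (needs a free slot)
#   partial  -> only one set, a misconfiguration worth failing on early
vault_key_mode() {
  if [ -n "$1" ] && [ -n "$2" ]; then
    echo provided
  elif [ -z "$1" ] && [ -z "$2" ]; then
    echo create
  else
    echo partial
  fi
}

# preflight: combine both checks. Returns 0 when boot can proceed.
# $1 = list-access-keys JSON, $2/$3 = the two env var values.
preflight() {
  mode=$(vault_key_mode "$2" "$3")
  case "$mode" in
    provided) return 0 ;;
    partial)  echo "set both VAULT_AWS_ACCESS_KEY_ID and VAULT_AWS_SECRET_ACCESS_KEY, or neither" >&2; return 1 ;;
    create)   vault_key_slot_free "$1" || { echo "IAM user already has 2 access key pairs; free one first" >&2; return 1; } ;;
  esac
}

# Constructed sample outputs (not real AWS data). Key ids are placeholders.
SAMPLE_FULL='{"AccessKeyMetadata":[{"UserName":"acmeuser","AccessKeyId":"AKIAEXAMPLE1","Status":"Active"},{"UserName":"acmeuser","AccessKeyId":"AKIAEXAMPLE2","Status":"Inactive"}]}'
SAMPLE_ONE='{"AccessKeyMetadata":[{"UserName":"acmeuser","AccessKeyId":"AKIAEXAMPLE1","Status":"Active"}]}'

# Stand-alone usage against the constructed samples and the current environment:
#   preflight "$(aws iam list-access-keys --user-name acmeuser)" \
#             "${VAULT_AWS_ACCESS_KEY_ID:-}" "${VAULT_AWS_SECRET_ACCESS_KEY:-}"
if preflight "$SAMPLE_ONE" "" ""; then
  echo "sample with one key: boot can create a second key pair"
fi
if ! preflight "$SAMPLE_FULL" "" "" 2>/dev/null; then
  echo "sample with two keys: boot would fail, free a slot or supply keys via env"
fi
```

Note that an Inactive key still occupies one of the two slots, which is why the count does not filter on Status.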