Allow AWS Marketplace to access the cluster
For Deeploy AWS Marketplace customers, it is important to allow the AWS Marketplace to register the usage of the purchased container images. However, this integration is not well explained in the AWS documentation. To help with this, this article explains the integration process in detail. Please note that the article assumes you have already created an EKS cluster and have access to it.
During the creation of the EKS cluster you attached a NodeInstanceRole (IAM role) to the cluster. You can reuse that IAM role in this section or create a dedicated new role.
1. Attach policies
Attach the policies required by the AWS Marketplace to the role.
AWS Managed Policies:
- AWSMarketplaceMeteringRegisterUsage
2. IAM OIDC provider
Create an IAM OIDC provider for the EKS cluster. For this step, use the Enable IAM roles for service accounts docs.
Check that the OpenID Connect provider URL matches your cluster's issuer URL (shown in the cluster's EKS configuration):
aws iam list-open-id-connect-providers | grep <EXAMPLED539D4633E53DE1B716D3041E>
3. Create trusted entity
Create a Trusted Entity for the NodeInstance Role. For this step, use the Technical overview of IAM roles for service accounts docs.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/<OIDC_PROVIDER>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "<OIDC_PROVIDER>:sub": "system:serviceaccount:deeploy:*"
        }
      }
    }
  ]
}
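As an added example (not part of this article or of the AWS documentation), the Python below builds the trust policy above from an account id, OIDC provider and namespace, and then checks a policy document for the two properties that matter: the federated principal is the cluster's own OIDC provider, and the `sub` condition is limited to service accounts in the deeploy namespace. A missing or wildcard `sub` condition would let any service account in the cluster assume the metering role. The account id, the issuer host and the namespace are constructed values, not real ones.

```python
import json

# Constructed sample inputs (assumed values, not a real account or cluster)
ACCOUNT_ID = "111122223333"
OIDC_PROVIDER = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"
NAMESPACE = "deeploy"


def build_trust_policy(account_id, oidc_provider, namespace):
    """Return the article's trust policy as a dict with the placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole",
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringLike": {
                        f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:*"
                    }
                },
            },
        ],
    }


def check_trust_policy(policy, oidc_provider, namespace):
    """Return a list of problems with the web-identity statement(s); an empty list means OK."""
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]

    web_identity = []
    for s in statements:
        actions = s.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if s.get("Effect") == "Allow" and "sts:AssumeRoleWithWebIdentity" in actions:
            web_identity.append(s)
    if not web_identity:
        return ["no Allow statement for sts:AssumeRoleWithWebIdentity"]

    expected_suffix = f":oidc-provider/{oidc_provider}"
    expected_prefix = f"system:serviceaccount:{namespace}:"
    for s in web_identity:
        federated = s.get("Principal", {}).get("Federated", "")
        if not federated.endswith(expected_suffix):
            problems.append(f"Federated principal {federated!r} is not the cluster's OIDC provider")

        # Collect every value bound to <OIDC_PROVIDER>:sub under StringEquals or StringLike
        cond = s.get("Condition", {})
        sub_values = []
        for operator in ("StringEquals", "StringLike"):
            value = cond.get(operator, {}).get(f"{oidc_provider}:sub")
            if value is not None:
                sub_values.extend(value if isinstance(value, list) else [value])
        if not sub_values:
            problems.append("no Condition on <OIDC_PROVIDER>:sub; any service account in the cluster could assume the role")
            continue
        for value in sub_values:
            if not value.startswith(expected_prefix):
                problems.append(f"sub condition {value!r} is not limited to namespace {namespace!r}")
    return problems


if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_ID, OIDC_PROVIDER, NAMESPACE)
    print(json.dumps(policy, indent=2))
    print("problems:", check_trust_policy(policy, OIDC_PROVIDER, NAMESPACE))
```

The check accepts both `StringEquals` and `StringLike`, since a policy that pins `sub` to one exact service account name is stricter than the article's wildcard and should also pass. The article's policy does not include an `aud` condition, so this check does not require one; if you do add `"<OIDC_PROVIDER>:aud": "sts.amazonaws.com"` as the AWS IRSA documentation suggests, the check still passes.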
4. NodeInstance role
Allow pods to assume the NodeInstance Role. Add the following annotation to the default and kserve-deploy Kubernetes Service Accounts in the Deeploy namespace:
<arn:aws:iam::111122223333:role/my-aws-deeploy-metering-role>
As described in the AWS docs.
Afterwards, verify that the environment variables are present in the AWS-managed pods.
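To make that last check concrete, here is an added example (not code from the article or from Deeploy) that reads the JSON `kubectl get ... -o json` prints for a service account and a pod, and reports whether the role annotation is set and which containers lack the variables the EKS pod identity webhook injects. It assumes the standard IRSA annotation key `eks.amazonaws.com/role-arn` and the standard variable names `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE`; the service account and pod documents embedded below are constructed samples, not output from a real cluster.

```python
import json

# Standard IRSA names from the AWS documentation (assumed, not taken from this article)
ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"
IRSA_ENV = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")

# Constructed sample: `kubectl get serviceaccount default -n deeploy -o json`, trimmed
SERVICE_ACCOUNT_JSON = """
{
  "apiVersion": "v1",
  "kind": "ServiceAccount",
  "metadata": {
    "name": "default",
    "namespace": "deeploy",
    "annotations": {
      "eks.amazonaws.com/role-arn": "arn:aws:iam::111122223333:role/my-aws-deeploy-metering-role"
    }
  }
}
"""

# Constructed sample pod: container "app" received the injected variables, "sidecar" did not
POD_JSON = """
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "deployment-0", "namespace": "deeploy"},
  "spec": {
    "serviceAccountName": "default",
    "containers": [
      {"name": "app", "env": [
        {"name": "AWS_ROLE_ARN", "value": "arn:aws:iam::111122223333:role/my-aws-deeploy-metering-role"},
        {"name": "AWS_WEB_IDENTITY_TOKEN_FILE", "value": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}
      ]},
      {"name": "sidecar", "env": [{"name": "LOG_LEVEL", "value": "info"}]}
    ]
  }
}
"""


def load_samples():
    """Parse the constructed samples; replace with real kubectl output in practice."""
    return json.loads(SERVICE_ACCOUNT_JSON), json.loads(POD_JSON)


def service_account_role_arn(sa):
    """Return the role ARN annotated on the service account, or None if it is missing."""
    return sa.get("metadata", {}).get("annotations", {}).get(ROLE_ARN_ANNOTATION)


def missing_irsa_env(pod):
    """Map container name -> IRSA variables it lacks; containers with nothing missing are omitted."""
    missing = {}
    for container in pod.get("spec", {}).get("containers", []):
        present = {e.get("name") for e in container.get("env", [])}
        lacking = [name for name in IRSA_ENV if name not in present]
        if lacking:
            missing[container["name"]] = lacking
    return missing


def role_arn_mismatches(pod, sa):
    """Containers whose AWS_ROLE_ARN differs from the service account annotation."""
    expected = service_account_role_arn(sa)
    mismatched = []
    for container in pod.get("spec", {}).get("containers", []):
        env = {e.get("name"): e.get("value") for e in container.get("env", [])}
        if env.get("AWS_ROLE_ARN") != expected:
            mismatched.append(container["name"])
    return mismatched


if __name__ == "__main__":
    sa, pod = load_samples()
    print("annotated role:", service_account_role_arn(sa))
    print("containers missing IRSA env:", missing_irsa_env(pod))
    print("containers with a different role:", role_arn_mismatches(pod, sa))
```

A container that lacks the variables, or carries a different role ARN than the service account annotation, is a sign that the pod was created before the annotation was added (the webhook only injects at pod creation, so such pods need to be restarted) or that it runs under a different service account.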