coreos / etcd-operator

etcd operator creates/configures/manages etcd clusters atop Kubernetes
https://coreos.com/blog/introducing-the-etcd-operator.html
Apache License 2.0
1.75k stars, 741 forks

docs: etcd backup/restore IAM roles #1682

Open philips opened 6 years ago

philips commented 6 years ago

Users will want to scope credentials down for backup/restore to only the rights that are required. We need to document that scope for users and add it to the backup and restore docs.

Example docs

Deshke commented 6 years ago

from https://github.com/coreos/etcd-operator/issues/1729

kubernetes already defines ec2 iam roles, adding a new rule to the set is easy and does not require any other configuration. the etcd-backup-operator should use these

```yaml
apiVersion: "etcd.database.coreos.com/v1beta2"
kind: "EtcdBackup"
metadata:
  name: example-etcd-cluster-backup
spec:
  clusterName: etcd-cluster
  storageType: S3
  s3:
    s3Bucket: arn:aws:s3:::my.bucket
```

hongchaodeng commented 6 years ago

@Deshke Even if IAM role is used, it still needs to provide configuration data like "region". Right?

Deshke commented 6 years ago

@hongchaodeng not if the s3Bucket is an ARN

hongchaodeng commented 6 years ago

I'm new to the aws-sdk-go, and thus a little confused about implementation details.

Currently, we need to set those config fields when creating an S3 client. Even if using an IAM role, some configs are still missing. How can I create an S3 client using just the S3 ARN?

Deshke commented 6 years ago

hongchaodeng commented 6 years ago

Discussed with Brandon. This issue is more about providing docs on how to set up IAM roles and permissions.

sermilrod commented 5 years ago

Is there any place where I can find those docs? Relying on the EC2 instance profile is something I cannot do, as the worker nodes have more permissions than etcd backup/restore needs. In addition, I am using Kube2IAM to secure what roles a container can assume, and ideally I want to have a role for this that I can proxy.
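
The credential scoping philips asks to document and sermilrod needs for a Kube2IAM role, as an added Go example that is not part of etcd-operator or of this thread: it parses the bucket-ARN form used in the EtcdBackup spec above (S3 bucket ARNs have empty region and account fields, so only the resource part is read) and emits one least-privilege IAM policy document for the backup role and one for the restore role, each limited to a single bucket and key prefix. The action set is an assumption rather than something the operator documents here: `s3:PutObject` for backup, `s3:GetObject` for restore, and `s3:ListBucket` restricted by `s3:prefix` for both; check it against the operator's actual S3 calls before publishing the role. The key prefix `etcd-cluster` and every type and function name are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// S3Target is the bucket and optional key prefix an EtcdBackup or EtcdRestore
// would write to or read from (example type, not the operator's).
type S3Target struct {
	Bucket string
	Prefix string // "" means the whole bucket
}

// ParseS3ARN accepts "arn:aws:s3:::bucket" or "arn:aws:s3:::bucket/prefix".
// Bucket ARNs have empty region and account fields, so only the resource
// part after the fifth colon is used.
func ParseS3ARN(arn string) (S3Target, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "s3" {
		return S3Target{}, fmt.Errorf("not an S3 ARN: %q", arn)
	}
	if parts[5] == "" {
		return S3Target{}, fmt.Errorf("S3 ARN has no bucket name: %q", arn)
	}
	res := strings.SplitN(parts[5], "/", 2)
	t := S3Target{Bucket: res[0]}
	if len(res) == 2 {
		t.Prefix = strings.Trim(res[1], "/")
	}
	return t, nil
}

// Statement and Policy mirror the IAM policy JSON layout.
type Statement struct {
	Sid       string                       `json:"Sid"`
	Effect    string                       `json:"Effect"`
	Action    []string                     `json:"Action"`
	Resource  []string                     `json:"Resource"`
	Condition map[string]map[string]string `json:"Condition,omitempty"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// Mode selects which side of the operator the role serves.
type Mode int

const (
	Backup  Mode = iota // writes snapshots; never needs to read or delete them
	Restore             // reads snapshots; never needs to write them
)

// LeastPrivilegePolicy builds a policy limited to one bucket and prefix.
// Assumed action set: PutObject (backup) or GetObject (restore) on objects
// under the prefix, plus ListBucket scoped by s3:prefix to that prefix.
func LeastPrivilegePolicy(t S3Target, mode Mode) Policy {
	bucketARN := "arn:aws:s3:::" + t.Bucket
	prefix := t.Prefix
	if prefix != "" {
		prefix += "/" // keys live under "<prefix>/", so match "<prefix>/*"
	}
	objects := Statement{Sid: "BackupWritesSnapshots", Effect: "Allow",
		Action: []string{"s3:PutObject"}, Resource: []string{bucketARN + "/" + prefix + "*"}}
	if mode == Restore {
		objects.Sid, objects.Action = "RestoreReadsSnapshots", []string{"s3:GetObject"}
	}
	list := Statement{Sid: "ListSnapshotPrefixOnly", Effect: "Allow",
		Action: []string{"s3:ListBucket"}, Resource: []string{bucketARN}}
	if prefix != "" {
		// Without this condition ListBucket would expose every key in the bucket.
		list.Condition = map[string]map[string]string{"StringLike": {"s3:prefix": prefix + "*"}}
	}
	return Policy{Version: "2012-10-17", Statement: []Statement{objects, list}}
}

// PolicyJSON renders the document as it would be pasted into IAM.
func PolicyJSON(p Policy) (string, error) {
	b, err := json.MarshalIndent(p, "", "  ")
	return string(b), err
}

func main() {
	// Bucket ARN from the EtcdBackup spec in this thread; the prefix is constructed.
	target, err := ParseS3ARN("arn:aws:s3:::my.bucket/etcd-cluster")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, m := range []Mode{Backup, Restore} {
		doc, _ := PolicyJSON(LeastPrivilegePolicy(target, m))
		fmt.Println(doc)
	}
}
```

Attach the backup document to the role the backup pod assumes and the restore document to a separate role for the restore pod; neither role needs `s3:DeleteObject`, and a bucket without a prefix gets an unconditioned `ListBucket`, which is the reason to give each cluster its own prefix.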

raoofm commented 5 years ago

+1 for using kiam/kube2iam