Open ShaneGCareCru opened 2 years ago
You might be able to use an IAM annotation on the teleport-cluster
chart's service account to achieve this:
```yaml
annotations:
  serviceAccount:
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/iam-role-name
```
In general the idea in the docs is that you create a policy with the documented JSON inside it, then attach this policy to the role on the nodegroup. My testing here was done with eksctl
and I was able to add an additional policy to the nodegroup's role - but it's possible that AWS sets it up differently now.
Here is the text in question on the current docs site: https://github.com/gravitational/teleport/blob/802803925951b7c541e9bf38e9feab39eaf4520a/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/aws.mdx#L48-L50
We may want to add some clarification here.
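Both routes described above, worked through end to end as an added example (not taken from the issue or from the Teleport project); the cluster, nodegroup, namespace, service-account and policy names are placeholders, and the policy JSON from the linked docs page is assumed to be saved locally as `./teleport-policy.json`:

```shell
#!/usr/bin/env bash
# Added example, not from the issue or the Teleport project: grant the Teleport IAM policy
# either to the managed nodegroup's node role (as the docs describe) or, with narrower
# scope, to an IRSA role bound to the chart's service account. Assumes the aws CLI and
# eksctl are installed and authenticated and that the policy JSON from the docs is saved
# as ./teleport-policy.json. All names below are placeholders.
set -eu
CLUSTER="${CLUSTER:-my-eks-cluster}"
NODEGROUP="${NODEGROUP:-ng-1}"
NAMESPACE="${NAMESPACE:-teleport}"
SA_NAME="${SA_NAME:-teleport-cluster}"   # the chart names its SA after the release by default
POLICY_NAME="${POLICY_NAME:-TeleportBackendAccess}"
POLICY_FILE="${POLICY_FILE:-./teleport-policy.json}"

# attach-role-policy wants a role name; describe-nodegroup returns the role ARN.
role_name_from_arn() { printf '%s\n' "${1##*/}"; }

# Helm values fragment the teleport-cluster chart needs to bind its SA to an IRSA role.
irsa_values_yaml() {
  printf 'annotations:\n  serviceAccount:\n    eks.amazonaws.com/role-arn: %s\n' "$1"
}

create_policy() {
  aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document "file://$POLICY_FILE" --query Policy.Arn --output text
}

# Option A: every pod scheduled on the nodegroup inherits the permissions.
grant_via_node_role() {
  local policy_arn node_role
  policy_arn=$(create_policy)
  node_role=$(aws eks describe-nodegroup --cluster-name "$CLUSTER" \
    --nodegroup-name "$NODEGROUP" --query nodegroup.nodeRole --output text)
  aws iam attach-role-policy --role-name "$(role_name_from_arn "$node_role")" \
    --policy-arn "$policy_arn"
}

# Option B: only the Teleport service account can assume the role (least privilege).
grant_via_irsa() {
  local policy_arn role_arn
  policy_arn=$(create_policy)
  eksctl utils associate-iam-oidc-provider --cluster "$CLUSTER" --approve
  eksctl create iamserviceaccount --cluster "$CLUSTER" --namespace "$NAMESPACE" \
    --name "$SA_NAME" --role-name "${SA_NAME}-irsa" \
    --attach-policy-arn "$policy_arn" --role-only --approve
  role_arn=$(aws iam get-role --role-name "${SA_NAME}-irsa" --query Role.Arn --output text)
  irsa_values_yaml "$role_arn" > irsa-values.yaml   # then: helm ... -f irsa-values.yaml
}

case "${1:-}" in node-role) grant_via_node_role ;; irsa) grant_via_irsa ;; esac
```

Run it as `./grant.sh node-role` or `./grant.sh irsa`; with the IRSA route, pass the generated `irsa-values.yaml` to `helm install`/`helm upgrade` so the chart's service account carries the annotation.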
In the document: https://goteleport.com/docs/kubernetes-access/helm/guides/aws/
The note mentions: "These IAM policies should be added to your AWS account, then granted to the instance role associated with the EKS nodegroups which are running your Kubernetes nodes."
However, the instance role associated with the EKS nodegroups is a read-only one, as noted in the AWS documentation here: https://docs.aws.amazon.com/eks/latest/userguide/using-service-linked-roles-eks-nodegroups.html
Further documentation is needed to explain how the association needs to take place.
Is a service account needed or used? Using annotations I was able to associate the Helm-created SA with a role with the policies described in the document, but the pod is stuck at:
```
2022-06-04T16:00:50Z INFO [DYNAMODB] Initializing backend. Table: "teleport-helm-backend", poll streams every 0s. dynamo/dynamodbbk.go:206
```
So that doesn't seem to be used.
Better documentation around exactly how to attach the policies to the appropriate resources is needed.