From 9038743fb8ae0fe1076d8bfec7df5251850fde9f Mon Sep 17 00:00:00 2001 From: windmgc Date: Fri, 21 Jul 2023 16:12:02 +0800 Subject: [PATCH 1/2] chore(*): add more explanation when using EKS IRSA to access RDS database --- .../gateway/kong-enterprise/aws-iam-auth-to-rds-database.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/_src/gateway/kong-enterprise/aws-iam-auth-to-rds-database.md b/app/_src/gateway/kong-enterprise/aws-iam-auth-to-rds-database.md index 47aa91174350..c12144b3fa5c 100644 --- a/app/_src/gateway/kong-enterprise/aws-iam-auth-to-rds-database.md +++ b/app/_src/gateway/kong-enterprise/aws-iam-auth-to-rds-database.md 
@@ -27,7 +27,7 @@ Before you enable the AWS IAM authentication, you must configure your AWS RDS da - **Assign an IAM role to your Kong Gateway instance.** {{site.base_gateway}} can automatically discover and fetch the AWS credentials to use for the IAM role. - If you use an EC2 environment, use the [EC2 IAM role](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html). - If you use an ECS cluster, use a [ECS task IAM role](https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-iam-roles.html). - - If you use an EKS cluster, configure a Kubernetes service account that can annotate your assigned role and configure the pods to use an [IAM role defined by serviceaccount](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html). + - If you use an EKS cluster, configure a Kubernetes service account that can annotate your assigned role and configure the pods to use an [IAM role defined by serviceaccount](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html). Using an IAM role defined by serviceaccount requires a request to the AWS STS service, so you also need to make sure that your Kong inside the Pod can access AWS STS service endpoint without problem. (If you're using STS regional endpoints, please make sure you have `AWS_STS_REGIONAL_ENDPOINTS` defined in your environment variables.) - If you run {{site.base_gateway}} locally, use the environment variables, like access key and secret key combination by using `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, or profile and credential file combination by using `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE` {:.warning} 
@@ -85,4 +85,4 @@ pg_ro_iam_auth=on ``` {:.note} -> **Note:** If you enable AWS IAM authentication in the configuration file, you must specify the configuration file with the feature property on when you run the migrations command. For example, `kong migrations bootstrap -c /path/to/kong.conf`. \ No newline at end of file +> **Note:** If you enable AWS IAM authentication in the configuration file, you must specify the configuration file with the feature property on when you run the migrations command. For example, `kong migrations bootstrap -c /path/to/kong.conf`. From 53144b1e1b48641e723c27119184bf6c27df4ed4 Mon Sep 17 00:00:00 2001 From: "Qirui(Keery) Nie" Date: Sat, 22 Jul 2023 23:57:48 +0800 Subject: [PATCH 2/2] Update app/_src/gateway/kong-enterprise/aws-iam-auth-to-rds-database.md Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- .../gateway/kong-enterprise/aws-iam-auth-to-rds-database.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/app/_src/gateway/kong-enterprise/aws-iam-auth-to-rds-database.md b/app/_src/gateway/kong-enterprise/aws-iam-auth-to-rds-database.md index c12144b3fa5c..65f0b0835b33 100644 --- a/app/_src/gateway/kong-enterprise/aws-iam-auth-to-rds-database.md +++ b/app/_src/gateway/kong-enterprise/aws-iam-auth-to-rds-database.md 
@@ -27,7 +27,11 @@ Before you enable the AWS IAM authentication, you must configure your AWS RDS da - **Assign an IAM role to your Kong Gateway instance.** {{site.base_gateway}} can automatically discover and fetch the AWS credentials to use for the IAM role. - If you use an EC2 environment, use the [EC2 IAM role](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html). - If you use an ECS cluster, use a [ECS task IAM role](https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-iam-roles.html). - - If you use an EKS cluster, configure a Kubernetes service account that can annotate your assigned role and configure the pods to use an [IAM role defined by serviceaccount](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html). Using an IAM role defined by serviceaccount requires a request to the AWS STS service, so you also need to make sure that your Kong inside the Pod can access AWS STS service endpoint without problem. (If you're using STS regional endpoints, please make sure you have `AWS_STS_REGIONAL_ENDPOINTS` defined in your environment variables.) + - If you use an EKS cluster, configure a Kubernetes service account that can annotate your assigned role and configure the pods to use an [IAM role defined by serviceaccount](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html). + + Using an IAM role defined by serviceaccount requires a request to the AWS STS service, so you also need to make sure that your Kong instance inside the Pod can access the AWS STS service endpoint. + + If you're using STS regional endpoints, make sure you have `AWS_STS_REGIONAL_ENDPOINTS` defined in your environment variables. 
- If you run {{site.base_gateway}} locally, use the environment variables, like access key and secret key combination by using `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, or profile and credential file combination by using `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE` {:.warning}
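Review bot: In the first patch's hunk at line 27 (the EKS bullet), the appended sentence tells the reader to define `AWS_STS_REGIONAL_ENDPOINTS` but not which value to set, so the instruction cannot be followed as written; state the expected value, and say what to verify when the pod cannot reach STS (egress network policy, VPC endpoint), since the IRSA flow in this bullet depends on that call succeeding. The addition also leaves one long run-on bullet with informal phrasing (`your Kong inside the Pod`, `without problem`) and keeps `serviceaccount` as a single word; suggest splitting it into short sentences, e.g. `Using an IAM role defined by a service account requires a request to AWS STS, so the Kong instance inside the Pod must be able to reach the STS endpoint.`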
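Review bot: The hunk at line 85 only restores the missing newline at end of file; the note text itself is unchanged. That is fine, but it is unrelated to the subject `add more explanation when using EKS IRSA`, so either mention it in the commit message or drop it from this change so the diff stays focused.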
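Review bot: In the second patch's hunk at line 27, the two new continuation paragraphs are separated from the `- If you use an EKS cluster` item by blank lines; please check the rendered page to confirm they are indented to the nested item's content column, otherwise Markdown promotes them to top-level paragraphs and they appear outside the list before the `- If you run {{site.base_gateway}} locally` item. The rewording is an improvement, but it still does not say which value `AWS_STS_REGIONAL_ENDPOINTS` should hold, and `serviceaccount` remains one word in prose. Since this commit is an applied review suggestion (`Update app/_src/...`), squash it into the first patch before merge.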