Auth
Client
The Cortex CLI and Python client use the default credential provider chain to get credentials for cluster and api management. Credentials will be read in the following order of precedence:
- environment variables
- the name of the profile specified by
AWS_PROFILEenvironment variable defaultprofile from~/.aws/credentials
Cluster management
It is recommended that your AWS credentials have AdministratorAccess when running
cortex cluster * commands. If you are unable to use AdministratorAccess, see the minimum IAM policy below for the minimum permissions required to run cortex cluster * commands.After spinning up a cluster using
cortex cluster up, the IAM user or role that created the cluster is automatically granted system:masters permission to the cluster's RBAC. Make sure to keep track of which IAM entity originally created the cluster.Running cortex cluster commands from different IAM users
cortex cluster commands from different IAM usersBy default, the
cortex cluster * commands can only be executed by the IAM user who created the cluster. To grant access to additional IAM users, follow these steps:- 1.
- 2.Determine the ARN of the IAM user that you would like to grant access to. You can get the ARN via the IAM dashboard, or by running
aws iam get-useron a machine that is authenticated as the IAM user (orAWS_ACCESS_KEY_ID=*** AWS_SECRET_ACCESS_KEY=*** aws iam get-useron any machine, using the credentials of the IAM user). The ARN should look similar toarn:aws:iam::764403040417:user/my-username. - 3.Set the following environment variables:1CREATOR_AWS_ACCESS_KEY_ID=*** # access key ID for the IAM user that created the cluster2CREATOR_AWS_SECRET_ACCESS_KEY=*** # secret access key for the IAM user that created the cluster3NEW_USER_ARN=*** # ARN of the IAM user to grant access to4CLUSTER_NAME=*** # the name of your cortex cluster (will be "cortex" unless you specified a different name in your cluster configuration file)5CLUSTER_REGION=*** # the region of your cortex clusterCopied!
- 4.Run the following command:1AWS_ACCESS_KEY_ID=$CREATOR_AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY=$CREATOR_AWS_SECRET_ACCESS_KEY eksctl create iamidentitymapping --region $CLUSTER_REGION --cluster $CLUSTER_NAME --arn $NEW_USER_ARN --group system:masters --username $NEW_USER_ARNCopied!
- 5.To revoke access in the future, run:1AWS_ACCESS_KEY_ID=$CREATOR_AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY=$CREATOR_AWS_SECRET_ACCESS_KEY eksctl delete iamidentitymapping --region $CLUSTER_REGION --cluster $CLUSTER_NAME --arn $NEW_USER_ARN --allCopied!
API management
The Cortex CLI and Python client rely on AWS IAM to authenticate requests to a cluster on AWS (e.g.
cortex deploy, cortex get). AWS credentials required to authenticate Cortex client requests to the operator don't require any specific permissions; they must only be valid credentials within the same AWS account as the Cortex cluster. However, managing the cluster (i.e. running cortex cluster * commands) does require permissions.Authorizing your APIs
When spinning up a cortex cluster, you can provide additional policies to authorize your APIs to access AWS resources by creating a policy and adding it to the
iam_policy_arns list in your cluster configuration file.If you already have a cluster running and would like to add additional permissions, you can update the policy that is created automatically during
cortex cluster up. In the IAM console, search for cortex-<cluster_name>-<region> to find the policy that has been attached to your cluster. Adding more permissions to this policy will automatically give more access to all of your Cortex APIs.NOTE: The policy created during
cortex cluster up will automatically be deleted during cortex cluster down. It is recommended to create your own policies that can be specified in iam_policy_arns field in cluster configuration. The precreated policy should only be updated for development and testing purposes.Minimum IAM Policy
The policy shown below contains the minimum permissions required to manage a Cortex cluster (i.e. via
cortex cluster * commands).Replace the following placeholders with their respective values in the policy template below:
$CORTEX_CLUSTER_NAME, $CORTEX_ACCOUNT_ID, $CORTEX_REGION.1
{
2
"Version": "2012-10-17",
3
"Statement": [
4
{
5
"Effect": "Allow",
6
"Action": "iam:CreateServiceLinkedRole",
7
"Resource": "*",
8
"Condition": {
9
"StringEquals": {
10
"iam:AWSServiceName": [
11
"autoscaling.amazonaws.com",
12
"ec2scheduled.amazonaws.com",
13
"elasticloadbalancing.amazonaws.com",
14
"spot.amazonaws.com",
15
"spotfleet.amazonaws.com",
16
"transitgateway.amazonaws.com"
17
]
18
}
19
}
20
},
21
{
22
"Effect": "Allow",
23
"Action": "iam:CreateServiceLinkedRole",
24
"Resource": "*",
25
"Condition": {
26
"StringEquals": {
27
"iam:AWSServiceName": [
28
"eks.amazonaws.com",
29
"eks-nodegroup.amazonaws.com",
30
"eks-fargate.amazonaws.com"
31
]
32
}
33
}
34
},
35
{
36
"Effect": "Allow",
37
"Action": [
38
"logs:ListTagsLogGroup",
39
"iam:GetRole",
40
"logs:TagLogGroup",
41
"ssm:GetParameters",
42
"ssm:GetParameter",
43
"logs:CreateLogGroup"
44
],
45
"Resource": [
46
"arn:*:ssm:*:$CORTEX_ACCOUNT_ID:parameter/aws/*",
47
"arn:*:ssm:*::parameter/aws/*",
48
"arn:*:logs:$CORTEX_REGION:$CORTEX_ACCOUNT_ID:log-group:$CORTEX_CLUSTER_NAME",
49
"arn:*:iam::$CORTEX_ACCOUNT_ID:role/*"
50
]
51
},
52
{
53
"Effect": "Allow",
54
"Action": [
55
"iam:CreateInstanceProfile",
56
"logs:ListTagsLogGroup",
57
"logs:DescribeLogStreams",
58
"iam:TagRole",
59
"iam:RemoveRoleFromInstanceProfile",
60
"iam:CreateRole",
61
"iam:AttachRolePolicy",
62
"iam:PutRolePolicy",
63
"iam:AddRoleToInstanceProfile",
64
"iam:ListInstanceProfilesForRole",
65
"iam:PassRole",
66
"logs:CreateLogStream",
67
"iam:DetachRolePolicy",
68
"logs:TagLogGroup",
69
"iam:ListAttachedRolePolicies",
70
"iam:DeleteRolePolicy",
71
"iam:DeleteOpenIDConnectProvider",
72
"iam:DeleteInstanceProfile",
73
"iam:GetRole",
74
"iam:GetInstanceProfile",
75
"iam:DeleteRole",
76
"iam:ListInstanceProfiles",
77
"logs:CreateLogGroup",
78
"logs:PutLogEvents",
79
"logs:DeleteLogGroup",
80
"iam:CreateOpenIDConnectProvider",
81
"iam:GetOpenIDConnectProvider",
82
"iam:GetRolePolicy"
83
],
84
"Resource": [
85
"arn:*:iam::$CORTEX_ACCOUNT_ID:instance-profile/eksctl-*",
86
"arn:*:iam::$CORTEX_ACCOUNT_ID:role/eksctl-*",
87
"arn:*:iam::$CORTEX_ACCOUNT_ID:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup",
88
"arn:*:iam::$CORTEX_ACCOUNT_ID:role/eksctl-managed-*",
89
"arn:*:iam::$CORTEX_ACCOUNT_ID:oidc-provider/*",
90
"arn:*:logs:$CORTEX_REGION:$CORTEX_ACCOUNT_ID:log-group:$CORTEX_CLUSTER_NAME:*"
91
]
92
},
93
{
94
"Effect": "Allow",
95
"Action": [
96
"iam:CreatePolicy",
97
"iam:GetPolicyVersion",
98
"iam:ListPolicyVersions",
99
"iam:DeletePolicy",
100
"iam:CreatePolicyVersion",
101
"iam:DeletePolicyVersion"
102
],
103
"Resource": "arn:*:iam::$CORTEX_ACCOUNT_ID:policy/cortex-*"
104
},
105
{
106
"Effect": "Allow",
107
"Action": [
108
"sqs:ListQueues",
109
"iam:GetPolicy",
110
"ecr:GetAuthorizationToken",
111
"cloudformation:*",
112
"elasticloadbalancing:*",
113
"autoscaling:*",
114
"cloudwatch:*",
115
"ecr:BatchGetImage",
116
"kms:DescribeKey",
117
"ec2:*",
118
"sts:GetCallerIdentity",
119
"eks:*",
120
"kms:CreateGrant",
121
"acm:DescribeCertificate",
122
"servicequotas:ListServiceQuotas"
123
],
124
"Resource": "*"
125
},
126
{
127
"Effect": "Allow",
128
"Action": "sqs:*",
129
"Resource": "arn:*:sqs:$CORTEX_REGION:$CORTEX_ACCOUNT_ID:cx-*"
130
},
131
{
132
"Effect": "Allow",
133
"Action": "s3:*",
134
"Resource": "arn:*:s3:::$CORTEX_CLUSTER_NAME*"
135
},
136
{
137
"Effect": "Allow",
138
"Action": "s3:*",
139
"Resource": "arn:*:s3:::$CORTEX_CLUSTER_NAME*/*"
140
}
141
]
142
}
Copied!
Last modified 5mo ago