<h1>SUSECON 2023 recordings publicly available on YouTube</h1>
<p><em>The Wombelix Post - AWS</em> (https://dominik.wombacher.cc), Dominik Wombacher, 2023-10-05</p>
<!-- SPDX-FileCopyrightText: 2023 Dominik Wombacher <dominik@wombacher.cc> -->
<!-- -->
<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
<p>Since <a class="reference external" href="https://dominik.wombacher.cc/posts/my-sessions-from-susecon-digital-23-are-online.html">July</a> the
SUSECON 23 session recordings have been available on demand, but only after registration. They are now publicly
available on <a class="reference external" href="https://youtube.com/playlist?list=PLX2Uwm1Un8aZr7KcAUlwnHqfYx2JE7Ql_&feature=shared">YouTube</a>!</p>
<p>I talked about
<a class="reference external" href="https://youtu.be/CG7jb92ZZSA?feature=shared">Rancher integration with AWS services, possibilities, challenges and outlook (PROD 1178)</a>
and
<a class="reference external" href="https://youtu.be/6x64B7K1VFE?feature=shared">SUSE ALP prototype on AWS, Experimental, but fun (TUT 1179)</a>.</p>
<p>The sessions from my peers at AWS I want to highlight are
<a class="reference external" href="https://youtu.be/4fTbakJM_dk?feature=shared">SUSE Maintenance Operations on AWS Demystified (TUT 1137)</a>
and
<a class="reference external" href="https://youtu.be/szXBCuyZLn4?feature=shared">How SUSE and AWS partner to drive customer success (TBO 1042)</a>.</p>
<p>I'm looking forward to next year's SUSECON and hope I have the opportunity to speak again about SUSE on AWS.</p>
<h1>Rancher on AWS, Logging to CloudWatch with IRSA for Authentication</h1>
<p>Dominik Wombacher, published 2023-07-05, updated 2023-07-12</p>
<!-- SPDX-FileCopyrightText: 2023 Dominik Wombacher <dominik@wombacher.cc> -->
<!-- -->
<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
<p>This is the third article of the series <strong>Integrate Rancher with AWS services</strong>.
It focuses on logging to CloudWatch from Rancher while authenticating with IAM Roles for Service Accounts (IRSA),
so that no long-term credentials have to be stored in the cluster.</p>
<p><strong>Update</strong>: The recording of my talk
<a class="reference external" href="https://events.opensuse.org/conferences/oSC23/program/proposals/4169">Rancher integration with AWS services: possibilities, challenges, outlook</a>
(abstract and slide-deck) at <a class="reference external" href="https://events.opensuse.org/conferences/oSC23">openSUSE Conference 23</a> is online and covers parts of this article as well.</p>
<ul class="simple">
<li><a class="reference external" href="https://media.ccc.de/v/4169-rancher-integration-with-aws-services-possibilities-challenges-outlook">media.ccc.de</a>
(includes options to download video and audio)</li>
<li><a class="reference external" href="https://youtu.be/khIg5MT4WGs">youtube.com</a></li>
</ul>
<div class="contents local topic" id="contents">
<ul class="simple">
<li><a class="reference internal" href="#terminology" id="toc-entry-1">Terminology</a></li>
<li><a class="reference internal" href="#rancher-logging" id="toc-entry-2">Rancher Logging</a><ul>
<li><a class="reference internal" href="#overview" id="toc-entry-3">Overview</a></li>
<li><a class="reference internal" href="#iam-policy" id="toc-entry-4">IAM Policy</a></li>
<li><a class="reference internal" href="#irsa-configuration" id="toc-entry-5">IRSA Configuration</a></li>
<li><a class="reference internal" href="#clusteroutput" id="toc-entry-6">ClusterOutput</a></li>
</ul>
</li>
<li><a class="reference internal" href="#conclusion" id="toc-entry-7">Conclusion</a></li>
</ul>
</div>
<div class="section" id="terminology">
<h2><a class="toc-backref" href="#toc-entry-1">Terminology</a></h2>
<p>I assume you have a basic level of understanding about <em>Kubernetes objects</em> and <em>annotations</em> as well as
<em>Helm charts</em>, <em>repositories</em>, <em>releases</em>. If you want to brush up your knowledge,
links to resources about those topics are part of the second article of this series:
<a class="reference external" href="https://dominik.wombacher.cc/posts/rancher-on-aws-backup-to-s3-with-irsa-for-authentication.html">Rancher on AWS, Backup to S3 with IRSA for Authentication</a></p>
<p>To learn more about AWS IAM Roles and IRSA, I recommend checking out the first article of this series:
<a class="reference external" href="https://dominik.wombacher.cc/posts/what-is-aws-iam-roles-for-service-accounts-irsa.html">What is IAM Roles for Service Accounts (IRSA) and Amazon EKS Pod Identity Webhook?</a></p>
</div>
<div class="section" id="rancher-logging">
<h2><a class="toc-backref" href="#toc-entry-2">Rancher Logging</a></h2>
<div class="section" id="overview">
<h3><a class="toc-backref" href="#toc-entry-3">Overview</a></h3>
<p>Rancher provides the <a class="reference external" href="https://github.com/rancher/charts">rancher-logging</a> Helm chart,
which is based on the <a class="reference external" href="https://github.com/kube-logging/logging-operator">kube-logging operator</a>.
It uses <a class="reference external" href="https://fluentbit.io">Fluent Bit</a>
to collect and <a class="reference external" href="https://www.fluentd.org">Fluentd</a>
to forward the logs. One of the supported targets is
<a class="reference external" href="https://aws.amazon.com/cloudwatch/">Amazon CloudWatch</a>.</p>
<p>With <a class="reference external" href="https://ranchermanager.docs.rancher.com/integrations-in-rancher/logging/logging-helm-chart-options#additional-logging-sources">enhanced cloud provider logging</a>,
logs from Amazon EKS will be collected and pushed to CloudWatch as well.</p>
<p>IRSA is technically supported, but the necessary <em>serviceAccount annotation</em>
has to be added after the installation in a separate step.</p>
<p>The official documentation about
<a class="reference external" href="https://ranchermanager.docs.rancher.com/pages-for-subheaders/logging">Rancher Integration with Logging Services</a>
provides further information about the functionality and general installation.</p>
</div>
<div class="section" id="iam-policy">
<h3><a class="toc-backref" href="#toc-entry-4">IAM Policy</a></h3>
<p>You need an IAM policy for the IAM role that will later be linked to the Kubernetes service account.
The following example policy for pushing logs to CloudWatch is based on the
<a class="reference external" href="https://github.com/fluent-plugins-nursery/fluent-plugin-cloudwatch-logs#preparation">out_cloudwatch_logs</a> preparation notes.
It grants all actions on <code>Resource: "*"</code>; in production, narrow the resource to the ARN of the log group
(and its streams) that Fluentd writes to. Only <code>logs:DescribeLogGroups</code> has to stay on <code>*</code>,
because that action does not support resource-level permissions.</p>
<pre class="code json literal-block">
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:PutLogEvents",
        "logs:CreateLogGroup",
        "logs:PutRetentionPolicy",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
</pre>
</div>
<div class="section" id="irsa-configuration">
<h3><a class="toc-backref" href="#toc-entry-5">IRSA Configuration</a></h3>
<p>The <em>kube-logging</em> operator already supports IRSA, but it can't yet be configured as part of the Helm installation
with the <em>rancher-logging</em> Helm chart. The annotation has to be added afterwards to the Logging resources.
This is different from
<a class="reference external" href="https://dominik.wombacher.cc/posts/rancher-on-aws-backup-to-s3-with-irsa-for-authentication.html">Rancher Backup</a>,
where it is possible directly as part of the installation.</p>
<p>I created a <a class="reference external" href="https://github.com/rancher/charts/pull/2646">GitHub Pull Request</a> to include the
<em>serviceAccount</em> annotation in the Helm chart.</p>
<p>In the meantime, you have to edit the Logging resources <code>rancher-logging-root</code> and
(if Rancher is running on Amazon EKS with enhanced cloud provider logging enabled)
<code>rancher-logging-eks</code> in namespace <code>cattle-logging-system</code> manually.</p>
<p>The configuration is not covered in the official Rancher documentation yet.
Six lines need to be added per Logging resource, each with its own <code>role-arn</code>:</p>
<pre class="code yaml literal-block">
spec:
  fluentd:
    serviceAccount:
      metadata:
        annotations:
          eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rancher-logging-role
</pre>
<p>Besides the <em>serviceAccount annotation</em>, two things are required: the initial IRSA setup for the cluster,
and an IAM role whose trust policy is linked to the service account used by the <em>kube-logging</em> operator.</p>
<p>The service accounts <em>rancher-logging</em> creates follow the pattern <code>&lt;Logging name&gt;-fluentd</code>:
<code>rancher-logging-root-fluentd</code> and (in case of EKS and enhanced logging) <code>rancher-logging-eks-fluentd</code>, also in
namespace <code>cattle-logging-system</code>. You have to create an IAM role and link it to those
accounts by using <code>eksctl</code> as shown in the first article
<a class="reference external" href="https://dominik.wombacher.cc/posts/what-is-aws-iam-roles-for-service-accounts-irsa.html">What is IAM Roles for Service Accounts (IRSA) and Amazon EKS Pod Identity Webhook?</a>.</p>
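<p>Once the annotation is on the Logging resource, the Fluentd pods must actually carry the injected web identity settings before anything can authenticate; a pod created before the annotation was added keeps running without them until it is recreated. The following Python is an added example, not code from the article or from the rancher-logging chart: it runs that check against the JSON shapes <code>kubectl get serviceaccount ... -o json</code> and <code>kubectl get pod ... -o json</code> return. The two sample objects, the 12-digit account id and the role name are constructed placeholders.</p>

```python
"""Added example, not code from the article or the rancher-logging chart.
Verifies that IRSA took effect on a fluentd pod: the service account carries
the role-arn annotation and the EKS pod identity webhook injected the
web-identity token settings at admission time."""
import json
import re

ANNOTATION = "eks.amazonaws.com/role-arn"
TOKEN_PATH = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
# Real account ids are 12 digits; the article's 1234567890 is a placeholder.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def check_irsa(service_account: dict, pod: dict) -> list:
    """Return a list of findings; an empty list means IRSA is wired up."""
    findings = []
    sa_name = service_account["metadata"]["name"]
    annotations = service_account["metadata"].get("annotations") or {}
    role_arn = annotations.get(ANNOTATION)
    if role_arn is None:
        findings.append(f"{sa_name}: annotation {ANNOTATION} missing")
    elif not ROLE_ARN_RE.match(role_arn):
        findings.append(f"{sa_name}: role ARN looks malformed: {role_arn}")

    spec = pod["spec"]
    if spec.get("serviceAccountName") != sa_name:
        findings.append(f"pod {pod['metadata']['name']} does not run as {sa_name}")
    # Injection happens at pod creation, so a pod that predates the annotation
    # keeps running without it until the pod is recreated.
    for container in spec.get("containers", []):
        env = {e["name"]: e.get("value") for e in container.get("env", [])}
        where = f"container {container['name']}"
        if env.get("AWS_WEB_IDENTITY_TOKEN_FILE") != TOKEN_PATH:
            findings.append(f"{where}: token file not injected (pod predates the annotation?)")
        if role_arn is not None and env.get("AWS_ROLE_ARN") != role_arn:
            findings.append(f"{where}: AWS_ROLE_ARN missing or differs from the annotation")
        # Static keys in the environment defeat the purpose of IRSA.
        if "AWS_SECRET_ACCESS_KEY" in env or "AWS_ACCESS_KEY_ID" in env:
            findings.append(f"{where}: static access key present")
    return findings


# Constructed sample objects, trimmed to the fields the check uses.
ROLE_ARN = "arn:aws:iam::123456789012:role/my-rancher-logging-role"
SA_ANNOTATED = {"metadata": {"name": "rancher-logging-root-fluentd",
                             "namespace": "cattle-logging-system",
                             "annotations": {ANNOTATION: ROLE_ARN}}}
SA_PLAIN = {"metadata": {"name": "rancher-logging-root-fluentd",
                         "namespace": "cattle-logging-system"}}
POD_INJECTED = {"metadata": {"name": "rancher-logging-root-fluentd-0"},
                "spec": {"serviceAccountName": "rancher-logging-root-fluentd",
                         "containers": [{"name": "fluentd", "env": [
                             {"name": "AWS_ROLE_ARN", "value": ROLE_ARN},
                             {"name": "AWS_WEB_IDENTITY_TOKEN_FILE", "value": TOKEN_PATH}]}]}}
POD_STALE = {"metadata": {"name": "rancher-logging-root-fluentd-0"},
             "spec": {"serviceAccountName": "rancher-logging-root-fluentd",
                      "containers": [{"name": "fluentd", "env": []}]}}

if __name__ == "__main__":
    for label, sa, pod in (("annotated + injected", SA_ANNOTATED, POD_INJECTED),
                           ("annotated, pod not restarted", SA_ANNOTATED, POD_STALE),
                           ("no annotation", SA_PLAIN, POD_INJECTED)):
        print(label, "->", json.dumps(check_irsa(sa, pod)))
```

<p>Feed it the live objects from <code>kubectl get sa rancher-logging-root-fluentd -n cattle-logging-system -o json</code> and the matching Fluentd pod. If only the "token file not injected" finding shows up, the annotation is correct and the pod simply has to be deleted so that it is recreated with the injection.</p>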
</div>
<div class="section" id="clusteroutput">
<h3><a class="toc-backref" href="#toc-entry-6">ClusterOutput</a></h3>
<p>To push logs to the actual target, Fluentd uses so-called <em>Outputs</em>. There are two kinds,
<strong>Output</strong> (namespaced) and <strong>ClusterOutput</strong> (cluster-wide), see <a class="reference external" href="https://kube-logging.dev/docs/configuration/output/">further reading</a>.</p>
<p>Following is an example of a basic <em>ClusterOutput</em>, named <code>testcloudwatchout</code>,
that pushes the logs routed to it to the log group <code>rancher-demo-cluster-log-group</code> and stream
<code>rancher-demo-cluster-log-stream</code> in Amazon CloudWatch, AWS Region <code>us-east-1</code>.
Note that an output on its own selects no logs: a <em>ClusterFlow</em> (or <em>Flow</em>) has to reference it before anything is forwarded.
With IRSA in place there are no access keys in the output; the Fluentd CloudWatch plugin picks up the web identity token
from the environment the webhook injected into the pod.</p>
<pre class="code yaml literal-block">
apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterOutput
metadata:
  name: testcloudwatchout
  namespace: cattle-logging-system
spec:
  cloudwatch:
    auto_create_stream: true
    log_group_name: rancher-demo-cluster-log-group
    log_stream_name: rancher-demo-cluster-log-stream
    region: us-east-1
</pre>
</div>
</div>
<div class="section" id="conclusion">
<h2><a class="toc-backref" href="#toc-entry-7">Conclusion</a></h2>
<p>Logging is a complex field and very dependent on the individual requirements and use-case.
I recommend to invest some time to learn about <em>kube-logging</em>, to write down the goals you
want to achieve with your log setup and work backwards from there to perform the actual configuration.</p>
<p>This is way beyond the scope of this Article, my main intention was to show how to bring IRSA into the mix.</p>
<p>Compared to Rancher Backup, it's a little more effort to get IRSA working, mainly because of the
missing support in the Helm chart, but it's worth it and not too complicated.</p>
<p>I hope my contribution to the <em>rancher-logging</em> Helm chart will help to improve the user experience.
As soon as the pull request that allows the <em>serviceAccount</em> annotation is merged, I plan to also submit
a PR to get the Rancher documentation updated accordingly. Configuring such a feature, based on security
best practices, should be as easy as possible to achieve broad adoption :)</p>
<p>In the next article of this series, I take a break from IRSA and will talk about logging in to Rancher via SAML authentication,
using <a class="reference external" href="https://aws.amazon.com/iam/identity-center/">AWS IAM Identity Center</a> as the SAML identity provider.</p>
<hr class="docutils" />
<p>Article series <strong>Integrate Rancher with AWS services</strong>:</p>
<ol class="arabic simple">
<li><a class="reference external" href="https://dominik.wombacher.cc/posts/what-is-aws-iam-roles-for-service-accounts-irsa.html">What is IAM Roles for Service Accounts (IRSA) and Amazon EKS Pod Identity Webhook?</a></li>
<li><a class="reference external" href="https://dominik.wombacher.cc/posts/rancher-on-aws-backup-to-s3-with-irsa-for-authentication.html">Rancher on AWS, Backup to S3 with IRSA for Authentication</a></li>
<li><strong>Rancher on AWS, Logging to CloudWatch with IRSA for Authentication</strong></li>
<li>Rancher on AWS, SAML Authentication with AWS IAM Identity Center as SAML IdP (coming soon)</li>
<li>Rancher on AWS, GitOps with Fleet and AWS CodeCommit (coming soon)</li>
</ol>
</div>
<h1>Rancher on AWS, Backup to S3 with IRSA for Authentication</h1>
<p>Dominik Wombacher, published 2023-07-04, updated 2023-07-12</p>
<!-- SPDX-FileCopyrightText: 2023 Dominik Wombacher <dominik@wombacher.cc> -->
<!-- -->
<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
<p>This is the second article of the series <strong>Integrate Rancher with AWS services</strong>.
It demonstrates how to perform backups from Rancher to S3 by using IAM
Roles for Service Accounts (IRSA) instead of EC2 instance IAM roles or AWS access keys.</p>
<p><strong>Update</strong>: The recording of my talk
<a class="reference external" href="https://events.opensuse.org/conferences/oSC23/program/proposals/4169">Rancher integration with AWS services: possibilities, challenges, outlook</a>
(abstract and slide-deck) at openSUSE Conference 23 is online and covers parts of this article as well.</p>
<ul class="simple">
<li><a class="reference external" href="https://media.ccc.de/v/4169-rancher-integration-with-aws-services-possibilities-challenges-outlook">media.ccc.de</a>
(includes options to download video and audio)</li>
<li><a class="reference external" href="https://youtu.be/khIg5MT4WGs">youtube.com</a></li>
</ul>
<div class="contents local topic" id="contents">
<ul class="simple">
<li><a class="reference internal" href="#terminology" id="toc-entry-1">Terminology</a><ul>
<li><a class="reference internal" href="#kubernetes-objects-and-annotations" id="toc-entry-2">Kubernetes objects and annotations</a></li>
<li><a class="reference internal" href="#helm-chart-repository-release" id="toc-entry-3">Helm chart, repository, release</a></li>
<li><a class="reference internal" href="#iam-role-and-irsa" id="toc-entry-4">IAM Role and IRSA</a></li>
</ul>
</li>
<li><a class="reference internal" href="#rancher-backup" id="toc-entry-5">Rancher Backup</a><ul>
<li><a class="reference internal" href="#overview" id="toc-entry-6">Overview</a></li>
<li><a class="reference internal" href="#irsa-configuration" id="toc-entry-7">IRSA Configuration</a></li>
</ul>
</li>
<li><a class="reference internal" href="#conclusion" id="toc-entry-8">Conclusion</a></li>
</ul>
</div>
<div class="section" id="terminology">
<h2><a class="toc-backref" href="#toc-entry-1">Terminology</a></h2>
<div class="section" id="kubernetes-objects-and-annotations">
<h3><a class="toc-backref" href="#toc-entry-2">Kubernetes objects and annotations</a></h3>
<p>I assume you are aware what Kubernetes
<a class="reference external" href="https://kubernetes.io/docs/concepts/overview/working-with-objects/">objects</a>
and <a class="reference external" href="https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/">annotations</a>
are, if not, that's your chance to brush up your knowledge,
I will use these terms to explain the configuration of Rancher Backup.</p>
</div>
<div class="section" id="helm-chart-repository-release">
<h3><a class="toc-backref" href="#toc-entry-3">Helm chart, repository, release</a></h3>
<p>Again, I assume you are aware of <a class="reference external" href="https://helm.sh">Helm</a> in general and also what a
<a class="reference external" href="https://helm.sh/docs/topics/charts/">chart</a>,
<a class="reference external" href="https://helm.sh/docs/topics/chart_repository/">repository</a> and
<a class="reference external" href="https://helm.sh/docs/glossary/#release">release</a> is. I'm going to use these terms later.</p>
</div>
<div class="section" id="iam-role-and-irsa">
<h3><a class="toc-backref" href="#toc-entry-4">IAM Role and IRSA</a></h3>
<p>To learn more about AWS IAM Roles and IRSA, I recommend checking out the first article of this series:
<a class="reference external" href="https://dominik.wombacher.cc/posts/what-is-aws-iam-roles-for-service-accounts-irsa.html">What is IAM Roles for Service Accounts (IRSA) and Amazon EKS Pod Identity Webhook?</a></p>
</div>
</div>
<div class="section" id="rancher-backup">
<h2><a class="toc-backref" href="#toc-entry-5">Rancher Backup</a></h2>
<div class="section" id="overview">
<h3><a class="toc-backref" href="#toc-entry-6">Overview</a></h3>
<p>Rancher provides the <a class="reference external" href="https://github.com/rancher/backup-restore-operator">backup-restore-operator</a>,
which can be used to perform <em>scheduled</em> and <em>encrypted</em> backups of all Rancher resources.
Amazon S3 is a supported target and a highly available and resilient location for backups.
IRSA can be used for authentication by adding the <em>serviceAccount annotation</em> during the installation.</p>
<p>The official documentation about
<a class="reference external" href="https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/backup-restore-and-disaster-recovery/back-up-rancher">Backing up Rancher</a>
provides further information about the functionality and general setup.</p>
</div>
<div class="section" id="irsa-configuration">
<h3><a class="toc-backref" href="#toc-entry-7">IRSA Configuration</a></h3>
<p>The backup operator already supports IRSA but it's not covered in the official Rancher Documentation yet.
It's sufficient to add three additional lines as part of the installation to activate it:</p>
<pre class="code yaml literal-block">
serviceAccount:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rancher-backup-role
</pre>
<p>The complete values file for Helm could look like this, for example. Note that <code>credentialSecretName</code> and
<code>credentialSecretNamespace</code> stay empty, so no static access keys are stored in the cluster:</p>
<pre class="code yaml literal-block">
s3:
  bucketName: my-rancher-backup-bucket
  credentialSecretName: ''
  credentialSecretNamespace: ''
  enabled: true
  endpoint: s3.us-east-1.amazonaws.com
  region: us-east-1
serviceAccount:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rancher-backup-role
</pre>
<p>Besides the <em>serviceAccount annotation</em>, two things are required: the initial IRSA setup for the cluster,
and an IAM role whose trust policy is linked to the service account used by the Rancher backup operator.</p>
<p>The default service account name is <code>rancher-backup</code> in the namespace <code>cattle-resources-system</code>.</p>
<p>Further information can be found in
<a class="reference external" href="https://dominik.wombacher.cc/posts/what-is-aws-iam-roles-for-service-accounts-irsa.html">What is IAM Roles for Service Accounts (IRSA) and Amazon EKS Pod Identity Webhook?</a></p>
</div>
</div>
<div class="section" id="conclusion">
<h2><a class="toc-backref" href="#toc-entry-8">Conclusion</a></h2>
<p>At first it was a little tricky to figure out if and how the Rancher backup operator supports IRSA.
When I realized that the necessary code change had already been merged a while ago, I was surprised
that it's not mentioned in the documentation yet.</p>
<p>The actual configuration was then quite straightforward and similar to the examples I found in the
<a class="reference external" href="https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html">Amazon EKS documentation</a>.</p>
<p>By default, Rancher uses long-term access key credentials, which I would recommend avoiding; use
short-term tokens as provided via IRSA instead. I outlined the <em>why</em> already in the first article of this series ;)</p>
<p>In the next article of this series, I will show you how to push log files from Rancher to CloudWatch and
- again - to authenticate with IRSA instead of EC2 Instance IAM Roles or access keys.</p>
<hr class="docutils" />
<p>Article series <strong>Integrate Rancher with AWS services</strong>:</p>
<ol class="arabic simple">
<li><a class="reference external" href="https://dominik.wombacher.cc/posts/what-is-aws-iam-roles-for-service-accounts-irsa.html">What is IAM Roles for Service Accounts (IRSA) and Amazon EKS Pod Identity Webhook?</a></li>
<li><strong>Rancher on AWS, Backup to S3 with IRSA for Authentication</strong></li>
<li><a class="reference external" href="https://dominik.wombacher.cc/posts/rancher-on-aws-logging-to-cloudwatch-with-irsa-for-authentication.html">Rancher on AWS, Logging to CloudWatch with IRSA for Authentication</a></li>
<li>Rancher on AWS, SAML Authentication with AWS IAM Identity Center as SAML IdP (coming soon)</li>
<li>Rancher on AWS, GitOps with Fleet and AWS CodeCommit (coming soon)</li>
</ol>
</div>
What is IAM Roles for Service Accounts (IRSA) and Amazon EKS Pod Identity Webhook? | 2023-07-03T00:00:00+02:00 | 2023-07-12T00:00:00+02:00 | Dominik Wombacher | tag:dominik.wombacher.cc,2023-07-03:/posts/what-is-aws-iam-roles-for-service-accounts-irsa.html
<!-- SPDX-FileCopyrightText: 2023 Dominik Wombacher <dominik@wombacher.cc> -->
<!-- -->
<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
<p>This is the first article of the series <strong>Integrate Rancher with AWS services</strong>.
I did quite a lot with Rancher on Amazon Web Services recently and want to share some of my
experiences with the configuration necessary to interact with AWS services for Backup,
Logging and Authentication.</p>
<p>I will cover
<a class="reference external" href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">IAM roles for service accounts</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20230705190236/https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">[1]</a>,
<a class="reference external" href="https://archive.today/2023.07.14-064542/https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">[2]</a>),
what it is and how it works under the hood on Amazon Elastic Kubernetes Service (EKS), in this post.</p>
<p>Let's start with a brief overview of the identity and access management challenges
that can be solved by using IRSA and some important terminologies.</p>
<p><strong>Update</strong>: The recording of my talk
<a class="reference external" href="https://events.opensuse.org/conferences/oSC23/program/proposals/4169">Rancher integration with AWS services: possibilities, challenges, outlook</a>
(abstract and slide-deck) at openSUSE Conference 23 is online and covers parts of this article as well.</p>
<ul class="simple">
<li><a class="reference external" href="https://media.ccc.de/v/4169-rancher-integration-with-aws-services-possibilities-challenges-outlook">media.ccc.de</a>
(includes options to download video and audio)</li>
<li><a class="reference external" href="https://youtu.be/khIg5MT4WGs">youtube.com</a></li>
</ul>
<div class="contents local topic" id="contents">
<ul class="simple">
<li><a class="reference internal" href="#terminology" id="toc-entry-1">Terminology</a><ul>
<li><a class="reference internal" href="#aws-iam-role-and-policy" id="toc-entry-2">AWS IAM Role and Policy</a></li>
<li><a class="reference internal" href="#amazon-elastic-compute-cloud-ec2-instance-iam-role" id="toc-entry-3">Amazon Elastic Compute Cloud (EC2) Instance IAM Role</a></li>
<li><a class="reference internal" href="#aws-iam-access-key-credentials" id="toc-entry-4">AWS IAM access key credentials</a></li>
</ul>
</li>
<li><a class="reference internal" href="#iam-roles-for-service-accounts-irsa" id="toc-entry-5">IAM Roles for Service Accounts (IRSA)</a><ul>
<li><a class="reference internal" href="#irsa-under-the-hood" id="toc-entry-6">IRSA under the hood</a></li>
<li><a class="reference internal" href="#pod-identity-webhook" id="toc-entry-7">Pod Identity Webhook</a></li>
</ul>
</li>
<li><a class="reference internal" href="#conclusion" id="toc-entry-8">Conclusion</a></li>
</ul>
</div>
<div class="section" id="terminology">
<h2><a class="toc-backref" href="#toc-entry-1">Terminology</a></h2>
<div class="section" id="aws-iam-role-and-policy">
<h3><a class="toc-backref" href="#toc-entry-2">AWS IAM Role and Policy</a></h3>
<p>To grant an application access to AWS services, you need an AWS IAM Role and Policy.
An IAM Role contains an IAM Permission policy and an IAM Trust relationship.
The policy defines <em>what</em> can be done with the specified service, for example,
uploading files to an Amazon Simple Storage Service (S3) Bucket.
The relationship defines <em>who</em> can assume the IAM Role to perform the actions
based on the attached permission policy.</p>
<pre class="code text literal-block">
IAM Permission policy >> IAM Role << IAM Trust relationship
</pre>
</div>
<div class="section" id="amazon-elastic-compute-cloud-ec2-instance-iam-role">
<h3><a class="toc-backref" href="#toc-entry-3">Amazon Elastic Compute Cloud (EC2) Instance IAM Role</a></h3>
<p>When an IAM Role is attached to an EC2 Instance, every application running on this specific instance
has the same level of permissions. If you have one single application running, it's good practice
to grant permissions that way. But imagine you have multiple applications running, for example
in different containers like in a Kubernetes environment; then all of them inherit the same set of
permissions.</p>
<p>For example: the IAM Role grants write access to an S3 Bucket because container #1 is supposed
to upload files. With an EC2 Instance IAM Role, container #2 and container #3 can also
write to the same S3 Bucket. Those containers run completely different applications, maybe even
outside your own control. Worst case, this could cause data corruption, data loss or even a data leak.</p>
<pre class="code text literal-block">
container 1 --|        IAM Role
              |           |
container 2 --|-- EC2 Instance -- S3 Bucket
              |
container 3 --|
</pre>
</div>
<div class="section" id="aws-iam-access-key-credentials">
<h3><a class="toc-backref" href="#toc-entry-4">AWS IAM access key credentials</a></h3>
<p>Long-term credentials should be avoided whenever possible from a security best practice point of view.
AWS access keys are linked to an IAM user and have no expiry date. They could be leaked or shared
between multiple applications and therefore might have too broad permissions assigned.</p>
<p>I think it's obvious why those types of credentials should not be used, in my opinion not even during
development. Start early in the process to replace long-term with short-term credentials!</p>
</div>
</div>
<div class="section" id="iam-roles-for-service-accounts-irsa">
<h2><a class="toc-backref" href="#toc-entry-5">IAM Roles for Service Accounts (IRSA)</a></h2>
<p>Now that I explained why EC2 Instance IAM Roles and IAM access keys are not a good idea in a
Kubernetes environment, what's the alternative? IRSA to the rescue ;) With this feature, IAM Roles
are assigned to Kubernetes Service Accounts, which are then linked to specific pods. That way
you grant granular permissions on a per-service basis inside your Kubernetes cluster.</p>
<p>It's an AWS feature and available out-of-the-box on Amazon EKS. The open source component that makes
the dynamic configuration and assignment of temporary credentials possible is the
<a class="reference external" href="https://github.com/aws/amazon-eks-pod-identity-webhook">Amazon EKS Pod Identity Webhook</a>.</p>
<p>The AWS CLI and the AWS SDKs both fully support IRSA; every application inside a Pod that leverages the CLI
or SDK to interact with AWS services can use IRSA instead of, for example, access keys, with no or
only minor code changes.</p>
<div class="section" id="irsa-under-the-hood">
<h3><a class="toc-backref" href="#toc-entry-6">IRSA under the hood</a></h3>
<p>Personally I'm super excited about IRSA and how it works. I think it should be used for every
Kubernetes workload on AWS; there is really no reason at all to stick with EC2 Instance IAM Roles
or even access key credentials.</p>
<p>That's why I want to dive deeper into how IRSA works and what magic is happening under the hood.</p>
<img alt="AWS IAM Roles for Service Accounts (IRSA) under the hood, architecture overview" src="https://dominik.wombacher.cc/images/AWS_IRSA_Architecture_Overview_800_72.jpg" />
<ol class="arabic">
<li><p class="first">A reference between the EKS Cluster and IAM is established via OIDC. This is a one-time setup
per cluster and can be done via <code>eksctl</code>. Example:</p>
<pre class="code text literal-block">
eksctl utils associate-iam-oidc-provider --cluster <CLUSTER_NAME> --approve
</pre>
</li>
<li><p class="first">A reference between a Kubernetes service account and an IAM Role has to be created. This can be
done via <code>eksctl</code> in two ways: either with the account and the role managed by EKS, or by
assigning a role to an existing Kubernetes service account. In the case of Rancher, it's option two,
because Rancher creates and manages Kubernetes service accounts on its own.
Example:</p>
<pre class="code text literal-block">
eksctl create iamserviceaccount --name <SA_NAME> --namespace <NS_NAME> --cluster <CLUSTER_NAME> \
--role-name <ROLE_NAME> --attach-policy-arn <IAM_POLICY_ARN> --approve --role-only
</pre>
</li>
<li><p class="first">The Kubernetes resource is configured with an appropriate service account annotation, for example
as part of an installation via Helm or by adjusting a manifest.</p>
</li>
<li><p class="first">As soon as a Pod with a service account annotation comes up, the Pod Identity Webhook is
triggered and reconfigures (mutates) the Pod to use IRSA.</p>
</li>
<li><p class="first">The Pod assumes the specified IAM Role and connects to the AWS Security Token Service (STS).</p>
</li>
<li><p class="first">AWS STS verifies the request by contacting AWS IAM.</p>
</li>
<li><p class="first">If the request could be verified and is valid, AWS STS issues temporary credentials.</p>
</li>
</ol>
<p>The AWS CLI and applications leveraging the AWS SDK can now interact with AWS services based on the permissions
of the IAM Role, without the need for EC2 Instance IAM Roles or long-term access key credentials.</p>
<p>As soon as the temporary credentials expire, the process automatically starts over from step #5
to get a new set of temporary credentials; no manual interaction is required once steps
#1 to #3 are completed.</p>
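<p>To make step #2 concrete, here is an added example in Python (example code, not from the article, eksctl or Rancher) that builds the trust relationship an IRSA role needs, using the service account <code>rancher-backup</code> in namespace <code>cattle-resources-system</code> that the Rancher backup operator uses, and audits an existing trust policy for conditions that would let more than the intended service account assume the role. The OIDC provider id <code>EXAMPLEOIDCID</code>, the account id <code>1234567890</code> and the role name <code>my-rancher-backup-role</code> are placeholders.</p>

```python
"""Build and audit the IAM trust relationship behind an IRSA role.

Added example for this article; not code from the article, eksctl or Rancher.
Placeholders (assumed, not real): account id 1234567890, the OIDC provider id
EXAMPLEOIDCID and the role name my-rancher-backup-role.
"""
import json
from typing import List

# The OIDC provider that `eksctl utils associate-iam-oidc-provider` registers for the cluster (placeholder).
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID"
ACCOUNT_ID = "1234567890"  # placeholder account id, as in the article's annotation


def irsa_trust_policy(oidc_provider: str, account_id: str, namespace: str, service_account: str) -> dict:
    """Return the trust relationship that lets exactly one Kubernetes service account
    assume the role via sts:AssumeRoleWithWebIdentity. This is what
    `eksctl create iamserviceaccount --role-only` configures for you in step #2."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        # `sub` of the projected token names the service account ...
                        f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                        # ... and `aud` must match the audience the Pod Identity Webhook requests
                        f"{oidc_provider}:aud": "sts.amazonaws.com",
                    }
                },
            }
        ],
    }


def _as_list(value) -> list:
    """IAM condition and action values may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_trust_policy(policy: dict) -> List[str]:
    """Flag Allow statements for AssumeRoleWithWebIdentity that are broader than
    one service account: missing :sub or :aud conditions, or wildcard subjects."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        likes = cond.get("StringLike", {})
        keys = list(equals) + list(likes)
        if not any(k.endswith(":sub") for k in keys):
            findings.append(f"statement {i}: no :sub condition, any service account in the cluster may assume the role")
        if not any(k.endswith(":aud") for k in keys):
            findings.append(f"statement {i}: no :aud condition, tokens issued for other audiences are accepted")
        for key, raw in likes.items():  # wildcards only take effect in StringLike
            for value in _as_list(raw):
                if key.endswith(":sub") and ("*" in value or "?" in value):
                    findings.append(f"statement {i}: wildcard subject {value!r} matches more than one service account")
    return findings


if __name__ == "__main__":
    policy = irsa_trust_policy(OIDC_PROVIDER, ACCOUNT_ID, "cattle-resources-system", "rancher-backup")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy))
```

<p>The audit is the check worth running on roles that were created by hand rather than by <code>eksctl</code>: a <code>StringLike</code> subject such as <code>system:serviceaccount:cattle-resources-system:*</code> lets every service account in that namespace assume the role, and a missing <code>:aud</code> condition accepts projected tokens that were minted for a different audience.</p>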
<p>Further information and examples can be found in the
<a class="reference external" href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">AWS Documentation</a>
about IRSA on Amazon EKS.</p>
</div>
<div class="section" id="pod-identity-webhook">
<h3><a class="toc-backref" href="#toc-entry-7">Pod Identity Webhook</a></h3>
<p>I explained that the Pod Identity Webhook performs a reconfiguration / mutation in step #4 of the
IRSA architecture diagram. What happens in this step is that the following environment variables
and volumes are added to the Pod:</p>
<pre class="code yaml literal-block">
<span class="pygments-nt">env</span><span class="pygments-p">:</span><span class="pygments-w">
</span><span class="pygments-p-Indicator">-</span><span class="pygments-w"> </span><span class="pygments-nt">name</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-l-Scalar-Plain">AWS_DEFAULT_REGION</span><span class="pygments-w">
</span><span class="pygments-nt">value</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-l-Scalar-Plain">us-west-2</span><span class="pygments-w">
</span><span class="pygments-p-Indicator">-</span><span class="pygments-w"> </span><span class="pygments-nt">name</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-l-Scalar-Plain">AWS_REGION</span><span class="pygments-w">
</span><span class="pygments-nt">value</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-l-Scalar-Plain">us-west-2</span><span class="pygments-w">
</span><span class="pygments-p-Indicator">-</span><span class="pygments-w"> </span><span class="pygments-nt">name</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-l-Scalar-Plain">AWS_ROLE_ARN</span><span class="pygments-w">
</span><span class="pygments-nt">value</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-s">"arn:aws:iam::111122223333:role/s3-reader"</span><span class="pygments-w">
</span><span class="pygments-p-Indicator">-</span><span class="pygments-w"> </span><span class="pygments-nt">name</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-l-Scalar-Plain">AWS_WEB_IDENTITY_TOKEN_FILE</span><span class="pygments-w">
</span><span class="pygments-nt">value</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-s">"/var/run/secrets/eks.amazonaws.com/serviceaccount/token"</span><span class="pygments-w">
</span><span class="pygments-p-Indicator">-</span><span class="pygments-w"> </span><span class="pygments-nt">name</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-l-Scalar-Plain">AWS_STS_REGIONAL_ENDPOINTS</span><span class="pygments-w">
</span><span class="pygments-nt">value</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-s">"regional"</span><span class="pygments-w">
</span><span class="pygments-nt">volumeMounts</span><span class="pygments-p">:</span><span class="pygments-w">
</span><span class="pygments-p-Indicator">-</span><span class="pygments-w"> </span><span class="pygments-nt">mountPath</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-s">"/var/run/secrets/eks.amazonaws.com/serviceaccount/"</span><span class="pygments-w">
</span><span class="pygments-nt">name</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-l-Scalar-Plain">aws-token</span><span class="pygments-w">
</span><span class="pygments-nt">volumes</span><span class="pygments-p">:</span><span class="pygments-w">
</span><span class="pygments-p-Indicator">-</span><span class="pygments-w"> </span><span class="pygments-nt">name</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-l-Scalar-Plain">aws-token</span><span class="pygments-w">
</span><span class="pygments-nt">projected</span><span class="pygments-p">:</span><span class="pygments-w">
</span><span class="pygments-nt">sources</span><span class="pygments-p">:</span><span class="pygments-w">
</span><span class="pygments-p-Indicator">-</span><span class="pygments-w"> </span><span class="pygments-nt">serviceAccountToken</span><span class="pygments-p">:</span><span class="pygments-w">
</span><span class="pygments-nt">audience</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-s">"sts.amazonaws.com"</span><span class="pygments-w">
</span><span class="pygments-nt">expirationSeconds</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-l-Scalar-Plain">86400</span><span class="pygments-w">
</span><span class="pygments-nt">path</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-l-Scalar-Plain">token</span><span class="pygments-w">
</span>
</pre>
<p>The <em>region</em> and <em>role arn</em> values are example data and are set according to your IAM Role configuration
performed in step #2. The environment variables are used by the AWS CLI or SDK to understand that the
authentication needs to be performed via a token, which is available in the mount <code>aws-token</code>.
The content of this mount is updated based on the response from AWS STS in step #7.</p>
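<p>As an added illustration of what the CLI or SDK does with those variables (example code, not part of the article or of the Pod Identity Webhook project): the Python below reads <code>AWS_ROLE_ARN</code> and <code>AWS_WEB_IDENTITY_TOKEN_FILE</code> from an environment like the one above, decodes the claims of the projected token and checks that <code>aud</code>, <code>sub</code> and <code>exp</code> are what the IAM trust relationship from step #2 will be compared against. The token is a constructed sample with a dummy signature; the signature itself is verified by AWS STS against the cluster's OIDC provider in step #6, not locally. The OIDC provider id <code>EXAMPLEOIDCID</code> is a placeholder, the role ARN and region are the article's example values.</p>

```python
"""Inspect the environment and projected token the Pod Identity Webhook injects.

Added example, not code from the article or from amazon-eks-pod-identity-webhook.
The token built here is a constructed sample with a dummy signature; the claim
layout (iss, sub, aud, exp, kubernetes.io) follows the projected service account
token format, and the role ARN and region are the article's example values.
"""
import base64
import json
import os
import tempfile
import time
from typing import List, Optional

# Constructed sample claims; the OIDC provider id EXAMPLEOIDCID is a placeholder.
SAMPLE_CLAIMS = {
    "iss": "https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLEOIDCID",
    "sub": "system:serviceaccount:cattle-resources-system:rancher-backup",
    "aud": ["sts.amazonaws.com"],            # audience requested in the projected volume
    "iat": int(time.time()),
    "exp": int(time.time()) + 86400,         # expirationSeconds: 86400 from the manifest above
    "kubernetes.io": {
        "namespace": "cattle-resources-system",
        "serviceaccount": {"name": "rancher-backup"},
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Assemble header.payload.signature with a dummy signature (demo only)."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(b'dummy-signature')}"


def decode_claims(token: str) -> dict:
    """Return the payload claims without verifying the signature. STS verifies
    the signature against the cluster's OIDC JWKS; this is a local sanity check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_demo_env(claims: dict) -> dict:
    """Write a sample token file and return the variables the webhook would set."""
    token_file = os.path.join(tempfile.mkdtemp(), "token")
    with open(token_file, "w") as fh:
        fh.write(make_sample_token(claims))
    return {
        "AWS_REGION": "us-west-2",
        "AWS_ROLE_ARN": "arn:aws:iam::111122223333:role/s3-reader",
        "AWS_WEB_IDENTITY_TOKEN_FILE": token_file,
        "AWS_STS_REGIONAL_ENDPOINTS": "regional",
    }


def check_irsa_env(env: dict, expected_sub: str, now: Optional[int] = None) -> List[str]:
    """Return the problems that would make AssumeRoleWithWebIdentity fail or make
    the SDK silently fall back to another credential source (instance role, access keys)."""
    now = int(time.time()) if now is None else now
    problems = []
    role_arn = env.get("AWS_ROLE_ARN", "")
    if not role_arn.startswith("arn:aws:iam::"):
        problems.append("AWS_ROLE_ARN missing or malformed")
    token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if not token_file or not os.path.isfile(token_file):
        problems.append("AWS_WEB_IDENTITY_TOKEN_FILE missing; SDK would fall back to other credentials")
        return problems
    with open(token_file) as fh:
        claims = decode_claims(fh.read().strip())
    audiences = claims.get("aud", [])
    audiences = [audiences] if isinstance(audiences, str) else audiences
    if "sts.amazonaws.com" not in audiences:
        problems.append(f"token audience {audiences} does not include sts.amazonaws.com")
    if claims.get("sub") != expected_sub:
        problems.append(f"token subject {claims.get('sub')!r} is not {expected_sub!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired; kubelet should have rotated the projected volume")
    return problems


if __name__ == "__main__":
    env = build_demo_env(SAMPLE_CLAIMS)
    print(check_irsa_env(env, SAMPLE_CLAIMS["sub"]) or "IRSA environment looks consistent")
```

<p>Running the same check inside a real Pod (with <code>os.environ</code> instead of the demo environment) is a quick way to tell an IRSA problem apart from an IAM permission problem: if the variables or the token are missing, the SDK's credential chain moves on to the EC2 Instance IAM Role or static keys, and the workload may appear to work with the wrong identity.</p>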
</div>
</div>
<div class="section" id="conclusion">
<h2><a class="toc-backref" href="#toc-entry-8">Conclusion</a></h2>
<p><a class="reference external" href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">IRSA</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20230705190236/https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">[1]</a>,
<a class="reference external" href="https://archive.today/2023.07.14-064542/https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">[2]</a>)
is in my opinion a very elegant way to increase security and address some of the most critical IAM challenges.
The initial setup on Amazon EKS is normally done within a few minutes; afterwards it's a solution that just works.</p>
<p>Given the fact that the Pod Identity Webhook component is
<a class="reference external" href="https://github.com/aws/amazon-eks-pod-identity-webhook">open source</a>, it's also possible to use IRSA
on other Kubernetes clusters that are deployed directly on EC2 and use a CNCF-compliant distribution.</p>
<p>With this deep dive into IRSA I wanted to share the benefits and help you better understand the upcoming
articles of this series about Backup and Logging with Rancher on AWS, which are about getting them working
with IRSA and avoiding long-term credentials.</p>
<hr class="docutils" />
<p>Article series <strong>Integrate Rancher with AWS services</strong>:</p>
<ol class="arabic simple">
<li><strong>What is IAM Roles for Service Accounts (IRSA) and Amazon EKS Pod Identity Webhook?</strong></li>
<li><a class="reference external" href="https://dominik.wombacher.cc/posts/rancher-on-aws-backup-to-s3-with-irsa-for-authentication.html">Rancher on AWS, Backup to S3 with IRSA for Authentication</a></li>
<li><a class="reference external" href="https://dominik.wombacher.cc/posts/rancher-on-aws-logging-to-cloudwatch-with-irsa-for-authentication.html">Rancher on AWS, Logging to CloudWatch with IRSA for Authentication</a></li>
<li>Rancher on AWS, SAML Authentication with AWS IAM Identity Center as SAML IdP (coming soon)</li>
<li>Rancher on AWS, GitOps with Fleet and AWS CodeCommit (coming soon)</li>
</ol>
</div>
How-to update Rancher Manager - deployed via Rancher Setup from AWS Marketplace - to the latest version | 2023-05-05T00:00:00+02:00 | 2023-05-05T00:00:00+02:00 | Dominik Wombacher | tag:dominik.wombacher.cc,2023-05-05:/posts/how-to-update-rancher-manager-deployed-via-rancher-setup-from-aws-marketplace-to-the-latest-version.html
<!-- SPDX-FileCopyrightText: 2023 Dominik Wombacher <dominik@wombacher.cc> -->
<!-- -->
<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
<p>If you used <a class="reference external" href="https://aws.amazon.com/marketplace/pp/prodview-go7ent7goo5ae">Rancher Setup</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20230713090231/https://aws.amazon.com/marketplace/pp/prodview-go7ent7goo5ae">[1]</a>,
<a class="reference external" href="https://archive.today/2023.07.13-090237/https://aws.amazon.com/marketplace/pp/prodview-go7ent7goo5ae">[2]</a>)
from AWS Marketplace to deploy Rancher Manager, you can perform an update to the latest version via Helm;
the initial Rancher Setup tool isn't involved in this process.</p>
<p>The <a class="reference external" href="https://documentation.suse.com/trd/kubernetes/single-html/gs_rancher_aws-marketplace/">installation guide from SUSE</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20230713095305/https://documentation.suse.com/trd/kubernetes/single-html/gs_rancher_aws-marketplace/#id-upgrade-to-latest-version">[1]</a>,
<a class="reference external" href="https://archive.today/2023.07.13-095312/https://documentation.suse.com/trd/kubernetes/single-html/gs_rancher_aws-marketplace/%23id-upgrade-to-latest-version">[2]</a>)
in Section 4 - <em>Upgrade to latest version</em> - refers to Section 3 - <em>Upgrade Rancher</em> - in the official
<a class="reference external" href="https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/upgrades#3-upgrade-rancher">Rancher upgrade guide</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20230713095342/https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/upgrades#3-upgrade-rancher">[1]</a>,
<a class="reference external" href="https://archive.today/2023.07.13-095344/https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/upgrades">[2]</a>).</p>
<p>You can follow this guide, but there is one major difference: the deployment is called <code>rancher-stable</code>
and not <code>rancher</code> if Rancher Setup from AWS Marketplace was used. Make sure to replace it accordingly, otherwise
you will see error messages that the Helm deployment can't be found.</p>
<p>Below is a short summary of the plain commands, adjusted to match the deployment name. For further details about all
required commands, their specific order and what they do, please take a look at the upgrade guide linked above.</p>
<pre class="code text literal-block">
helm get values rancher-stable -n cattle-system -o yaml > values.yaml
helm upgrade rancher-stable rancher-<CHART_REPO>/rancher \
--namespace cattle-system \
-f values.yaml \
--version=2.6.8
</pre>
<p>I created a <a class="reference external" href="https://github.com/SUSE/technical-reference-documentation/issues/75">GitHub Issue</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20230713095250/https://github.com/SUSE/technical-reference-documentation/issues/75">[1]</a>,
<a class="reference external" href="https://archive.today/2023.07.13-095255/https://github.com/SUSE/technical-reference-documentation/issues/75">[2]</a>)
to get a hint added to the section in the installation guide that the Helm deployment name is different.
I think this would save time and avoid frustration when it comes to an upgrade.</p>
Rancher Setup from AWS Marketplace, no permissions to access the underlying Amazon EKS Cluster directly | 2023-04-28T00:00:00+02:00 | 2023-04-28T00:00:00+02:00 | Dominik Wombacher | tag:dominik.wombacher.cc,2023-04-28:/posts/rancher-setup-from-aws-marketplace-no-permission-to-access-underlying-amazon-eks-cluster-directly.html
<!-- SPDX-FileCopyrightText: 2023 Dominik Wombacher <dominik@wombacher.cc> -->
<!-- -->
<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
<p><a class="reference external" href="https://aws.amazon.com/marketplace/pp/prodview-go7ent7goo5ae">Rancher Setup</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20230713090231/https://aws.amazon.com/marketplace/pp/prodview-go7ent7goo5ae">[1]</a>,
<a class="reference external" href="https://archive.today/2023.07.13-090237/https://aws.amazon.com/marketplace/pp/prodview-go7ent7goo5ae">[2]</a>)
from AWS Marketplace deploys an EKS cluster and installs <a class="reference external" href="https://www.rancher.com/products/rancher">Rancher</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20230713093613/https://www.rancher.com/products/rancher">[1]</a>,
<a class="reference external" href="https://archive.today/2023.07.13-093617/https://www.rancher.com/products/rancher">[2]</a>) on top.
It will create all necessary resources; the outcome is a highly available and production-ready
Rancher Manager environment. This is great, and I highly recommend it for people who
don't need to customize every detail and just want to get started quickly.</p>
<p>If you want to learn more about Rancher Setup, SUSE provides a comprehensive
<a class="reference external" href="https://documentation.suse.com/trd/kubernetes/single-html/gs_rancher_aws-marketplace/">installation guide</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20230713095305/https://documentation.suse.com/trd/kubernetes/single-html/gs_rancher_aws-marketplace/#id-upgrade-to-latest-version">[1]</a>,
<a class="reference external" href="https://archive.today/2023.07.13-095312/https://documentation.suse.com/trd/kubernetes/single-html/gs_rancher_aws-marketplace/%23id-upgrade-to-latest-version">[2]</a>).</p>
<p>By default, access to EKS is tunneled through Rancher. In the event of a problem with the Rancher
installation, direct access to EKS via kubectl could be required to get Rancher up and running again.</p>
<p>But as much as I like the Rancher Setup wizard, the way resources get deployed will most likely cause a problem
when you try to directly access the underlying EKS cluster that was deployed by Rancher Setup.</p>
<p>Let me quote from the <a class="reference external" href="https://github.com/SUSE-Enceladus/suse-rancher-setup/issues/217">GitHub Issue</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20230713091405/https://github.com/SUSE-Enceladus/suse-rancher-setup/issues/217">[1]</a>,
<a class="reference external" href="https://archive.today/2023.07.13-091412/https://github.com/SUSE-Enceladus/suse-rancher-setup/issues/217">[2]</a>) I opened:</p>
<blockquote>
<div class="line-block">
<div class="line">The problem is, only the user or assumed Role that created the EKS Cluster has <code>system:masters</code> access permissions by default.</div>
<div class="line">In case of the Rancher Setup, that's the IAM Role / Instance Profile I created prior to the setup and attached to the EC2 instance.</div>
<div class="line">Without an additional step, access to the EKS Cluster is only possible through Rancher but not directly.</div>
</div>
</blockquote>
<p>I assume you have some understanding of AWS, and that IAM Roles as well as EC2 Instance Profiles are not new to you.
Rancher Setup is an EC2 Instance with a web wizard; you grant the necessary permissions to deploy resources as an IAM Role, which
is attached to the EC2 Instance. That makes this Role the owner of the newly deployed EKS Cluster.</p>
<p>Right now, the setup doesn't provide an option to change the owner or print a warning that this is something the
user should take care of before proceeding. This can be achieved by manually editing the <code>aws-auth</code> configmap
by running the command <code>kubectl edit configmap aws-auth --namespace kube-system</code>:</p>
<pre class="code yaml literal-block">
<span class="pygments-p-Indicator">[</span><span class="pygments-nv">...</span><span class="pygments-p-Indicator">]</span><span class="pygments-w">
</span><span class="pygments-p-Indicator">-</span><span class="pygments-w"> </span><span class="pygments-nt">rolearn</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-l-Scalar-Plain">arn:aws:iam::1234567890:role/MyRole</span><span class="pygments-w">
</span><span class="pygments-nt">username</span><span class="pygments-p">:</span><span class="pygments-w"> </span><span class="pygments-l-Scalar-Plain">admin</span><span class="pygments-w">
</span><span class="pygments-nt">groups</span><span class="pygments-p">:</span><span class="pygments-w">
</span><span class="pygments-p-Indicator">-</span><span class="pygments-w"> </span><span class="pygments-l-Scalar-Plain">system:masters</span><span class="pygments-w">
</span><span class="pygments-p-Indicator">[</span><span class="pygments-nv">...</span><span class="pygments-p-Indicator">]</span><span class="pygments-w">
</span>
</pre>
<p>I made the suggestion to include it in the actual setup to make it more customer-friendly,
but wanted to document the workaround to help other people who might run into the same problem I did.</p>
AWS Certified SysOps Administrator - Associate | 2022-12-28T00:00:00+01:00 | 2022-12-28T00:00:00+01:00 | Dominik Wombacher | tag:dominik.wombacher.cc,2022-12-28:/posts/aws-certified-sysops-administrator-associate.html
<!-- SPDX-FileCopyrightText: 2023 Dominik Wombacher <dominik@wombacher.cc> -->
<!-- -->
<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
<p>I completed the AWS Associate Trifecta by passing the third Exam and becoming an
<strong>AWS Certified SysOps Administrator - Associate</strong> today. I'm very proud of
getting all three Associate Certifications within one month; preparing for them
boosted my AWS knowledge and provides massive value in my job.</p>
<p>Again I just kept it simple and focused on Hands-On Labs from
<a class="reference external" href="https://acloudguru.com/course/aws-certified-sysops-administrator-associate-8Lkj">A Cloud Guru</a> and the
<a class="reference external" href="https://portal.tutorialsdojo.com/product/tutorials-dojo-study-guide-ebook-aws-certified-sysops-administrator-associate/">eBook</a>
as well as the <a class="reference external" href="https://portal.tutorialsdojo.com/courses/aws-certified-sysops-administrator-associate-practice-exams/">Practice Exam</a>
from Tutorials Dojo. The content overlap between the Solutions Architect, Developer and SysOps Administrator Exams is quite large,
I guess around 60%, and a lot of questions can be answered with common IT knowledge and understanding.
I recommend not overthinking it: trust yourself and your experience, focus on the topics where you have gaps and just go for it.</p>
<div class="section" id="summary">
<h2>Summary</h2>
<p>Earners of this certification have a comprehensive understanding on how to deploy, manage, and operate IT systems on the AWS Cloud.
They demonstrated the ability to migrate on-premises workloads to AWS and monitor, scale, and secure systems on the AWS platform.
Badge owners are able to provide guidance on implementing best practices for cloud operations.</p>
<p>Source & Copyright: <a class="reference external" href="https://www.credly.com">https://www.credly.com</a></p>
</div>
<div class="section" id="skills">
<h2>Skills</h2>
<ul class="simple">
<li>Amazon Web Services</li>
<li>AWS</li>
<li>AWS Certification</li>
<li>AWS Cloud</li>
<li>Cloud Certification</li>
<li>Cloud Infrastructure</li>
<li>Cloud Migration</li>
<li>Cloud Operations</li>
<li>Cloud Storage Optimization</li>
</ul>
<p>Source & Copyright: <a class="reference external" href="https://www.credly.com">https://www.credly.com</a></p>
</div>
<div class="section" id="certificate">
<h2>Certificate</h2>
<ul class="simple">
<li>Downloads<ul>
<li><a class="reference external" href="/certificates/Dominik_Wombacher_AWS_Certified_SysOps_Administrator_-_Associate_certificate.pdf">Certificate (ID: 45F4KT71YF141LW8)</a> (PDF, 42.6k)</li>
<li><a class="reference external" href="/certificates/aws-certified-sysops-administrator-associate.png">Badge</a> (PNG, 105.1K)</li>
</ul>
</li>
<li>Links<ul>
<li><a class="reference external" href="https://www.credly.com/badges/a6fc0b5a-9be1-4047-b0ce-13355a55c11d">Credly Badge</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/2/https://www.credly.com/badges/a6fc0b5a-9be1-4047-b0ce-13355a55c11d">[1]</a>,
<a class="reference external" href="https://archive.today/2022.12.30-123303/https://www.credly.com/badges/a6fc0b5a-9be1-4047-b0ce-13355a55c11d">[2]</a>)</li>
</ul>
</li>
</ul>
</div>
AWS Certified Developer - Associate2022-12-19T00:00:00+01:002022-12-19T00:00:00+01:00Dominik Wombachertag:dominik.wombacher.cc,2022-12-19:/posts/aws-certified-developer-associate.html<!-- SPDX-FileCopyrightText: 2023 Dominik Wombacher <dominik@wombacher.cc> -->
<!-- -->
<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
<p>Continuing my AWS Journey and on my way to get the Associate Trifecta, I passed the AWS Certified Developer - Associate
Exam today, <strong>AWS Certified SysOps Administrator - Associate</strong> up next.</p>
<p>During my <a class="reference external" href="https://dominik.wombacher.cc/posts/aws-certified-solutions-architect-associate.html">AWS Certified Solutions Architect - Associate</a>
preparation, I wasted too much time with <em>"the wrong"</em> training resources. This time I just used the
<a class="reference external" href="https://portal.tutorialsdojo.com/product/tutorials-dojo-study-guide-ebook-aws-certified-developer-associate/">eBook</a>
and <a class="reference external" href="https://portal.tutorialsdojo.com/courses/aws-certified-developer-associate-practice-exams/">Practice Exam</a>
from Tutorials Dojo. The content overlap between the Solutions Architect and Developer Exams is in my opinion around 60%,
and a lot of concepts are not specific to AWS but about development in general, so there is no need to enter tutorial hell
and learn the same things over and over again ;)</p>
<div class="section" id="summary">
<h2>Summary</h2>
<p>Earners of this certification have a comprehensive understanding of application life-cycle management.
They demonstrated proficiency in writing applications with AWS service APIs, AWS CLI, and SDKs;
using containers; and deploying with a CI/CD pipeline. Badge owners are able to develop, deploy,
and debug cloud-based applications that follow AWS best practices.</p>
<p>Source & Copyright: <a class="reference external" href="https://www.credly.com">https://www.credly.com</a></p>
</div>
<div class="section" id="skills">
<h2>Skills</h2>
<ul class="simple">
<li>Amazon Web Services</li>
<li>AWS</li>
<li>AWS Certification</li>
<li>AWS Cloud</li>
<li>Cloud Certification</li>
<li>Code Deployment</li>
<li>Code Development</li>
</ul>
<p>Source & Copyright: <a class="reference external" href="https://www.credly.com">https://www.credly.com</a></p>
</div>
<div class="section" id="certificate">
<h2>Certificate</h2>
<ul class="simple">
<li>Downloads<ul>
<li><a class="reference external" href="/certificates/Dominik_Wombacher_AWS_Certified_Developer_-_Associate.pdf">Certificate (ID: SW87H5L1SNQEQYS2)</a> (PDF, 42.7k)</li>
<li><a class="reference external" href="/certificates/aws-certified-solutions-architect-associate.png">Badge</a> (PNG, 92.2K)</li>
</ul>
</li>
<li>Links<ul>
<li><a class="reference external" href="https://www.credly.com/badges/15a4342a-5719-4c68-bc37-cb15aedb3e61">Credly Badge</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20221223063415/https://www.credly.com/badges/15a4342a-5719-4c68-bc37-cb15aedb3e61">[1]</a>,
<a class="reference external" href="https://archive.today/2022.12.23-063433/https://www.credly.com/badges/15a4342a-5719-4c68-bc37-cb15aedb3e61">[2]</a>)</li>
</ul>
</li>
</ul>
</div>
Guest at Emiel Brok's Friday Ketchup2022-12-10T00:00:00+01:002022-12-10T00:00:00+01:00Dominik Wombachertag:dominik.wombacher.cc,2022-12-10:/posts/guest-at-emiel-broks-friday-ketchup.html<!-- SPDX-FileCopyrightText: 2023 Dominik Wombacher <dominik@wombacher.cc> -->
<!-- -->
<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
<p>During the SUSE Sales Summit 2022 in Malta this week, I finally had the chance to meet Emiel in person.
I'm a huge fan of his <a class="reference external" href="https://www.youtube.com/watch?v=VNhbL1-og4Q&list=PLB-EQNAXFCc9pByWazAKct05QYztYbFFd">Friday Ketchup</a>
and had the pleasure to be his guest!</p>
<p>I have to admit that I was a little nervous and that we jumped right into it, a little unprepared,
and three long days without much sleep didn't make it better, but I think we still rocked it ;)</p>
<p>We talked about the song I picked as intro / outro, my job as Sr. Partner Solutions Architect for SUSE at AWS,
my passion about open source and my personal view on the Partnership between AWS and SUSE.</p>
<p>You can find it on YouTube: <a class="reference external" href="https://youtu.be/6R3RZ57LX9o">Friday Ketchup Powerful Partnership with AWS</a></p>
AWS Certified Solutions Architect - Associate2022-11-29T00:00:00+01:002022-11-29T00:00:00+01:00Dominik Wombachertag:dominik.wombacher.cc,2022-11-29:/posts/aws-certified-solutions-architect-associate.html<!-- SPDX-FileCopyrightText: 2023 Dominik Wombacher <dominik@wombacher.cc> -->
<!-- -->
<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
<p>Becoming an <strong>AWS Certified Solutions Architect - Associate</strong> is part of my On-boarding at AWS, but I would do it either way ;)</p>
<p>I passed the Exam today after around three weeks of preparation, with a couple of hours of studying per day. That I had already taken the
<a class="reference external" href="https://dominik.wombacher.cc/posts/aws-certified-cloud-practitioner.html">AWS Certified Cloud Practitioner</a> Exam in July,
before it was even clear that I would become an Amazonian, helped a lot and saved quite some time.
It's not mandatory to take the Cloud Practitioner first, but I highly recommend it.</p>
<p>I tried a lot of learning resources, actually too many; after some frustrating experiences with (expensive)
online courses and a lot of wasted time I suggest: Keep it simple!</p>
<p>You don't need multiple courses, and AWS SkillBuilder already offers a lot of good and free content, like the
<a class="reference external" href="https://explore.skillbuilder.aws/learn/learning_plan/view/1044/solutions-architect-learning-plan">Solutions Architect Learning Plan</a>.
I also found the <a class="reference external" href="https://portal.tutorialsdojo.com/product/tutorials-dojo-study-guide-ebook-aws-certified-solutions-architect-associate/">eBook</a>
and <a class="reference external" href="https://portal.tutorialsdojo.com/courses/aws-certified-solutions-architect-associate-practice-exams/">Practice Exam</a>
from Tutorials Dojo very helpful; that's already enough learning material to pass the Exam.</p>
<p>Important: First the Trainings, then (or in parallel if you want) the eBook, then the practice exams.
Don't start with the practice exams and don't do them over and over again; you would just start to memorize the answers,
but to pass the Exam it's important to understand the actual concepts.</p>
<p>Last but not least, I played AWS Cloud Quest, which for sure also had a positive impact on my understanding and Hands-On experience.
I guess it's just hard to measure how large the influence was, but either way, it was fun, and if you have the time, just start playing and enjoy it.</p>
<div class="section" id="summary">
<h2>Summary</h2>
<p>Earners of this certification have a comprehensive understanding of AWS services and technologies.
They demonstrated the ability to build secure and robust solutions using architectural design principles based
on customer requirements. Badge owners are able to strategically design well-architected distributed systems
that are scalable, resilient, efficient, and fault-tolerant.</p>
<p>Source & Copyright: <a class="reference external" href="https://www.credly.com">https://www.credly.com</a></p>
</div>
<div class="section" id="skills">
<h2>Skills</h2>
<ul class="simple">
<li>Amazon Web Services</li>
<li>AWS</li>
<li>AWS Certification</li>
<li>AWS Cloud</li>
<li>Cloud Architecture</li>
<li>Cloud Certification</li>
<li>Cloud Data</li>
<li>Cloud Infrastructure</li>
<li>Cloud Services</li>
</ul>
<p>Source & Copyright: <a class="reference external" href="https://www.credly.com">https://www.credly.com</a></p>
</div>
<div class="section" id="certificate">
<h2>Certificate</h2>
<ul class="simple">
<li>Downloads<ul>
<li><a class="reference external" href="/certificates/Dominik_Wombacher_AWS_Certified_Solutions_Architect_-_Associate.pdf">Certificate (ID: V2YYVPK1YEV4QKKE)</a> (PDF, 42.6k)</li>
<li><a class="reference external" href="/certificates/aws-certified-solutions-architect-associate.png">Badge</a> (PNG, 102.7K)</li>
</ul>
</li>
<li>Links<ul>
<li><a class="reference external" href="https://www.credly.com/badges/7191dc28-80f4-4d41-9101-06d2765e916c">Credly Badge</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20221223063551/https://www.credly.com/badges/7191dc28-80f4-4d41-9101-06d2765e916c">[1]</a>,
<a class="reference external" href="https://archive.today/2022.12.23-063625/https://www.credly.com/badges/7191dc28-80f4-4d41-9101-06d2765e916c">[2]</a>)</li>
</ul>
</li>
</ul>
</div>
AWS Cloud Quest, a playful way to learn AWS2022-11-13T00:00:00+01:002022-11-13T00:00:00+01:00Dominik Wombachertag:dominik.wombacher.cc,2022-11-13:/posts/learning-aws-by-gamification-with-aws-cloud-quest.html<!-- SPDX-FileCopyrightText: 2023 Dominik Wombacher <dominik@wombacher.cc> -->
<!-- -->
<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
<p>I don't have much time anymore to play games, probably a reason why I love gamification;
that's something that raises the chances that I continuously invest time in something.</p>
<p>I'm looking for different ways to improve my AWS skills and found <a class="reference external" href="https://aws.amazon.com/training/digital/aws-cloud-quest/">AWS Cloud Quest</a>,
an open-world role-playing game that teaches you how to build real-world AWS solutions using cloud concepts and exercises.</p>
<p>The <strong>Cloud Practitioner</strong> Role can be played for free. I did that already a few months ago as part of my
<a class="reference external" href="https://dominik.wombacher.cc/posts/aws-certified-cloud-practitioner.html">AWS Certified Cloud Practitioner</a> Exam prep,
loved the experience and think it really helped me to pass the Exam and strengthen my AWS knowledge. So I used
AWS Cloud Quest again, this time playing the <strong>Solutions Architect</strong>, as one of the resources to prepare for my
upcoming AWS Certified Solutions Architect Exam.</p>
<p>I like the way the game is designed and guides you through a lot of different assignments and challenges you have to solve.
Just take a look and give it a try if you like some gamification and a fun way of learning :) You can also earn nice Credly Badges!</p>
<p>I've got <a class="reference external" href="https://www.credly.com/badges/3d17c073-27ae-476a-bfb5-088b540061d7">AWS Cloud Quest: Cloud Practitioner</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20221223064002/https://www.credly.com/badges/3d17c073-27ae-476a-bfb5-088b540061d7">[1]</a>,
<a class="reference external" href="https://archive.today/2022.12.23-064015/https://www.credly.com/badges/3d17c073-27ae-476a-bfb5-088b540061d7">[2]</a>) and
<a class="reference external" href="https://www.credly.com/badges/7c6bdfb0-7008-45bb-8816-538caca64647">AWS Cloud Quest: Solutions Architect</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20221223063708/https://www.credly.com/badges/7c6bdfb0-7008-45bb-8816-538caca64647">[1]</a>,
<a class="reference external" href="https://archive.today/2022.12.23-063753/https://www.credly.com/badges/7c6bdfb0-7008-45bb-8816-538caca64647">[2]</a>) so far.</p>
<p>But at least the Roles <strong>Serverless Developer</strong> and <strong>Security</strong> are still on my bucket list!</p>
My first month as Sr. Partner Solutions Architect at AWS2022-10-31T00:00:00+01:002022-10-31T00:00:00+01:00Dominik Wombachertag:dominik.wombacher.cc,2022-10-31:/posts/my-first-month-as-sr-partner-solutions-architect-at-aws.html<!-- SPDX-FileCopyrightText: 2023 Dominik Wombacher <dominik@wombacher.cc> -->
<!-- -->
<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
<p>Wow, what a ride! At the beginning of October I started at AWS and have to admit, this was a huge step and a massive change.
I joined the Linux & IBM Alliance Team as Sr. Partner Solutions Architect, right now with a focus on everything around SUSE.
My job is - very simplified - to support AWS Customers and Partners in migrating (SUSE) workloads to AWS and optimizing them based on best practices.</p>
<p>During the first three months I'm going through an impressive on-boarding program with a lot of trainings and tasks throughout
all areas relevant to my Role at AWS. I never saw something like that before; it's a huge investment from AWS into new Employees
and helps me to get settled, understand the culture and how things work at AWS, improve a lot of different Skills and prepare for my new Job.</p>
<p>Besides a lot of other Trainings, I had the chance to dig deeper and earn the
<a class="reference external" href="https://www.credly.com/badges/c6d57fbc-28c4-43a2-bcbd-eedeb008b3ca">AWS Partner: Accreditation (Technical)</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20221223064211/https://www.credly.com/badges/c6d57fbc-28c4-43a2-bcbd-eedeb008b3ca">[1]</a>,
<a class="reference external" href="https://archive.today/2022.12.23-064223/https://www.credly.com/badges/c6d57fbc-28c4-43a2-bcbd-eedeb008b3ca">[2]</a>),
<a class="reference external" href="https://www.credly.com/badges/b9627dd1-03d6-4396-a94b-38fd8709b6fa">AWS Partner: Cloud Economics Accreditation</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20221223064253/https://www.credly.com/badges/b9627dd1-03d6-4396-a94b-38fd8709b6fa">[1]</a>,
<a class="reference external" href="https://archive.today/2022.12.23-064324/https://www.credly.com/badges/b9627dd1-03d6-4396-a94b-38fd8709b6fa">[2]</a>) and
<a class="reference external" href="https://www.credly.com/badges/f02a84e1-5260-46e9-8d44-618136f7d82f">AWS Partner: Sales Accreditation (Business)</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20221223064334/https://www.credly.com/badges/f02a84e1-5260-46e9-8d44-618136f7d82f">[1]</a>,
<a class="reference external" href="https://archive.today/2022.12.23-064407/https://www.credly.com/badges/f02a84e1-5260-46e9-8d44-618136f7d82f">[2]</a>) Badges.</p>
<p>It's amazing but also sometimes overwhelming, so many new People, Tools, Processes and ways of working.</p>
<p>I guess it takes some time to realize that I passed one of the most demanding and comprehensive hiring processes and
have the once in a lifetime opportunity to work with the smartest people around the world.</p>
AWS Certified Cloud Practitioner2022-07-11T00:00:00+02:002022-07-11T00:00:00+02:00Dominik Wombachertag:dominik.wombacher.cc,2022-07-11:/posts/aws-certified-cloud-practitioner.html<!-- SPDX-FileCopyrightText: 2023 Dominik Wombacher <dominik@wombacher.cc> -->
<!-- -->
<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
<p>Cloud here I come, I didn't plan to take the AWS Practitioner so quickly after the Azure Fundamentals, but I was so curious about the things both might have in common as well as the differences that I couldn't resist. Exam passed and now I'm a proud "AWS Certified Cloud Practitioner" :)</p>
<p>I prepared for this Exam with the great resources Amazon offers (for free) on <a class="reference external" href="https://explore.skillbuilder.aws">AWS Skill Builder</a>:</p>
<ul class="simple">
<li><a class="reference external" href="https://explore.skillbuilder.aws/learn/lp/82/cloud-essentials-learning-plan">Cloud Essential Learning Plan</a></li>
<li><a class="reference external" href="https://explore.skillbuilder.aws/learn/course/11458/aws-cloud-quest-cloud-practitioner">AWS Cloud Quest: Cloud Practitioner</a></li>
<li><a class="reference external" href="https://explore.skillbuilder.aws/learn/course/9449/exam-prep-aws-certified-cloud-practitioner">Exam Prep: AWS Certified Cloud Practitioner</a></li>
<li><a class="reference external" href="https://explore.skillbuilder.aws/learn/course/12483/aws-certified-cloud-practitioner-official-practice-question-set-clf-c01-english">AWS Certified Cloud Practitioner Official Practice Question Set (CLF-C01 - English)</a></li>
</ul>
<p>Compared to the <a class="reference external" href="https://dominik.wombacher.cc/posts/microsoft-certified-azure-fundamentals.html">Azure Fundamentals</a> some deeper understanding about technical aspects was required to pass the Exam. So it's in my opinion definitely worth it and a good starting point, makes further studying for an Associate Certification definitely easier.</p>
<p><strong>Summary</strong>: Earners of this certification have a fundamental understanding of IT services and their uses in the AWS Cloud. They demonstrated cloud fluency and foundational AWS knowledge. Badge owners are able to identify essential AWS services necessary to set up AWS-focused projects.</p>
<p>Source & Copyright: <a class="reference external" href="https://www.credly.com">https://www.credly.com</a></p>
<div class="section" id="skills">
<h2>Skills</h2>
<ul class="simple">
<li>Amazon Web Services</li>
<li>AWS</li>
<li>AWS Certification</li>
<li>AWS Cloud</li>
<li>Cloud Certification</li>
<li>Cloud Computing</li>
<li>Cloud Platform</li>
<li>Cloud Services</li>
</ul>
<p>Source & Copyright: <a class="reference external" href="https://www.credly.com">https://www.credly.com</a></p>
</div>
<div class="section" id="certificate">
<h2>Certificate</h2>
<ul class="simple">
<li>Downloads<ul>
<li><a class="reference external" href="/certificates/Dominik_Wombacher_AWS_Certified_Cloud_Practitioner.pdf">Certificate (ID: F1M24VG2QJF41KKV)</a> (PDF, 45k)</li>
<li><a class="reference external" href="/certificates/aws-certified-cloud-practitioner.png">Badge</a> (PNG, 79K)</li>
</ul>
</li>
<li>Links<ul>
<li><a class="reference external" href="https://www.credly.com/badges/b1a12cb5-70e8-4578-a26d-8e506a08c294">Credly Badge</a>
(Archive: <a class="reference external" href="https://web.archive.org/web/20221223063858/https://www.credly.com/badges/f3a96b64-9d32-41f7-b96a-36eb68099ac9">[1]</a>,
<a class="reference external" href="https://archive.today/2022.12.23-063921/https://www.credly.com/badges/f3a96b64-9d32-41f7-b96a-36eb68099ac9">[2]</a>)</li>
</ul>
</li>
</ul>
</div>