|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +//* observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: PROCEDURE |
| 6 | +[id="distr-tracing-tempo-object-storage-setup-aws-sts-install_{context}"] |
| 7 | += Setting up the Amazon S3 storage with the Security Token Service |
| 8 | + |
| 9 | +You can set up the Amazon S3 storage with the Security Token Service (STS) by using the AWS Command Line Interface (AWS CLI). |
| 10 | + |
| 11 | +:FeatureName: The Amazon S3 storage with the Security Token Service |
| 12 | +include::snippets/technology-preview.adoc[leveloffset=+1] |
| 13 | + |
| 14 | +.Prerequisites |
| 15 | + |
| 16 | +* You have installed the latest version of the AWS CLI. |
| 17 | +
|
| 18 | +.Procedure |
| 19 | + |
| 20 | +. Create an AWS S3 bucket. |
| 21 | + |
| 22 | +. Create the following `trust.json` file for the AWS IAM policy that will set up a trust relationship for the AWS IAM role, created in the next step, with the service account of the TempoStack instance: |
| 23 | ++ |
| 24 | +[source,yaml] |
| 25 | +---- |
| 26 | +{ |
| 27 | + "Version": "2012-10-17", |
| 28 | + "Statement": [ |
| 29 | + { |
| 30 | + "Effect": "Allow", |
| 31 | + "Principal": { |
| 32 | + "Federated": "arn:aws:iam::${<aws_account_id>}:oidc-provider/${<oidc_provider>}" # <1> |
| 33 | + }, |
| 34 | + "Action": "sts:AssumeRoleWithWebIdentity", |
| 35 | + "Condition": { |
| 36 | + "StringEquals": { |
| 37 | + "${OIDC_PROVIDER}:sub": [ |
| 38 | + "system:serviceaccount:${<openshift_project_for_tempostack>}:tempo-${<tempostack_cr_name>}" # <2> |
| 39 | + "system:serviceaccount:${<openshift_project_for_tempostack>}:tempo-${<tempostack_cr_name>}-query-frontend" |
| 40 | + ] |
| 41 | + } |
| 42 | + } |
| 43 | + } |
| 44 | + ] |
| 45 | +} |
| 46 | +---- |
| 47 | +<1> OIDC provider that you have configured on the {product-title}. You can get the configured OIDC provider value also by running the following command: `$ oc get authentication cluster -o json | jq -r '.spec.serviceAccountIssuer' | sed 's~http[s]*://~~g'`. |
| 48 | +<2> Namespace in which you intend to create the TempoStack instance. |
| 49 | + |
| 50 | +. Create an AWS IAM role by attaching the `trust.json` policy file that you created: |
| 51 | ++ |
| 52 | +[source,terminal] |
| 53 | +---- |
| 54 | +$ aws iam create-role \ |
| 55 | + --role-name "tempo-s3-access" \ |
| 56 | + --assume-role-policy-document "file:///tmp/trust.json" \ |
| 57 | + --query Role.Arn \ |
| 58 | + --output text |
| 59 | +---- |
| 60 | + |
| 61 | +. Attach an AWS IAM policy to the created role: |
| 62 | ++ |
| 63 | +[source,terminal] |
| 64 | +---- |
| 65 | +$ aws iam attach-role-policy \ |
| 66 | + --role-name "tempo-s3-access" \ |
| 67 | + --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess" |
| 68 | +---- |
| 69 | + |
| 70 | +. In the {product-title}, create an object storage secret with keys as follows: |
| 71 | ++ |
| 72 | +[source,yaml] |
| 73 | +---- |
| 74 | +apiVersion: v1 |
| 75 | +kind: Secret |
| 76 | +metadata: |
| 77 | + name: minio-test |
| 78 | +stringData: |
| 79 | + bucket: <s3_bucket_name> |
| 80 | + region: <s3_region> |
| 81 | + role_arn: <s3_role_arn> |
| 82 | +type: Opaque |
| 83 | +---- |
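Review bot: the policy attached in the `aws iam attach-role-policy` step, `arn:aws:iam::aws:policy/AmazonS3FullAccess`, grants the Tempo service accounts read, write and delete access to every S3 bucket in the account rather than only the bucket created in step 1; because the trust policy lets any pod running as `tempo-<cr>` or `tempo-<cr>-query-frontend` assume this role, a compromise of either pod becomes account-wide S3 access. Suggest replacing it with a customer-managed or inline policy scoped to the bucket, for example `s3:ListBucket` on `arn:aws:s3:::<s3_bucket_name>` and `s3:GetObject`, `s3:PutObject`, `s3:DeleteObject` on `arn:aws:s3:::<s3_bucket_name>/*`, or at minimum stating in the text that the managed policy is far broader than required. The `trust.json` block also has a syntax bug: the two `sub` entries have no comma between them, so the document is not valid JSON and `aws iam create-role` will reject it with a malformed-policy error. In the same block the placeholders are inconsistent (`${<oidc_provider>}` in `Principal.Federated` but `${OIDC_PROVIDER}` in the condition key), callout <2> describes only the namespace although the line also contains `<tempostack_cr_name>`, and the block is tagged `[source,yaml]` although it is JSON; since the condition currently matches on `sub` alone, consider also documenting an `:aud` condition for the provider. Minor: step 2 tells the reader to create `trust.json` while step 3 reads `file:///tmp/trust.json`, and the secret in the last step is named `minio-test` in an S3/STS procedure, which readers copying the example will find confusing.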