Enable EKS IRSA
AWS Elastic Kubernetes Service (EKS) IAM Roles for Service Accounts (IRSA) authentication can be used to allow SingleStore cluster pods to communicate with S3 buckets (data, backup and pipelines).
This applies to Operator deployments only and is supported for SingleStore Engine version >= 8.
The following steps enable IRSA:
-
Set the
enable_global variable toeks_ irsa ON. -
Create an IAM role with proper policies attached to choose which services the role can access and the scope of access for those services.
-
Create a Kubernetes service account with annotation using the IAM role arn.
apiVersion: v1 kind: ServiceAccount metadata: annotations: eks.amazonaws.com/role-arn: arn:aws:iam::<aws_account_id>:role/<role_name> name: <service_account_name> # Must be set to the name of the cluster -
Update the Memsql CR spec with the service account name from the step above.
apiVersion: v1alpha1 type: MemsqlCluster metadata: name: <name> # This is the name of the cluster spec: ... serviceAccountName: <service_account_name> backupSpec: credsMode: "eks_irsa" CloudServiceProvider: "AWS" bucketName: "<bucket_name>" s3Region: "<bucket_region; e.g. us-east-1>" -
Operator will restart the nodes and mount the JWT token to each node.
-
Update the SQL statements to use the hint
creds_mode: eks_ irsa -
Data:
CREATE LINK <db_name> AS S3 CREDENTIALS '{}' CONFIG '{"region":"us-east-1", "creds_mode":"eks_irsa"}' -
Pipelines:
CREATE PIPELINE <pipeline_name> AS LOAD DATA S3 'path' CONFIG '{"region": "us-east-1", "creds_mode": "eks_irsa"} -
Backup:
BACKUP DATABASE <db_name> TO S3 "<bucket_name/path>" CONFIG '{"region":"us-east-1", “creds_mode”: “eks_irsa”}' CREDENTIALS '{}'; -
Restore:
RESTORE DATABASE <db_name> FROM S3 'bucket_name/path' CONFIG '{"region":"us-east-1", "creds_mode":"eks_irsa"}' CREDENTIALS '{}';
-
Last modified: December 13, 2024