kubecost / cloudformation
Templates to help set up kubecost permissions in AWS
Hello,
I tried to use the kubecost-single-account-permissions CloudFormation template, but I had an issue resulting in a 403 in Kubecost due to wrong IAM permissions.
CloudFormation does not replace AthenaCURBucket with the wanted target. Here is the result in the IAM policy:
{
  "Action": [
    "s3:Get*",
    "s3:List*"
  ],
  "Resource": [
    "arn:aws:s3:::${AthenaCURBucket}*"
  ],
  "Effect": "Allow",
  "Sid": "S3ReadAccessToAwsBillingData"
}
It works after replacing this part with the following syntax:
- Sid: S3ReadAccessToAwsBillingData
  Effect: Allow
  Action:
    - s3:Get*
    - s3:List*
  Resource:
    'Fn::Join':
      - ''
      - - 'arn:aws:s3:::'
        - !Ref AthenaCURBucket
        - "*"
Best regards
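The root cause in the report above is that a plain string containing `${AthenaCURBucket}` is never expanded by CloudFormation; only `!Sub` (`Fn::Sub`) does that, and the `Fn::Join` / `!Ref` form sidesteps the problem entirely. The following added example (not part of the kubecost project and not the reporter's code) is a small Python check that flags unexpanded placeholders in a rendered IAM policy document, plus a minimal evaluator for `Ref`, `Fn::Sub` and `Fn::Join` (assumed to cover only those three intrinsics, nothing else) showing that both fixed forms render to the same ARN. The sample statement is constructed from the policy quoted in the issue; the bucket name is a placeholder.

```python
import re

# Constructed sample: the rendered IAM statement from the issue, with the
# CloudFormation parameter placeholder left unexpanded in the Resource ARN.
BROKEN_STATEMENT = {
    "Sid": "S3ReadAccessToAwsBillingData",
    "Effect": "Allow",
    "Action": ["s3:Get*", "s3:List*"],
    "Resource": ["arn:aws:s3:::${AthenaCURBucket}*"],
}

# The two correct spellings of the same ARN. In YAML, `!Sub "..."` is
# {"Fn::Sub": "..."} and `!Ref X` is {"Ref": "X"}.
FIX_WITH_SUB = {"Fn::Sub": "arn:aws:s3:::${AthenaCURBucket}*"}
FIX_WITH_JOIN = {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "AthenaCURBucket"}, "*"]]}

PLACEHOLDER = re.compile(r"\$\{[^}]+\}")


def find_unexpanded(statements):
    """Return (Sid, resource) pairs whose Resource still contains a literal ${...}.

    A literal placeholder in a deployed policy means the template used a plain
    string where it needed !Sub; the resulting ARN matches nothing, so the
    principal gets a 403 instead of access to the intended bucket.
    """
    hits = []
    for st in statements:
        resources = st.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for r in resources:
            if isinstance(r, str) and PLACEHOLDER.search(r):
                hits.append((st.get("Sid", "<no Sid>"), r))
    return hits


def resolve(node, params):
    """Evaluate Ref / Fn::Sub / Fn::Join against a parameter map.

    Assumption: only these three intrinsics appear (no Fn::GetAtt, pseudo
    parameters, or the list form of Fn::Sub). Anything else is returned as-is.
    """
    if isinstance(node, dict) and len(node) == 1:
        key, val = next(iter(node.items()))
        if key == "Ref":
            return params[val]
        if key == "Fn::Sub":
            # Replace each ${Name} with the parameter value.
            return PLACEHOLDER.sub(lambda m: params[m.group(0)[2:-1]], val)
        if key == "Fn::Join":
            delim, parts = val
            return delim.join(resolve(p, params) for p in parts)
    return node


def render_statement(statement, params):
    """Return a copy of the statement with every Resource entry resolved."""
    out = dict(statement)
    out["Resource"] = [resolve(r, params) for r in statement["Resource"]]
    return out


if __name__ == "__main__":
    params = {"AthenaCURBucket": "example-cur-bucket"}  # placeholder value
    print("unexpanded:", find_unexpanded([BROKEN_STATEMENT]))
    print("Fn::Sub  ->", resolve(FIX_WITH_SUB, params))
    print("Fn::Join ->", resolve(FIX_WITH_JOIN, params))
```

Running `find_unexpanded` over the policy documents returned by `aws iam get-role-policy` (or over the JSON rendered by a CloudFormation change set) catches this class of mistake before anything depends on the permission; the check is cheap enough to run in CI against every template.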
Here:
From kubecost/docs#36
The CFN template provided here doesn't work for us.
It failed and returned:
The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_- (Service: AmazonIdentityManagement; Status Code: 400; Error Code: ValidationError; Request ID: 5a7f79d8-b788-432e-bdb9-e2a776e48312; Proxy: null)
Hi,
I am a bit confused at Step 3 on this page: https://guide.kubecost.com/hc/en-us/articles/4407595928087-AWS-Cloud-Integration
I'm at
My kubernetes clusters all run in the same account as the master payer account.
Download this file: https://raw.githubusercontent.com/kubecost/cloudformation/master/kubecost-single-account-permissions.yaml
...
the webpage says
Set the following parameters:
AthenaCURBucket: The bucket where the CUR is sent from the “Setting up the CUR” step
SpotDataFeedBucketName: Optional. The bucket where the spot data feed is sent from the “Setting up the Spot Data feed” step (see below)
while the actual YAML is
Parameters:
  AthenaCURBucket:
    Description: The bucket that athena results are written to
    Type: String
  SpotDataFeedBucketName:
    Description: Optional. The AWS account ID containing the cluster with kubecost.
    Type: String
So which bucket do I specify for AthenaCURBucket? The one from Step 1: Setting up the CUR, or the one from Step 2: Setting up Athena (aws-athena-query-results-*)?
A !Sub is missing here:
Here:
This can be a security issue because all roles of the child account can access the CUR data in this way.
The safest solution is to restrict only to the role created here: https://github.com/kubecost/cloudformation/blob/master/kubecost-sub-account-permissions.yaml#L18
Many of the descriptions have smart quotes in them, like this:
Description: The bucket where the CUR is sent from the “Setting up the CUR” step.
Although this can be applied, those are converted to question marks (?), and tools like Terraform will see these as constantly being out of sync. Instead, they should be replaced with normal ASCII single (') or double quotes ("), like this:
Description: 'The bucket where the CUR is sent from the "Setting up the CUR" step.'
This was already noticed and fixed in #14 among the other changes that were in that PR.
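To keep the typographic-quote problem described above from coming back, it helps to lint template text for non-ASCII quotes before it is committed. The following added example (not from the kubecost project and not the reporter's code) scans template text for the four common curly quotes, reports the offending lines, and rewrites them to ASCII; where a bare YAML `Description:` scalar would end up containing ASCII double quotes it wraps the value in single quotes, which is the form shown in the report. The sample template text is constructed for the example and is not the project's file.

```python
import re

# Typographic quotes that survive in the YAML but break downstream tooling.
SMART_QUOTES = {
    "\u201c": '"',  # left double quotation mark
    "\u201d": '"',  # right double quotation mark
    "\u2018": "'",  # left single quotation mark
    "\u2019": "'",  # right single quotation mark
}

# Constructed sample (not the project's template): line 3 carries smart quotes,
# line 6 is already an ASCII single-quoted scalar and must be left alone.
SAMPLE_TEMPLATE = (
    "Parameters:\n"
    "  AthenaCURBucket:\n"
    "    Description: The bucket where the CUR is sent from the \u201cSetting up the CUR\u201d step.\n"
    "    Type: String\n"
    "  SpotDataFeedBucketName:\n"
    "    Description: 'Optional. The bucket where the spot data feed is sent.'\n"
    "    Type: String\n"
)

DESCRIPTION_LINE = re.compile(r"^(\s*Description:\s*)(.*)$")


def find_smart_quotes(text):
    """Return (line_number, line) for every line containing a typographic quote."""
    return [
        (n, line)
        for n, line in enumerate(text.splitlines(), start=1)
        if any(ch in line for ch in SMART_QUOTES)
    ]


def asciify_line(line):
    """Replace smart quotes on one line.

    If the line is a YAML Description whose value is an unquoted scalar and
    now contains ASCII double quotes, wrap the whole value in single quotes
    (doubling any embedded single quote) so YAML still reads it as one string.
    """
    fixed = "".join(SMART_QUOTES.get(ch, ch) for ch in line)
    m = DESCRIPTION_LINE.match(fixed)
    if m:
        prefix, value = m.groups()
        already_quoted = value.startswith("'") or value.startswith('"')
        if '"' in value and not already_quoted:
            value = "'" + value.replace("'", "''") + "'"
            fixed = prefix + value
    return fixed


def asciify(text):
    """Apply asciify_line to every line, preserving a trailing newline."""
    body = "\n".join(asciify_line(line) for line in text.splitlines())
    return body + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for n, line in find_smart_quotes(SAMPLE_TEMPLATE):
        print(f"line {n}: {line.strip()}")
    print(asciify(SAMPLE_TEMPLATE))
```

A one-line pre-commit hook that fails when `find_smart_quotes` returns anything is enough to enforce the rule; the rewrite is for fixing existing files, and the result should still be reviewed, since the single-quote wrapping only handles `Description:` lines.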
Report from user (Tristan):
https://github.com/kubecost/cloudformation/blob/master/kubecost-sub-account-permissions.yaml#L41-L42 is missing a PolicyName value and throws an error on installation.