AWS Marketplace configuration
Sextant for Sawtooth itself runs under the default service account. However, since it is an AWS Marketplace metered product, certain IAM privileges need to be assigned to this service account for it to operate correctly.
NOTE it is only necessary to configure your cluster once.
Step 1
Make sure that your cluster is associated with an OIDC identity provider (IdP) in AWS. If you have not already done this, it may be accomplished via the following command:
eksctl utils associate-iam-oidc-provider \
--cluster <CLUSTER_NAME> \
--region <REGION_NAME> \
--approve
NOTE if this command fails, try --name (now deprecated) in place of --cluster, or update your version of eksctl.
Step 2
Make sure that your cluster's default service account is allowed to set up metered products. If you have not already done this, it may be accomplished via the following commands.
First check to see whether you have already created the marketplace-register-usage policy. For example, if you have previously installed Sextant for DAML on another cluster using the same AWS credentials, this policy should already exist.
aws iam list-policies | grep marketplace-register-usage
If this is successful, note the ARN of the policy and go to Step 3. Otherwise, create a file called policy or similar containing the following text:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"aws-marketplace:RegisterUsage"
],
"Resource": "*"
}
]
}
Then create the marketplace-register-usage policy via the following command and note its ARN:
aws iam create-policy --policy-name "marketplace-register-usage" --policy-document file://policy
Step 3
Now we need to attach this policy to the default service account using eksctl.
eksctl create iamserviceaccount --cluster=<CLUSTER_NAME> --region=<REGION_NAME> --name=default --namespace=default \
--attach-policy-arn=<POLICY_ARN> \
--override-existing-serviceaccounts \
--approve
NOTE You may specify --attach-policy-arn as many times as necessary to attach any other permissions you require.
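A read-only check of what Steps 2 and 3 leave behind, added here as an example and not part of the Sextant documentation: it confirms that a policy document allows only aws-marketplace:RegisterUsage and that the default service account carries the eks.amazonaws.com/role-arn annotation. The role is bound to the default service account of the default namespace, so every pod running under that account receives whatever policies are attached to it, including any extra ones added per the NOTE above. The sample documents, account ID and role name are constructed; in practice the inputs would be the output of aws iam get-policy-version and kubectl get serviceaccount default -n default -o json.

```python
import json

EXPECTED_ACTIONS = {"aws-marketplace:RegisterUsage"}   # the only action the page's policy grants
ROLE_ANNOTATION = "eks.amazonaws.com/role-arn"         # set on the service account by IRSA

def _as_list(value):
    # IAM allows a single string/object where a list is expected
    return value if isinstance(value, list) else [value]

def policy_findings(policy_doc):
    """Return problems found in an IAM policy document; an empty list means it
    allows aws-marketplace:RegisterUsage and nothing else."""
    findings, allowed = [], set()
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("Allow with NotAction grants every action not listed")
        allowed.update(_as_list(stmt.get("Action", [])))
    findings += [f"unexpected action allowed: {a}" for a in sorted(allowed - EXPECTED_ACTIONS)]
    if not EXPECTED_ACTIONS <= allowed:
        findings.append("aws-marketplace:RegisterUsage is not explicitly allowed")
    return findings

def service_account_role(sa_doc):
    """Return the IAM role ARN bound to a service account, or None when the
    annotation written in Step 3 is missing."""
    annotations = sa_doc.get("metadata", {}).get("annotations") or {}
    return annotations.get(ROLE_ANNOTATION)

# Constructed sample inputs (hypothetical account ID and role name).
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["aws-marketplace:RegisterUsage"], "Resource": "*"}]}
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["aws-marketplace:RegisterUsage", "s3:GetObject"], "Resource": "*"}]}
ANNOTATED_SA = json.loads("""{
  "kind": "ServiceAccount",
  "metadata": {"name": "default", "namespace": "default", "annotations": {
    "eks.amazonaws.com/role-arn": "arn:aws:iam::111122223333:role/example-sextant-role"}}
}""")
BARE_SA = {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "default"}}

if __name__ == "__main__":
    for name, doc in (("page policy", PAGE_POLICY), ("broad policy", BROAD_POLICY)):
        print(name, "->", policy_findings(doc) or "OK")
    for name, doc in (("annotated", ANNOTATED_SA), ("bare", BARE_SA)):
        print(name, "->", service_account_role(doc) or "no IAM role bound")
```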