Enabling bring your own key (BYOK) with KMS in OSD and ROSA
Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.
Prerequisites
- AWS account that meets the requirements for a Customer Cloud Subscription (CCS) cluster.
- AWS Key Management Service (KMS) policy that grants the IAM master role access to the KMS key.
Procedure
To use your own encryption key to encrypt the Amazon Elastic Block Store (EBS) volumes used by your cluster, you must configure the default EBS KMS key. Use AWS to set up your customer master key in the region where you are provisioning your cluster.
- Create a new KMS key (adjusting the TagKey, TagValue, and description as needed):

    aws kms create-key --tags TagKey=Purpose,TagValue=Test --description "My new KMS Key"

- Update the default KMS key used by Amazon Elastic Compute Cloud (EC2) for encrypting EBS volumes. This default is set per region, so be sure to update it in the region where you are provisioning your cluster. KMS_KEY_ARN holds the Arn value returned by the create-key command above:

    aws ec2 modify-ebs-default-kms-key-id --kms-key-id $KMS_KEY_ARN --region <region_name>

- Provision your cluster.
After the cluster is installed, the prometheus and alertmanager PVCs will be in a pending state.
- Grant access to the KMS key in the KMS policy.
You must use a KMS policy that allows the relevant master role access to your customer master key.
By default, the KMS policy only lists the account's root user as a principal. You must update the KMS policy so that it grants access to the master role in addition to the account's root user.
Note: Because the master role's name is generated at install time, the update to the KMS policy must be completed after cluster installation.
The master_role_name can be found in your AWS console under IAM roles and has this format:
<cluster_name>-<generated-string>-master-role
Here is an example of the generated role name: clustername-abcd-efgh-123-ij4k5-master-role

    {
      "Version": "2012-10-17",
      "Id": "key-default-1",
      "Statement": [
        {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::112233445566:root",
              "arn:aws:iam::112233445566:role/<master_role_name>"
            ]
          },
          "Action": "kms:*",
          "Resource": "*"
        }
      ]
    }

- You can add an additional policy statement to this KMS policy that grants only the necessary KMS actions to the master role.

The KMS key should now be available to the master role.
Once the KMS policy has been updated, the prometheus PVCs are created automatically using the specified KMS key for encryption.
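The following Python script is an added example, not part of this Red Hat page, that produces the updated key policy from the post-install step above. It starts from a constructed copy of the default policy that create-key attaches, builds the master role ARN from the generated role name, and offers both the page's broad approach (adding the role to the kms:* statement) and a narrower alternative that appends separate statements. The narrow action set (kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, kms:DescribeKey, plus grant actions conditioned on kms:GrantIsForAWSResource) is an assumption about what EC2 needs for EBS volumes and is not stated on the page; the account ID and role name are placeholders. Both functions refuse to emit a policy that no longer grants the account root kms:* access, since such a key can become unmanageable.

```python
import json
from copy import deepcopy

# Constructed sample input: the policy AWS attaches to a key created with
# `aws kms create-key` when no --policy is supplied. The account ID is a placeholder.
DEFAULT_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::112233445566:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

# Assumed (not from the page): the KMS actions EC2 needs to encrypt and attach
# EBS volumes with a customer managed key.
EBS_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]
EBS_GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def master_role_arn(account_id: str, master_role_name: str) -> str:
    """Build the ARN of the generated master role from its name, which follows
    the page's format <cluster_name>-<generated-string>-master-role."""
    if not master_role_name.endswith("-master-role") or master_role_name == "-master-role":
        raise ValueError(f"unexpected master role name: {master_role_name!r}")
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"account ID must be 12 digits: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{master_role_name}"


def _principals(stmt: dict) -> list:
    """Normalise Principal.AWS (string or list) to a list of ARNs."""
    aws = stmt.get("Principal", {}).get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def _has_root_admin(policy: dict) -> bool:
    """True if some Allow statement still grants the account root kms:*."""
    for s in policy["Statement"]:
        if s.get("Effect") == "Allow" and s.get("Action") in ("kms:*", ["kms:*"]) \
                and any(p.endswith(":root") for p in _principals(s)):
            return True
    return False


def grant_master_role_full(policy: dict, role_arn: str) -> dict:
    """The page's approach: add the master role as a second principal on the
    existing kms:* statement. Idempotent; the input is not modified."""
    new = deepcopy(policy)
    for s in new["Statement"]:
        if s.get("Sid") == "Enable IAM User Permissions":
            ps = _principals(s)
            if role_arn not in ps:
                ps.append(role_arn)
            s["Principal"]["AWS"] = ps
            break
    else:
        raise ValueError("no 'Enable IAM User Permissions' statement to extend")
    if not _has_root_admin(new):
        raise ValueError("refusing to emit a policy without root admin access")
    return new


def grant_master_role_least_privilege(policy: dict, role_arn: str) -> dict:
    """Leave the root statement untouched and append two narrow statements for
    the master role: key use, and grants only on behalf of an AWS service
    (what EC2 needs to attach the key to a volume). Idempotent."""
    if not _has_root_admin(policy):
        raise ValueError("refusing to extend a policy without root admin access")
    new = deepcopy(policy)
    sids = {s.get("Sid") for s in new["Statement"]}
    if "MasterRoleUseOfKey" not in sids:
        new["Statement"].append({
            "Sid": "MasterRoleUseOfKey", "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": list(EBS_USE_ACTIONS), "Resource": "*",
        })
    if "MasterRoleGrantsForAwsResources" not in sids:
        new["Statement"].append({
            "Sid": "MasterRoleGrantsForAwsResources", "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": list(EBS_GRANT_ACTIONS), "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        })
    return new


def allowed_actions_for(policy: dict, role_arn: str) -> set:
    """Actions that Allow statements grant the given principal; use it to check
    the result before applying the policy."""
    acts = set()
    for s in policy["Statement"]:
        if s.get("Effect") == "Allow" and role_arn in _principals(s):
            a = s["Action"]
            acts.update([a] if isinstance(a, str) else a)
    return acts


if __name__ == "__main__":
    arn = master_role_arn("112233445566", "clustername-abcd-efgh-123-ij4k5-master-role")
    updated = grant_master_role_least_privilege(DEFAULT_KEY_POLICY, arn)
    # Save the output as key-policy.json and apply it with:
    #   aws kms put-key-policy --key-id <key_id> --policy-name default --policy file://key-policy.json
    print(json.dumps(updated, indent=2))
```

Run allowed_actions_for on the result for the master role ARN before calling put-key-policy: with the broad variant it returns kms:*, with the narrow variant only the listed use and grant actions, and for the untouched default policy it returns nothing, which is why the PVCs stay pending until this step is done.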
Additional Resources:
See the Amazon Web Services reference for modify-ebs-default-kms-key-id for details about changing the default customer master key (CMK) for EBS encryption for your account in a region.