How do I set up AWS nanitor-readonly-user and roles for Nanitor?

In order to scan Docker images on AWS, Nanitor needs to be able to collect from EKS and read from ECR.

First, set up some environment variables to make scripting the installation easier. Change the values to suit your environment.

export AWS_PROFILE="root"
export AWS_ACCOUNT="153144908176"
export AWS_REGION="us-east-1"
export KUBE_CONFIG_EKS_ROOT="/home/user/.kube/eks-root.yaml"
export KUBE_CLUSTER_NAME="NANITOR_CLUSTER"

Download the default nanitor-readonly-policy from https://nanitor.io/files/aws-documents/nanitor-read-only-policy.json, edit it as required, save it as /tmp/nanitor-read-only-policy.json, and then add it to your AWS account with the CLI tools.

curl -o /tmp/nanitor-read-only-policy.json https://nanitor.io/files/aws-documents/nanitor-read-only-policy.json
# --policy-document accepts inline JSON or a file:// path, not an https URL, so use the edited local copy
aws iam create-policy --profile $AWS_PROFILE --policy-name nanitor-readonly-policy --policy-document file:///tmp/nanitor-read-only-policy.json

From that response, save the ARN for referencing the policy.

aws iam create-user --profile $AWS_PROFILE --user-name=nanitor-readonly-user

Then attach the policy to the new user by its ARN and create an access key for the user.

aws iam attach-user-policy --profile $AWS_PROFILE --user-name=nanitor-readonly-user --policy-arn=arn:aws:iam::$AWS_ACCOUNT:policy/nanitor-readonly-policy
aws iam create-access-key --profile $AWS_PROFILE --user-name nanitor-readonly-user

Save the response and add it to ~/.aws/credentials (on the system running these commands and also on the Nanitor collector device):

[nanitor-readonly-user]
aws_secret_access_key = FROMRESPONSE
aws_access_key_id = FROMRESPONSE

Now map the AWS nanitor-readonly-user to a Kubernetes user. This step requires a Kubernetes user with full privileges: export the aws-auth ConfigMap with kubectl.

kubectl --kubeconfig=$KUBE_CONFIG_EKS_ROOT -n kube-system get configmap aws-auth -o yaml > aws-auth.yaml

Edit aws-auth.yaml and add a mapUsers section similar to this (kubectl does not expand shell variables, so replace $AWS_ACCOUNT with the literal account ID):

mapUsers:
  - userarn: arn:aws:iam::$AWS_ACCOUNT:user/nanitor-readonly-user
    username: nanitor-readonly-user

Update the AWS auth binding.

kubectl --kubeconfig=$KUBE_CONFIG_EKS_ROOT apply -f aws-auth.yaml

Create a cluster role nanitor-readonly-role and bind nanitor-readonly-user to it.

kubectl --kubeconfig=$KUBE_CONFIG_EKS_ROOT apply -f https://nanitor.io/files/aws-documents/kube/nanitor-readonly-user-role.yaml
kubectl --kubeconfig=$KUBE_CONFIG_EKS_ROOT apply -f https://nanitor.io/files/aws-documents/kube/nanitor-readonly-user-role-binding.yaml

Create the kubeconfig and copy it to the Nanitor collector.

Make sure you have added the nanitor-readonly-user profile to ~/.aws/credentials on the system you are running these commands on.

aws eks --profile nanitor-readonly-user --region $AWS_REGION update-kubeconfig --name $KUBE_CLUSTER_NAME --kubeconfig=/tmp/kube-nanitor-readonly-user.yaml
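The following helper script is an added example, not part of the Nanitor documentation. It covers two checks the procedure above leaves to the reader: rendering the aws-auth mapUsers entry with the literal account ID (kubectl does not expand $AWS_ACCOUNT), and confirming that the generated kubeconfig really is read-only with kubectl auth can-i. The function names, the verify.sh file name and the NANITOR_KUBECONFIG variable are this example's own.

```shell
#!/bin/sh
# Added example, not Nanitor's code. Two checks the procedure leaves to the reader:
#  1. kubectl does not expand shell variables, so the userarn in aws-auth.yaml
#     must carry the literal 12-digit account ID, not "$AWS_ACCOUNT".
#  2. After update-kubeconfig, confirm the nanitor-readonly-user kubeconfig can
#     read but not change workloads.
# render_map_users, verify_readonly_kubeconfig and NANITOR_KUBECONFIG are names
# chosen for this example.

# Render the mapUsers entry for the aws-auth ConfigMap. In aws-auth, mapUsers is
# a string block under data:, hence the "|" literal indicator.
render_map_users() {
  account="$1"
  user="$2"
  if ! printf '%s' "$account" | grep -Eq '^[0-9]{12}$'; then
    echo "invalid AWS account id: '$account' (expected 12 digits)" >&2
    return 1
  fi
  printf '  mapUsers: |\n    - userarn: arn:aws:iam::%s:user/%s\n      username: %s\n' \
    "$account" "$user" "$user"
}

# Exercise the generated kubeconfig with 'kubectl auth can-i': reads must be
# allowed and writes denied. Needs kubectl and network access to the cluster.
verify_readonly_kubeconfig() {
  kubeconfig="$1"
  rc=0
  for verb in get list; do
    kubectl --kubeconfig="$kubeconfig" auth can-i "$verb" pods --all-namespaces >/dev/null 2>&1 \
      || { echo "FAIL: '$verb pods' denied; check the role binding" >&2; rc=1; }
  done
  for verb in create delete; do
    if kubectl --kubeconfig="$kubeconfig" auth can-i "$verb" pods --all-namespaces >/dev/null 2>&1; then
      echo "FAIL: read-only user may '$verb pods'; the role is too broad" >&2
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK: kubeconfig is read-only for pods"
  return $rc
}

# Usage when run directly (AWS_ACCOUNT is the variable defined at the top of the page):
#   AWS_ACCOUNT=... sh verify.sh render
#   NANITOR_KUBECONFIG=/tmp/kube-nanitor-readonly-user.yaml sh verify.sh verify
case "${1:-}" in
  render) render_map_users "${AWS_ACCOUNT:-}" nanitor-readonly-user ;;
  verify) verify_readonly_kubeconfig "${NANITOR_KUBECONFIG:-/tmp/kube-nanitor-readonly-user.yaml}" ;;
esac
```

Paste the output of the render step under data: in aws-auth.yaml before applying it; run the verify step from the collector once the kubeconfig has been copied there.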