Please ensure you have completed all necessary prerequisite steps before moving on to the Workflow section below.
All required prerequisite steps can be found in the prerequisites section.
Please utilise the Glossary for any terms or acronyms found in this documentation which you may find unclear.
First, an AccountPool must be created to specify how many AWS accounts should be kept ready. The operator then creates that number of accounts.
When Hive receives a new cluster request, an AccountClaim is created in its own unique namespace, with a name equal to the desired name of the cluster.
The operator links the AccountClaim to an unclaimed Account CR in the pool and creates the required k8s secrets, placing them in the AccountClaim's namespace.
The operator then tops the AccountPool back up to its configured size. Hive uses the secrets to create the AWS resources for the new cluster.
For more information on how this process is done, please refer to the Custom Resources and Controllers page.
The commands below can be used to test Payer Account credentials by creating a new account inside the Payer Account's organization.
Step 1 only requests the account; creation is asynchronous, so step 2 is repeated until the new account appears in the organization's account list and returns its 12-digit account ID.
Using that account ID, step 3 tests that our IAM user has sts:AssumeRole permission on the OrganizationAccountAccessRole in the new account.
The OrganizationAccountAccessRole is created automatically when a new account is created under the organization (accounts that are invited into an existing organization do not get it automatically), and it grants full administrative access to that account, so the returned temporary credentials must be handled accordingly.
# Step 1: request the account (asynchronous; the response carries a CreateAccountStatus.Id you can poll with describe-create-account-status)
aws organizations create-account --email "username+cli-test@redhat.com" --account-name "username-cli-test" --profile=orgtest
# Step 2: repeat until the new account is listed; prints only its 12-digit account ID
aws organizations list-accounts --profile=orgtest | jq -r '.Accounts[] | select(.Name=="username-cli-test") | .Id'
# Step 3: substitute the account ID from step 2 for <ID>; success returns temporary credentials for the new account
aws sts assume-role --role-arn arn:aws:iam::<ID>:role/OrganizationAccountAccessRole --role-session-name username-cli-test --profile=orgtest
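The three steps above, carried through end to end as an added example (this is not code from the operator's repository). It drives the same aws CLI via subprocess, so the profile name "orgtest" and the account name and email are assumed to match the commands above. Instead of re-running list-accounts by hand, it polls describe-create-account-status (the Organizations API for the asynchronous create-account request) until the state is SUCCEEDED or FAILED, cross-checks the ID against list-accounts, and, after assume-role, runs sts get-caller-identity with the temporary credentials to confirm the session actually lives in the new account rather than trusting that assume-role returned anything at all. The parsing and polling logic is split into small functions so it can be exercised without AWS access.

```python
"""Test payer-account credentials: create a member account, wait for it,
assume OrganizationAccountAccessRole in it, and verify the assumed identity."""
import json
import os
import subprocess
import sys
import time

PROFILE = "orgtest"  # assumed: the named CLI profile used by the commands above
ROLE_NAME = "OrganizationAccountAccessRole"


def aws(*args, profile=PROFILE, env=None):
    """Run one aws CLI command and return its JSON output as a dict.

    When `env` carries temporary credentials, no --profile is passed: the
    profile's long-lived keys would otherwise be used instead of the session.
    """
    cmd = ["aws", *args, "--output", "json"]
    if env is None:
        cmd += ["--profile", profile]
    run_env = {**os.environ, **env} if env else None
    result = subprocess.run(cmd, check=True, capture_output=True, text=True, env=run_env)
    return json.loads(result.stdout)


def parse_create_status(doc):
    """Return (State, AccountId, FailureReason) from a create-account or
    describe-create-account-status response. AccountId is None until SUCCEEDED."""
    status = doc["CreateAccountStatus"]
    return status["State"], status.get("AccountId"), status.get("FailureReason")


def find_account_id(list_doc, name):
    """Same lookup as the jq select() in step 2: the Id of the member account
    whose Name matches, or None if it is not listed yet."""
    for account in list_doc.get("Accounts", []):
        if account.get("Name") == name:
            return account["Id"]
    return None


def role_arn(account_id, role_name=ROLE_NAME):
    """Build the step-3 role ARN, refusing anything that is not a 12-digit
    account ID so a bad filter (or a leftover '<ID>') cannot yield a bogus ARN."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def wait_for_account(request_id, poll, interval=5, timeout=600, sleep=time.sleep):
    """Poll until the create-account request is SUCCEEDED and return the
    AccountId; raise on FAILED or timeout. `poll` and `sleep` are injectable."""
    deadline = time.monotonic() + timeout
    while True:
        state, account_id, reason = parse_create_status(poll(request_id))
        if state == "SUCCEEDED":
            return account_id
        if state == "FAILED":
            raise RuntimeError(f"account creation failed: {reason}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"request {request_id} still {state} after {timeout}s")
        sleep(interval)


def describe_status(request_id):
    return aws("organizations", "describe-create-account-status",
               "--create-account-request-id", request_id)


def credentials_env(assume_role_doc):
    """Map an sts assume-role response onto the env vars the CLI reads."""
    creds = assume_role_doc["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def check_payer_credentials(email, name):
    """Steps 1-3 from the page plus a get-caller-identity check."""
    # Step 1: request the account; the response only carries a request ID
    resp = aws("organizations", "create-account", "--email", email, "--account-name", name)
    request_id = resp["CreateAccountStatus"]["Id"]

    # Step 2: wait for creation, then confirm list-accounts agrees on the ID
    account_id = wait_for_account(request_id, describe_status)
    listed = find_account_id(aws("organizations", "list-accounts"), name)
    if listed != account_id:
        raise RuntimeError(f"list-accounts shows {listed!r}, expected {account_id}")

    # Step 3: prove sts:AssumeRole works, and that the session is in the new account
    session = aws("sts", "assume-role", "--role-arn", role_arn(account_id),
                  "--role-session-name", name)
    identity = aws("sts", "get-caller-identity", env=credentials_env(session))
    if identity["Account"] != account_id:
        raise RuntimeError(f"assumed session is in {identity['Account']}, not {account_id}")
    return account_id


if __name__ == "__main__":
    # usage: python3 check_payer.py "username+cli-test@redhat.com" username-cli-test
    print(check_payer_credentials(sys.argv[1], sys.argv[2]))
```

The get-caller-identity step is the check worth keeping even when testing by hand: a misconfigured profile with valid keys in the payer account would make assume-role succeed against some role, and comparing the returned Account to the ID from step 2 is what proves the trust path into the newly created account actually works.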