Prerequisites

List of Prerequisites for Protegrity Anonymization.

Ensure the following prerequisites are met:

  1. Tools:

    • helm and kubectl are installed and configured with access to the Protegrity Provisioned Cluster (PPC).
    • pip is installed in the Python Virtual Environment.
  2. AWS Setup:

    • A Protegrity Provisioned Cluster (PPC) is available.
      For more information about PPC, refer to Protegrity Provisioned Cluster.
    • An AWS account with CLI credentials for configuring AWS is available.
    • An existing VPC with at least two private subnets is available.
    • An S3 bucket for storing anonymization artifacts is available and must exist before installation. The S3 bucket should not be KMS encrypted. The bucket must use default SSE-S3 encryption or no encryption.
    • An IAM role (for example, arn:aws:iam::<Account_ID>:role/<Role_Name>) with the required S3 permissions (s3:ListBucket, s3:GetObject, s3:PutObject, s3:DeleteObject) must exist before installation.
    • Sufficient permissions to create namespaces, deployments, secrets, and services.
    • Ensure that the jumpbox can connect to the required repositories. If not already authenticated, then log in to the required repository.
      • For connecting and deploying from the Protegrity Container Registry (PCR), use the following command and the credentials obtained from the My.Protegrity portal during account creation:
          helm registry login registry.protegrity.com:9443
      • For connecting and deploying to the local repository, use your local credentials and local repository endpoint as required.
  3. IRSA and OIDC Configurations:

    • AWS Bootstrap access to create IRSA and OIDC configurations is included in the Helm package.

      Note: It is recommended to execute the OIDC setup once with assistance from IT, as it requires elevated AWS permissions.
      The following AWS permissions are required to perform the OIDC setup:
      iam:CreateOpenIDConnectProvider, iam:ListOpenIDConnectProviders, iam:DeleteOpenIDConnectProvider, eks:DescribeCluster, iam:GetRole, iam:UpdateAssumeRolePolicy, sts:GetCallerIdentity, iam:GetPolicy, iam:CreatePolicy, iam:ListAttachedRolePolicies, iam:AttachRolePolicy

    • Sample Roles and Permissions JSON

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "EKSDescribeCluster",
              "Effect": "Allow",
              "Action": "eks:DescribeCluster",
              "Resource": "arn:aws:eks:<REGION>:<ACCOUNT_ID>:cluster/<CLUSTER_NAME>"
            },
            {
              "Sid": "OIDCProviderList",
              "Effect": "Allow",
              "Action": "iam:ListOpenIDConnectProviders",
              "Resource": "*"
            },
            {
              "Sid": "OIDCProviderCreate",
              "Effect": "Allow",
              "Action": "iam:CreateOpenIDConnectProvider",
              "Resource": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/*"
            },
            {
              "Sid": "IAMRoleManagement",
              "Effect": "Allow",
              "Action": [
                "iam:GetRole",
                "iam:UpdateAssumeRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:AttachRolePolicy"
              ],
              "Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
            },
            {
              "Sid": "IAMPolicyManagement",
              "Effect": "Allow",
              "Action": [
                "iam:GetPolicy",
                "iam:CreatePolicy"
              ],
              "Resource": "arn:aws:iam::<ACCOUNT_ID>:policy/<IAM_ROLE_NAME>_<S3_BUCKET_NAME>_<NAMESPACE>_S3Policy"
            },
            {
              "Sid": "STSIdentity",
              "Effect": "Allow",
              "Action": "sts:GetCallerIdentity",
              "Resource": "*"
            }
          ]
        }
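
An added example, not part of the Protegrity documentation or Helm package: a static check that compares the required OIDC setup permissions listed above against a policy document before it is handed to IT. The function names are hypothetical, and the check reads only Effect and Action (it ignores Deny, NotAction, Condition, and Resource scoping). Run on the sample policy, it reports iam:DeleteOpenIDConnectProvider, which is in the required list but not granted by the sample JSON.

```python
import fnmatch
import json

# Actions the page lists as required for the OIDC setup.
REQUIRED_ACTIONS = [
    "iam:CreateOpenIDConnectProvider", "iam:ListOpenIDConnectProviders",
    "iam:DeleteOpenIDConnectProvider", "eks:DescribeCluster", "iam:GetRole",
    "iam:UpdateAssumeRolePolicy", "sts:GetCallerIdentity", "iam:GetPolicy",
    "iam:CreatePolicy", "iam:ListAttachedRolePolicies", "iam:AttachRolePolicy",
]

# The page's sample policy, compacted. Resource values keep the page's placeholders.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "EKSDescribeCluster", "Effect": "Allow", "Action": "eks:DescribeCluster",
   "Resource": "arn:aws:eks:<REGION>:<ACCOUNT_ID>:cluster/<CLUSTER_NAME>"},
  {"Sid": "OIDCProviderList", "Effect": "Allow",
   "Action": "iam:ListOpenIDConnectProviders", "Resource": "*"},
  {"Sid": "OIDCProviderCreate", "Effect": "Allow", "Action": "iam:CreateOpenIDConnectProvider",
   "Resource": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/*"},
  {"Sid": "IAMRoleManagement", "Effect": "Allow",
   "Action": ["iam:GetRole", "iam:UpdateAssumeRolePolicy",
              "iam:ListAttachedRolePolicies", "iam:AttachRolePolicy"],
   "Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>"},
  {"Sid": "IAMPolicyManagement", "Effect": "Allow",
   "Action": ["iam:GetPolicy", "iam:CreatePolicy"],
   "Resource": "arn:aws:iam::<ACCOUNT_ID>:policy/<IAM_ROLE_NAME>_<S3_BUCKET_NAME>_<NAMESPACE>_S3Policy"},
  {"Sid": "STSIdentity", "Effect": "Allow", "Action": "sts:GetCallerIdentity", "Resource": "*"}
]}
""")

def _as_list(value):
    """IAM accepts a single item or a list for both Statement and Action."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def allowed_patterns(policy):
    """Lower-cased Action patterns from every Allow statement (action names are case-insensitive)."""
    return [a.lower() for s in _as_list(policy.get("Statement"))
            if s.get("Effect") == "Allow" for a in _as_list(s.get("Action"))]

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions that no Allow statement covers; '*' and '?' wildcards are honoured."""
    patterns = allowed_patterns(policy)
    return [a for a in required
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]

if __name__ == "__main__":
    print(missing_actions(SAMPLE_POLICY))
```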
      

Last modified : April 13, 2026