Installation with S3 Storage and IAM Authentication
To use S3 as storage, the steps are as follows:
1. Configure IAM role
Configure IAM role with the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::<BUCKET>"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<BUCKET>/*"
    }
  ]
}
2. Establish Trust Relationship
A Trust Relationship needs to be established in the IAM role to allow the Testkube API's ServiceAccount to assume it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/<CLUSTER_ID>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/<CLUSTER_ID>:sub": [
              "system:serviceaccount:testkube-enterprise:testkube-enterprise-api",
              "system:serviceaccount:testkube-enterprise:testkube-worker-service"
          ]
        }
      }
    }
  ]
}
This allows the Testkube API and Worker Service Accounts (the testkube-enterprise-api and testkube-worker-service Service Accounts in the testkube-enterprise namespace) to assume the created role, which grants access to AWS S3.
3. Configure for AWS S3
The following configuration should be provided to the testkube-enterprise Helm chart to configure the Testkube API and Worker service to use AWS S3 for storage:
global:
  storage:
    endpoint: s3.amazonaws.com
    region: <AWS_REGION>
    outputsBucket: <BUCKET>
    secure: true
    accessKeyId: ""
    secretAccessKey: ""
    
testkube-cloud-api:
  serviceAccount:
    create: true
    name: testkube-enterprise-api
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
testkube-worker-service:
  serviceAccount:
    create: true
    name: testkube-worker-service
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
minio:
  enabled: false
You may also provide your own Service Account. In that case, testkube-cloud-api.serviceAccount.create should be set to false and testkube-cloud-api.serviceAccount.name should be set to the name of the external Service Account.
accessKeyId and secretAccessKey must be set to "" so that authentication defaults to IAM-based.
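The trust relationship in step 2 only works if its :sub entries match the namespace and Service Account names set in step 3, and it only stays least-privilege if nothing else is listed. The following check is an added example, not part of Testkube or its Helm chart: sample_policy and check_trust_policy are hypothetical names, and the account and cluster IDs are made-up stand-ins for the placeholders above.

```python
import json

# Constructed issuer with a made-up cluster ID, standing in for <CLUSTER_ID>.
ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLECLUSTERID"
ACTION = "sts:AssumeRoleWithWebIdentity"


def sample_policy(subjects, operator="StringEquals"):
    """Constructed trust policy shaped like step 2 (made-up account ID)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": ACTION,
        "Condition": {operator: {f"{ISSUER}:sub": subjects}},
    }]}


def as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, namespace, service_accounts):
    """Return findings; an empty list means exactly the expected subjects are trusted."""
    expected = {f"system:serviceaccount:{namespace}:{sa}" for sa in service_accounts}
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or ACTION not in as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        sub_key = str(federated).split(":oidc-provider/", 1)[-1] + ":sub"
        cond = stmt.get("Condition", {})
        for op, keys in cond.items():
            # Pattern operators such as StringLike can match more than one subject.
            if op != "StringEquals" and sub_key in keys:
                findings.append(f"{sub_key} is matched with {op}, not StringEquals")
        trusted = set(as_list(cond.get("StringEquals", {}).get(sub_key, [])))
        if not trusted:
            findings.append("no exact-match :sub condition pins the role to a ServiceAccount")
            continue
        findings += [f"unexpected subject trusted: {s}" for s in sorted(trusted - expected)]
        findings += [f"ServiceAccount cannot assume the role: {s}" for s in sorted(expected - trusted)]
    return findings


if __name__ == "__main__":
    accounts = ["testkube-enterprise-api", "testkube-worker-service"]
    page_policy = sample_policy([f"system:serviceaccount:testkube-enterprise:{a}" for a in accounts])
    print(json.dumps(check_trust_policy(page_policy, "testkube-enterprise", accounts), indent=2))
```

To check a real role, pass the parsed trust policy document in place of the constructed one, together with the namespace and Service Account names from your Helm values.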