kubecost / cloudformation Goto Github PK

Here:

From kubecost/docs#36

The CFN templated provided here doesn't work for us.

It failed and returned:

The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_- (Service: AmazonIdentityManagement; Status Code: 400; Error Code: ValidationError; Request ID: 5a7f79d8-b788-432e-bdb9-e2a776e48312; Proxy: null)

Hi,

I am a bit confused at Step 3 in this page https://guide.kubecost.com/hc/en-us/articles/4407595928087-AWS-Cloud-Integration

i'm at
My kubernetes clusters all run in the same account as the master payer account.
Download this file: https://raw.githubusercontent.com/kubecost/cloudformation/master/kubecost-single-account-permissions.yaml
...

the webpage says

Set the following parameters:

AthenaCURBucket: The bucket where the CUR is sent from the “Setting up the CUR” step
SpotDataFeedBucketName: Optional. The bucket where the spot data feed is sent from the “Setting up the Spot Data feed” step (see below)

while the actual yaml is

Parameters:
  AthenaCURBucket:
    Description: The bucket that athena results are written to
    Type: String
  SpotDataFeedBucketName:
    Description: Optional. The AWS account ID containing the cluster with kubecost.
    Type: String

so which bucket do i specify for AthenaCURBucket?
the one from Step 1: Setting up the CUR
or one from Step 2: Setting up Athena (aws-athena-query-results-*)

Many of the descriptions have smart quotes in them, like this:

Description: The bucket where the CUR is sent from the “Setting up the CUR” step.

• https://github.com/kubecost/cloudformation/blob/master/kubecost-masterpayer-account-permissions.yaml#L8C5-L8C86

Although this can be applied, those are converted to question marks (?), and tools like Terraform will see these as constantly being out of sync. Instead, they should be replaced with normal ASCII single (') or double quotes ("), like this:

Description: 'The bucket where the CUR is sent from the "Setting up the CUR" step.'

This was already noticed and fixed in #14 among the other changes that were in that PR.

Report from user (Tristan):

https://github.com/kubecost/cloudformation/blob/master/kubecost-sub-account-permissions.yaml#L41-L42 is missing a PolicyName value and throws an error on installation.

Here is missing a !Sub:

This can be a security issue because all roles of the child account can access the CUR data in this way.

The safest solution is to restrict only to the role created here: https://github.com/kubecost/cloudformation/blob/master/kubecost-sub-account-permissions.yaml#L18

Hello,

I tried to use the kubecost-single-account-permissions Cloudformation template but i had an issue resulting in a 403 in Kubecost due to wrong IAM permissions

Cloudformation does not replace AthenaCURBucket to the wanted target. Here is the result in the IAM policy :

        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::${AthenaCURBucket}*"
            ],
            "Effect": "Allow",
            "Sid": "S3ReadAccessToAwsBillingData"
        }

It works by replacing this part to the following syntax

        - Sid: S3ReadAccessToAwsBillingData
          Effect: Allow
          Action:
          - s3:Get*
          - s3:List*
          Resource:
            'Fn::Join':
              - ''
              - - 'arn:aws:s3:::'
                - !Ref AthenaCURBucket
                - "*"

Best regards

Here: