Skip to main content
New to Testkube? Unleash the power of cloud native testing in Kubernetes with Testkube. Get Started >

Installation with S3 Storage and IAM Authentication

To use S3 as storage, the steps are as follows:

1. Configure IAM role

Configure IAM role with the following permissions:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::<BUCKET>"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::<BUCKET>/*"
}
]
}

2. Establish Trust Relationship

A Trust Relationship needs to be established in the IAM role to allow the Testkube API's ServiceAccount to assume it:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/<CLUSTER_ID>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.us-east-1.amazonaws.com/id/<CLUSTER_ID>:sub": [
"system:serviceaccount:testkube-enterprise:testkube-enterprise-api",
"system:serviceaccount:testkube-enterprise:testkube-worker-service"
]
}
}
}
]
}

This will grant the Testkube API’s and Worker Service Accounts (testkube-enterprise-api and testkube-worker-service Service Account in the namespace testkube-enterprise) to assume the created Role which grants access to AWS S3.

3. Configure for AWS S3

The following configuration should be provided to the testkube-enterprise Helm chart to configure the Testkube API and Worker service to use AWS S3 for storage:

global:
storage:
endpoint: s3.amazonaws.com
region: <AWS_REGION>
outputsBucket: <BUCKET>
secure: true
accessKeyId: ""
secretAccessKey: ""

testkube-cloud-api:
serviceAccount:
create: true
name: testkube-enterprise-api
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>

testkube-worker-service:
serviceAccount:
create: true
name: testkube-worker-service
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>

minio:
enabled: false

You may also provide your own Service Account and in that case testkube-cloud-api.serviceAccount.create should be set to false and testkube-cloud-api.serviceAccount.name should be set to the name of the external Service Account.

note

accessKeyId and secretAccessKey must be set to "" in order auth to be defaulted to IAM-based.