Managing User Identities for JupyterHub on AWS EKS with IAM User Login Profiles

Question

Pulumi · Accepted Answer

To manage user identities for JupyterHub on an AWS Elastic Kubernetes Service (EKS) cluster, you would typically have a few key components:

1. **EKS Cluster**: The Kubernetes cluster running on AWS.
2. **IAM User**: AWS identity with permissions to interact with your infrastructure.
3. **IAM User Login Profile**: An IAM login profile for a user that allows IAM user authentication.

Let's break down the steps needed to set up these resources using Pulumi:

1. **Create an EKS Cluster**: Use the `aws.eks.Cluster` resource to provision a new EKS cluster.
2. **Create an IAM User**: Use the `aws.iam.User` resource to create a new IAM user.
3. **Create an IAM User Login Profile**: The `aws.iam.UserLoginProfile` resource creates a login profile for IAM user authentication.

Below is an example Pulumi program written in Python that demonstrates how to accomplish these tasks:

```python
import pulumi
import pulumi_aws as aws

# Create an AWS EKS Cluster.
# For more information, visit: https://www.pulumi.com/registry/packages/aws/api-docs/eks/cluster/
eks_cluster = aws.eks.Cluster("my-cluster",
    role_arn=my_cluster_role_arn,  # ARN of IAM role to attach to EKS cluster
    vpc_config=aws.eks.ClusterVpcConfigArgs(  # VPC configuration
        public_access_cidrs=["0.0.0.0/0"],
        security_group_ids=[my_security_group_id],  # Security group IDs
        subnet_ids=my_subnet_ids,  # Subnet IDs
    ))

# Create an IAM user for JupyterHub.
# For more information, visit: https://www.pulumi.com/registry/packages/aws/api-docs/iam/user/
jupyter_user = aws.iam.User("jupyter-user",
                            tags={"Purpose": "JupyterHubEKSUser"})

# Create a login profile for the IAM user to allow password-based authentication.
# For more information, visit: https://www.pulumi.com/registry/packages/aws/api-docs/iam/userloginprofile/
jupyter_user_login_profile = aws.iam.UserLoginProfile("jupyter-user-lp",
                                                      user=jupyter_user.name,
                                                      password_reset_required=True,
                                                      password=pulumi.Config("jupyterUserPassword").require_secret())  # Password retrieved from Pulumi configuration.

# Pulumi export: Output the necessary attributes.
pulumi.export("eks_cluster_name", eks_cluster.name)
pulumi.export("jupyter_user_name", jupyter_user.name)
pulumi.export("jupyter_user_login_profile", jupyter_user_login_profile.arn)
```

You'll need to supply a few variables like the `my_cluster_role_arn`, `my_security_group_id`, and `my_subnet_ids`, which you'll have from setting up your VPC and creating the IAM role for your cluster.

**Security Note**: It's important for security reasons not to hardcode passwords or sensitive data in your Pulumi program. Instead, use Pulumi Config to securely manage this data.

To run this program:

1. Install Pulumi and set up your AWS credentials.
2. Create a new Pulumi project using `pulumi new aws-python`.
3. Replace the contents of `__main__.py` with the code provided above.
4. Set the configuration secret for the user password using the Pulumi CLI: `pulumi config set --secret jupyterUserPassword [password_here]`.
5. Run `pulumi up` to preview and deploy your infrastructure.

With the resources set up using this program, you can then configure JupyterHub to integrate with AWS EKS using these AWS IAM identities.