document some of the required AWS config

This commit is contained in:
Ryan Richard
2025-02-26 13:26:24 -08:00
parent d4d800a22c
commit 948e64df7e
3 changed files with 26 additions and 1 deletions

@@ -163,6 +163,26 @@ This requires the following:
The CI jobs will create and delete AKS clusters in a Resource Group called `pinniped-ci` within the provided Subscription.
## Configure AWS for CI to test on EKS
There are several CI jobs which test that Pinniped works when installed on Amazon's EKS.
For these jobs to run, they need to be able to create and delete ephemeral EKS clusters.
There are also some jobs to cleanup any orphaned resources (e.g. IP addresses) in the AWS account.
These jobs requires the following:
1. An active AWS account, which will only be used for this purpose.
2. Two IAM users in that account, each with a role that can be assumed.
These IAM users which should only be used for Pinniped CI and no other purpose.
They should only have permissions to perform AWS actions in the relevant AWS account, and no other account.
3. The first user and role should have permission to create and delete EKS clusters using `eksctl`.
The permissions required can be found in the [eksctl docs](https://eksctl.io/usage/minimum-iam-policies).
The user also needs permission to run `aws logs put-retention-policy`, `aws ec2 describe-nat-gateways`,
and `aws ec2 delete-nat-gateway`.
4. The second user and role should have broad permissions to get and delete everything in the account.
It will be used to run `aws-nuke` to list and/or clean resources from the AWS account.
To use `aws-nuke`, the user also needs to have an AWS account alias
(see the [cleanup-aws task](pipelines/shared-tasks/cleanup-aws/task.sh) for details).
## Setting Up Active Directory Test Environment
To test the `ActiveDirectoryIdentityProvider` functionality, we have a long-running Active Directory Domain Controller
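Review bot: Two grammar slips in the added text: "These jobs requires the following:" should read "These jobs require the following:", and "These IAM users which should only be used for Pinniped CI and no other purpose." is a fragment; drop "which" so it reads "These IAM users should only be used for Pinniped CI and no other purpose." Separately, item 4 grants a user broad get/delete permissions for `aws-nuke`; since item 1 already says the account is dedicated to this purpose, it would be worth restating in item 4 that this user must never be given access to any other account, because the same credentials drive a tool whose job is to delete everything it can see.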

@@ -92,4 +92,7 @@ set +o pipefail
# continually send "tua-test1" to stdin to serve as a confirmation for aws-nuke.
# this is done in a loop since aws-nuke uses a new buffered reader to consume
# stdin each time it wants to accept input from the user.
# Note that the AWS account being used to run this tool must have an AWS account
# alias with this "tua-test1" name. See https://stackoverflow.com/a/54322848.
# If you assign the account a different alias, then you need to change it here too.
(while true; do echo tua-test1; sleep 1; done) | ${cmd}
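Review bot: The confirmation string "tua-test1" is hard-coded in the script while the new comment tells the reader to edit the script if the account alias differs. Consider reading the alias from a task parameter or environment variable (for example `${AWS_ACCOUNT_ALIAS:-tua-test1}`) so the script and the documented requirement cannot drift apart. Also, because this loop answers aws-nuke's confirmation prompt unattended, the comment should state that it is only safe when run against the dedicated CI account the docs describe.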

@@ -1,6 +1,6 @@
#!/bin/bash
# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
set -euo pipefail
@@ -32,6 +32,8 @@ echo "$CLUSTER_NAME" > name
# The kubeconfig file becomes the value of the lock in the pool.
echo "Creating $CLUSTER_NAME in $AWS_DEFAULT_REGION..."
# Note that the AWS account being used to run this command needs to have certain permissions.
# See https://eksctl.io/usage/minimum-iam-policies/ for permissions.
# See https://eksctl.io/usage/schema/ for documentation of this yaml.
cat <<EOF | eksctl create cluster -f - --kubeconfig "$ADMIN_KUBECONFIG" --profile service-account
apiVersion: eksctl.io/v1alpha5
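Review bot: The `eksctl create cluster` command relies on a profile named `service-account` (`--profile service-account`), but the docs hunk in this same commit describes the two IAM users and roles without naming the profile that this script expects. Add a sentence to the "Configure AWS for CI to test on EKS" section saying which user/role must be configured under that profile name, or reference the profile name in this comment, so someone setting up the account from the docs can match it to the script.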