Use an AWS IAM Role / User to fetch kubernetes credentials in our deployer #381
Comments
Definitely! Checking in the static kubeconfig file, even when it is a quick way to do it and I think is OK for now for fast iteration, is somehow ringing 🔔 in my head 😉 .
The exported kubeconfig was generated as --admin=730h (we should handle this expiration with #381 and before the deadline ;-) and encrypted in-place using sops.
- Requested by Joe in 2i2c-org#291 (comment)
- Refresh auth credentials, they had expired. Fixed in 2i2c-org#381
Previous set of credentials have expired. We should fix this - 2i2c-org#381
Created a new user:
- Added the user to the 2i2c-engineers group
- Checked if the user was added to the group
- Got the credentials:
We identified a 2i2c-engineers group in Farallon AWS and we have created a deployer user under that group. We used common awscli commands to perform this task and retrieve the credentials. More details in [1]. Finally, we encrypted the file with sops in accordance with the currently established workflows to manage secret files. [1] #381 (comment)
So, we now have a PR for this one 😉 , #673.
Background
For AWS, we've checked in a static version of kubeconfig exported by kops, with a 30d lifetime. Instead, we should create an AWS IAM Role with just enough permissions to run
KUBECONFIG=secrets/farallon.yaml kops export kubecfg --admin=30m farallon-2i2c.k8s.local
and use that instead.
Expected timeline
The credentials for farallon in #379 last 30 days, so this is a ticking time bomb :D
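The expiry the thread keeps tripping over lives in the client certificate that `kops export kubecfg --admin=<duration>` embeds in the kubeconfig as `client-certificate-data`. The following is an added check, not code from the 2i2c repository or from kops, that reads that certificate's `notAfter` with the standard library only and reports how many days remain, so an expired checked-in kubeconfig is caught before a deploy fails. All function names are hypothetical, and the embedded kubeconfig and certificate are constructed fixtures (the certificate is an unsigned skeleton laid out per RFC 5280, enough for the DER walker; the walker itself also works on real DER certificates).

```python
"""Report remaining validity of the client certificate(s) embedded in a kubeconfig.

Added example, stdlib only. Scans the kubeconfig for `client-certificate-data`,
base64-decodes the DER certificate and walks tbsCertificate down to validity.notAfter.
"""
import base64
import re
from datetime import datetime, timedelta, timezone

_CERT_RE = re.compile(r"client-certificate-data:\s*([A-Za-z0-9+/=]+)")


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV at pos (definite lengths only)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield the TLVs directly inside a constructed element."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _parse_time(tag, raw):
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) to an aware UTC datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ; RFC 5280 century rule: YY >= 50 -> 19YY
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:                      # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_not_after(der):
    """Return notAfter of a DER-encoded X.509 certificate."""
    _, cstart, _ = _read_tlv(der, 0)                 # Certificate SEQUENCE
    _, tstart, tend = _read_tlv(der, cstart)         # tbsCertificate SEQUENCE
    fields = list(_children(der, tstart, tend))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    _, vstart, vend = fields[3]
    not_before, not_after = list(_children(der, vstart, vend))
    return _parse_time(not_after[0], der[not_after[1]:not_after[2]])


def kubeconfig_client_certs(kubeconfig_text):
    """DER bytes of every client-certificate-data entry found in the kubeconfig."""
    return [base64.b64decode(b64) for b64 in _CERT_RE.findall(kubeconfig_text)]


def days_remaining(kubeconfig_text, now=None):
    """Days until each embedded client certificate expires (negative if already expired)."""
    now = now or datetime.now(timezone.utc)
    return [(cert_not_after(der) - now).total_seconds() / 86400
            for der in kubeconfig_client_certs(kubeconfig_text)]


# ---- constructed fixtures (not real credentials) -----------------------------------
def _der(tag, body):
    """Minimal DER TLV encoder used only to build the test certificate."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def constructed_cert(not_after):
    """Unsigned certificate skeleton with RFC 5280 TBS field order; a fixture, not a usable cert."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                   # [0] version v3
           + _der(0x02, b"\x01")                                              # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
           + _der(0x30, b"")                                                  # issuer (empty Name)
           + _der(0x30, _der(0x17, b"240101000000Z")                          # validity.notBefore (UTCTime)
                  + _der(0x18, not_after.strftime("%Y%m%d%H%M%SZ").encode()))  # validity.notAfter
           + _der(0x30, b""))                                                 # subject
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


ISSUED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)
# Mirrors the thread's `--admin=730h`: 730 hours after issuance.
SAMPLE_KUBECONFIG = f"""apiVersion: v1
kind: Config
users:
- name: farallon-2i2c.k8s.local
  user:
    client-certificate-data: {base64.b64encode(constructed_cert(ISSUED_AT + timedelta(hours=730))).decode()}
    client-key-data: REDACTED
"""

if __name__ == "__main__":
    for days in days_remaining(SAMPLE_KUBECONFIG):
        print(f"client certificate {'EXPIRED' if days < 0 else 'valid'}: {days:.1f} days remaining")
```

Run it against a real exported kubeconfig with `days_remaining(open(path).read())`; a negative value means the checked-in credential has already lapsed, which is exactly the failure mode the comments above report.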
Steps to complete this goal