Context:
We are using AWS SM for storing secrets
AWS credentials were loaded from the EC2 instance as below:

```java
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;

public AWSSecretsManager getDefaultSecretsManagerClient(String region) {
    return AWSSecretsManagerClientBuilder.standard()
            // <== Loads credentials from the EC2 instance metadata service (instance profile role)
            .withCredentials(new InstanceProfileCredentialsProvider(false))
            .withRegion(region)
            .build();
}
```
Current: We are planning to move to Amazon EKS. While running the container, the AWS credentials were picked up from the EC2 instance rather than the POD. Can someone please guide me on which credential provider to use here so that the AWS creds get picked up from the POD rather than the underlying EC2 instance?
Upvotes: 1
Views: 1442
You might look at using IAM Roles for Service Accounts (IRSA) to associate an IAM role with the K8s service account used for the POD. Once you set up IRSA it will behave much like roles for EC2, though you will likely want to use DefaultAWSCredentialsProviderChain.getInstance() instead of InstanceProfileCredentialsProvider to retrieve the credentials.
You can also use the secrets-store-csi-driver-provider-aws plugin to the CSI secret store driver to retrieve secrets from secrets manager (also using IRSA) as mounted files or etcd secrets. Note that the README for this project also has simplified instructions for setting up IRSA.
Upvotes: 1
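The switch the answer describes, as an added example that is not code from the question or the answer: the Secrets Manager client is built with DefaultAWSCredentialsProviderChain, and before any secret is read the pod verifies that it is really running as its own IRSA role and not as the node's instance profile. With IRSA, the EKS pod identity webhook injects the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables into the pod, and the default chain's WebIdentityTokenCredentialsProvider (present in AWS SDK for Java v1 releases from 1.11.704 onward) consumes them ahead of the instance metadata provider. If those variables are missing, the chain silently falls through to the node's instance profile, which is exactly the behaviour the question reports, so the example fails fast instead. The role name my-app-irsa-role, the secret id my-app/db-password and the region are assumed values, not from the page.

```java
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;

public class PodSecretsManagerClient {

    // Builds the Secrets Manager client on the default chain rather than
    // InstanceProfileCredentialsProvider, so the IRSA web identity token
    // injected into the pod is used before the node's instance profile.
    public static AWSSecretsManager getSecretsManagerClient(String region) {
        return AWSSecretsManagerClientBuilder.standard()
                .withCredentials(DefaultAWSCredentialsProviderChain.getInstance())
                .withRegion(region)
                .build();
    }

    // Fails fast when the IRSA environment is absent. Without these variables the
    // default chain would quietly fall back to the EC2 node's role.
    public static void requireIrsaEnvironment(String expectedRoleName) {
        String roleArn = System.getenv("AWS_ROLE_ARN");
        String tokenFile = System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE");
        if (roleArn == null || tokenFile == null) {
            throw new IllegalStateException(
                    "IRSA not configured: AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE missing; "
                            + "check the eks.amazonaws.com/role-arn annotation on the service account");
        }
        if (!roleArn.endsWith("/" + expectedRoleName)) {
            throw new IllegalStateException("Pod is bound to unexpected role: " + roleArn);
        }
    }

    // Asks STS which identity the credentials actually resolve to. For IRSA the ARN
    // has the form arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>.
    public static String resolvedCallerArn(String region) {
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(DefaultAWSCredentialsProviderChain.getInstance())
                .withRegion(region)
                .build();
        return sts.getCallerIdentity(new GetCallerIdentityRequest()).getArn();
    }

    public static void main(String[] args) {
        String region = "us-east-1";                 // assumed value
        String expectedRole = "my-app-irsa-role";    // assumed IRSA role name

        requireIrsaEnvironment(expectedRole);

        String arn = resolvedCallerArn(region);
        if (!arn.contains(":assumed-role/" + expectedRole + "/")) {
            // Credentials resolved to something else (typically the node's instance
            // profile); refuse to proceed rather than read secrets as the wrong principal.
            throw new IllegalStateException("Running as " + arn + ", expected role " + expectedRole);
        }

        AWSSecretsManager sm = getSecretsManagerClient(region);
        String secret = sm.getSecretValue(
                new GetSecretValueRequest().withSecretId("my-app/db-password")) // assumed secret id
                .getSecretString();
        // Use the secret; never log its value.
        System.out.println("Loaded secret of length " + secret.length() + " as " + arn);
    }
}
```

The caller-identity check is worth keeping in the startup path: it turns "secrets were read with the wrong role" from a quiet misconfiguration into a visible crash. Pairing it with the usual hardening of limiting the node's IMDSv2 hop limit to 1 means a pod that is missing its IRSA annotation cannot reach the node's credentials at all.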