"Applications must sign their API requests with AWS credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances. For example, you can securely distribute your AWS credentials to the instances, enabling the applications on those instances to use your credentials to sign requests, while protecting your credentials from other users. However, it's challenging to securely distribute credentials to each instance, especially those that AWS creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance when you rotate your AWS credentials."
-- AWS Documentation
A POC for running an "application" on AWS EC2 while consuming (reading) secrets from AWS Secrets Manager (SM) using IAM Roles instead of distributing credentials. It consists of:
- A secret generated and tracked in SM
- An IAM Role for EC2, with a policy that allows reading secrets from SM
- An EC2 instance with an associated IAM Role
- A consumer container (the "application") running on the EC2 instance, which reads the secret
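The four components above, expressed as a least-privilege Terraform configuration. This is an added example, not the repo's own code (the page does not say which tooling provisions the infrastructure); the resource names, the secret name and the AMI placeholder are assumptions.

```hcl
# The secret generated and tracked in Secrets Manager (assumed name).
resource "aws_secretsmanager_secret" "consumer" {
  name = "poc/consumer-secret"
}
# Trust policy: only the EC2 service may assume this role.
data "aws_iam_policy_document" "ec2_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "consumer" {
  name               = "poc-consumer-ec2-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_trust.json
}

# Permissions: read this one secret only; no wildcard resource, no write or
# rotation actions. (A customer-managed KMS key would also need kms:Decrypt.)
data "aws_iam_policy_document" "read_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = [aws_secretsmanager_secret.consumer.arn]
  }
}

resource "aws_iam_role_policy" "read_secret" {
  name   = "read-consumer-secret"
  role   = aws_iam_role.consumer.id
  policy = data.aws_iam_policy_document.read_secret.json
}

# The instance profile attaches the role to the instance; the SDK in the consumer
# container then gets the role credentials from IMDS, so no static keys are shipped.
resource "aws_iam_instance_profile" "consumer" {
  name = "poc-consumer-profile"
  role = aws_iam_role.consumer.name
}

resource "aws_instance" "consumer" {
  ami                  = "ami-PLACEHOLDER" # replace with a real AMI ID
  instance_type        = "t3.micro"
  iam_instance_profile = aws_iam_instance_profile.consumer.name
  metadata_options {
    http_tokens = "required" # IMDSv2 only: credential reads need a session token
  }
}
```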
To run pre-commit locally, follow the instructions:
pip install --user pre-commit
pre-commit install
Renovate takes care of it
- AWS credentials configured, with the default profile
- make
- podman or docker
make init
make reconfigure
make up
make down
You can create your DEV environment locally. The DEV environment includes a CRC-Cloud (OpenShift Local) cluster, in which our consumer container will run.
Note: You can find more details of the CRC-Cloud repo here
- Register a Red Hat account and get a pull secret from here
- The location of the pull-secret.txt file is defined under PULL_SECRET_ABS_PATH environment variable. MAKE SURE TO ADD THIS VARIABLE under your environment variables according to where you have located it.
- Make sure you have configured the AWS credentials file properly. The file is located at ~/.aws/credentials
- Make sure you have the id_ecdsa file and place it under the main directory of this repo. You can find it here
MAKE SURE you have torn down any already-existing environment before creating a new one.
Otherwise you will have to delete the AWS resources manually.
In order to create such a DEV environment, you will need to run the following make command:
make dev-up
If the command worked properly, you should see a few new files under your current directory:
- host
- id_rsa
- username
- password
- pull-secret.txt
In order to access the cluster, enter the following URL:
https://console-openshift-console.apps.**IP-FROM-HOST-FILE**.nip.io
You can then access the cluster as "kubeadmin" or "developer" user.
The password for both users is found in the password file.
WARNING: if you delete the working directory CRC-Cloud won't be able to teardown the cluster so be extremely careful with the workspace folder content.
In order to teardown the DEV environment, you will need to run the following make command:
make dev-down
The command deletes all your AWS resources and removes the crc-cloud container.