Can I put environment variables into the AWS credentials file and have aws configure recognize and parse the file? I have tried the file below. It looks like the variables are not parsed by aws configure.

[default]
aws_access_key_id=${TEST_KEY_ID}
aws_secret_access_key=${TEST_SECRET_KEY}
[profile2]
aws_access_key_id=${TEST2_KEY_ID}
aws_secret_access_key=${TEST2_SECRET_KEY}

If I cannot, how can I create an AWS credentials file in a Kubernetes pod? I know we can generate a file using a configMap, but I do not want to put the key id and secret key in the configMap directly, since all Kubernetes code will be stored in a git repository.

user389955

2 Answers

I would suggest you create a new Kubernetes service account and then map it to a specific IAM role.

Reference: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

javierlga
  • My Kubernetes pod is Grafana running in GCP. I create AWS credentials for Grafana to get CloudWatch data. Somehow Grafana does not parse the IAM role ARN; it only allows the AWS credentials way. – user389955 Jul 08 '22 at 19:56
  • Given that, I'd suggest you use external-secrets. This way you can consume and store your secrets in Google Cloud Secret Manager and then fetch them into your pods without exposing any sensitive data in your git repositories. Ref: https://external-secrets.io/v0.5.7/provider-google-secrets-manager/#google-cloud-secret-manager – javierlga Jul 08 '22 at 20:10
  • I did store the secret in a 3rd-party server and then fetch it using an API, but then how do I create the AWS credentials file in Kubernetes? Currently I call the API, store the credential results in the environment variables TEST_KEY_ID and TEST_SECRET_KEY, and use a configMap to create the above file (see my post), but this file is not recognized by aws. It looks like I can only put the key id and secret key into the file directly, not using variables. That is why I ask how to handle this. Thanks – user389955 Jul 08 '22 at 20:15
  • If you have the file already in place, and your environment variables are set too, then you can use `sed` to replace the content of your file, or just export the AWS environment variables pointing to the content of your variables, for example: `export AWS_ACCESS_KEY_ID=$(echo $TEST_KEY_ID)`. This would need to be handled as part of your command or entrypoint. – javierlga Jul 08 '22 at 20:27
  • Thanks. I do not want to change the docker image by adding a command or entrypoint. Besides, the aws credentials file will have several profiles (see my post, in which I have added one more profile as an example). Whether profile1 or the default profile is used depends on what Grafana asks for, so I cannot just set `export AWS_ACCESS_KEY_ID=$(echo $TEST_KEY_ID)` – user389955 Jul 08 '22 at 20:34
  • Upvoted: the question should mention this is apparently running on GCP, as it is posted this is the right answer, and using roles is **always** the preferred method. – nnsense May 13 '23 at 06:59
Yes, you can put environment variables into the pod. Then type these commands:

aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
aws configure set region $AWS_REGION
aws configure set output $AWS_OUTPUT

The config files will be created automatically in the pod. You can refer to the yaml file here: https://hub.docker.com/repository/docker/cuongquocvn/aws-cli-kubectl

quoc9x
  • Thanks. I do not think I am allowed to add a command or entrypoint, but other than that, your solution looks workable. Thanks. – user389955 Jul 13 '22 at 05:56
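The root of the question is that neither the AWS CLI nor the SDKs expand `${VAR}` references inside the credentials file, so the expansion has to happen in the shell before the file is written. The script below is an added example (not code from the question, the answers, or the linked image) that writes a multi-profile credentials file from the environment variables named in the question; it produces the same INI layout that `aws configure set --profile <name> aws_access_key_id ...` would write, one profile per call, and it refuses to write a profile when a variable is missing so a failed secrets lookup cannot silently produce a blank key. The sample key values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the question or either answer: render a
# multi-profile ~/.aws/credentials file from environment variables.
# The CLI/SDKs do not expand ${VAR} inside the file, so we expand here.
# Variable names TEST_KEY_ID / TEST_SECRET_KEY / TEST2_* follow the
# question; the values further down are constructed placeholders.

# write_profile FILE PROFILE KEY_ID SECRET
# Appends one [profile] section. Fails when either credential is empty,
# so a missing env var cannot silently produce a blank key.
write_profile() {
  file=$1; profile=$2; key_id=$3; secret=$4
  if [ -z "$key_id" ] || [ -z "$secret" ]; then
    echo "write_profile: missing credentials for profile '$profile'" >&2
    return 1
  fi
  printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
    "$profile" "$key_id" "$secret" >> "$file"
}

# render_credentials FILE
# Builds the whole file (the two profiles from the question). umask 077
# makes a newly created file mode 0600 so other users in the container
# cannot read the secrets.
render_credentials() {
  file=$1
  umask 077
  : > "$file"   # truncate; created 0600 if it does not exist yet
  write_profile "$file" default  "$TEST_KEY_ID"  "$TEST_SECRET_KEY"  || return 1
  write_profile "$file" profile2 "$TEST2_KEY_ID" "$TEST2_SECRET_KEY" || return 1
}

# Constructed sample values standing in for what the secrets API returns.
TEST_KEY_ID=AKIAEXAMPLE0000001
TEST_SECRET_KEY=example-secret-1
TEST2_KEY_ID=AKIAEXAMPLE0000002
TEST2_SECRET_KEY=example-secret-2

creds=$(mktemp)
render_credentials "$creds" && cat "$creds"
```

In a pod this would run once before the application starts (an init container or entrypoint wrapper), writing to the path the application reads, either `~/.aws/credentials` or whatever `AWS_SHARED_CREDENTIALS_FILE` points to; `AWS_SHARED_CREDENTIALS_FILE` is honoured by the AWS SDKs, so the file can live on a writable volume rather than in the image.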