Cloud Platform service pod for AWS CLI access

The Cloud Platform team provide a “service pod” module to help users run maintenance tasks against namespace resources using the AWS CLI.

You need to have complete step 1 (configuring IRSA) in Accessing AWS APIs and resources from your namespace to use the service pod module.

Once you’ve done that, you can create and use the service pod by completing the following three steps:

Raise and merge a PR that configures cloud-platform-terraform-service-pod in your namespace:

# irsa configuration is required to use the service pod
module "irsa" {
  ...
  role_policy_arns = {
  ...
  # Here you must provide the policy arn(s) for the AWS resources you want to access via the service pod
  s3  = module.s3.irsa_policy_arn
  rds = module.rds.irsa_policy_arn
...
}
}

# set up the service pod
module "service_pod" {
  source = "github.com/ministryofjustice/cloud-platform-terraform-service-pod?ref=1.0.0" # use the latest release

  # Configuration
  namespace            = var.namespace
  service_account_name = module.irsa.service_account.name # this uses the service account name from the irsa module
}

As soon as this PR is merged, a service pod will be created for you to use.

Get your namespace pods

You will need the name of your service pod to exec into it. You can get the name of the pod by running the following:

$ kubectl get pods -n $namespace

NAME                                                           READY   STATUS    RESTARTS   AGE
cloud-platform-6c6eb7ed1fd678e4-service-pod-598dcf5c57-sm7mb   1/1     Running   0          10m
# ^ this one!

The pod name you need is the one with “service-pod” in it.

exec into the container and check AWS CLI works

Once you have the service pod’s name, you can run the following command in your Terminal to exec into the container:
```
$ kubectl exec -n $namespace --stdin --tty $pod_name -- /bin/sh
```
Once you’re into the container, run the following and check the output to check the AWS CLI works:
```
$ aws sts get-caller-identity

{
  "UserId": "AROAEXAMPLE:botocore-session-00000000",
  "Account": "000000000000",
  "Arn": "arn:aws:sts::000000000000:assumed-role/..."
}
```
You can then run AWS CLI commands against AWS resources.

Using the filesystem in the service pod

The filesystem of the service pod is locked down to follow security best practice.

If you’re using the service pod and need to interact with the filesystem, you should use the /tmp directory to store your files.

For example, if you’re using the AWS CLI to get an object from an S3 bucket, set the output directory to /tmp:

aws s3api get-object --bucket $bucketName --key $fileKey /tmp/$outputFile

Terminating or scaling down the service pod(s)

Some teams may want to terminate the service pod when it is not in use. To terminate the service pod you can either:

Remove the service pod resource from code then raisng a PR. You will need to raise another PR in the future to reinstate the service pod

or
Scale down the service pod deployment to 0 by running the following command: sh kubectl scale -n <namespace> --replicas=0 deployment/cloud-platform-xxxxxxxx-service-pod By scaling the service-pod deployment, you now have the option to scale it back up at anytime by running the above command with --replicas=1.

This page was last reviewed on 30 August 2024. It needs to be reviewed again on 28 February 2025 by the page owner #cloud-platform .

This page was set to be reviewed before 28 February 2025 by the page owner #cloud-platform. This might mean the content is out of date.