Cloud Platform service pod for AWS CLI access
The Cloud Platform team provide a “service pod” module to help users run maintenance tasks against namespace resources using the AWS CLI.
You need to have complete step 1 (configuring IRSA) in Accessing AWS APIs and resources from your namespace to use the service pod module.
Once you’ve done that, you can create and use the service pod by completing the following three steps:
Raise and merge a PR that configures
cloud-platform-terraform-service-pod
in your namespace:# irsa configuration is required to use the service pod module "irsa" { ... role_policy_arns = { ... # Here you must provide the policy arn(s) for the AWS resources you want to access via the service pod s3 = module.s3.irsa_policy_arn rds = module.rds.irsa_policy_arn ... } } # set up the service pod module "service_pod" { source = "github.com/ministryofjustice/cloud-platform-terraform-service-pod?ref=1.0.0" # use the latest release # Configuration namespace = var.namespace service_account_name = module.irsa.service_account.name # this uses the service account name from the irsa module }
As soon as this PR is merged, a service pod will be created for you to use.
Get your namespace pods
You will need the name of your service pod to
exec
into it. You can get the name of the pod by running the following:$ kubectl get pods -n $namespace NAME READY STATUS RESTARTS AGE cloud-platform-6c6eb7ed1fd678e4-service-pod-598dcf5c57-sm7mb 1/1 Running 0 10m # ^ this one!
The pod name you need is the one with “service-pod” in it.
exec
into the container and check AWS CLI worksOnce you have the service pod’s name, you can run the following command in your Terminal to
exec
into the container:$ kubectl exec -n $namespace --stdin --tty $pod_name -- /bin/sh
Once you’re into the container, run the following and check the output to check the AWS CLI works:
$ aws sts get-caller-identity { "UserId": "AROAEXAMPLE:botocore-session-00000000", "Account": "000000000000", "Arn": "arn:aws:sts::000000000000:assumed-role/..." }
You can then run AWS CLI commands against AWS resources.
Using the filesystem in the service pod
The filesystem of the service pod is locked down to follow security best practice.
If you’re using the service pod and need to interact with the filesystem, you should use the /tmp
directory to store your files.
For example, if you’re using the AWS CLI to get an object from an S3 bucket, set the output directory to /tmp:
aws s3api get-object --bucket $bucketName --key $fileKey /tmp/$outputFile