Cloud Platform service pod for AWS CLI access

The Cloud Platform team provide a “service pod” module to help users run maintenance tasks against namespace resources using the AWS CLI.

You need to have complete step 1 (configuring IRSA) in Accessing AWS APIs and resources from your namespace to use the service pod module.

Once you’ve done that, you can create and use the service pod by completing the following three steps:

1. Raise and merge a PR that configures cloud-platform-terraform-service-pod in your namespace:

   # irsa configuration is required to use the service pod
   module "irsa" {
     ...
     role_policy_arns = {
     ...
     # Here you must provide the policy arn(s) for the AWS resources you want to access via the service pod
     s3  = module.s3.irsa_policy_arn
     rds = module.rds.irsa_policy_arn
   ...
   }
   }
   
   # set up the service pod
   module "service_pod" {
     source = "github.com/ministryofjustice/cloud-platform-terraform-service-pod?ref=1.0.0" # use the latest release
   
     # Configuration
     namespace            = var.namespace
     service_account_name = module.irsa.service_account.name # this uses the service account name from the irsa module
   }
   

   As soon as this PR is merged, a service pod will be created for you to use.

2. Get your namespace pods

   You will need the name of your service pod to exec into it. You can get the name of the pod by running the following:

   $ kubectl get pods -n $namespace
   
   NAME                                                           READY   STATUS    RESTARTS   AGE
   cloud-platform-6c6eb7ed1fd678e4-service-pod-598dcf5c57-sm7mb   1/1     Running   0          10m
   # ^ this one!
   

   The pod name you need is the one with “service-pod” in it.

3. exec into the container and check AWS CLI works

   Once you have the service pod’s name, you can run the following command in your Terminal to exec into the container:

   $ kubectl exec -n $namespace --stdin --tty $pod_name -- /bin/sh
   

   Once you’re into the container, run the following and check the output to check the AWS CLI works:

   $ aws sts get-caller-identity
   
   {
     "UserId": "AROAEXAMPLE:botocore-session-00000000",
     "Account": "000000000000",
     "Arn": "arn:aws:sts::000000000000:assumed-role/..."
   }
   

   You can then run AWS CLI commands against AWS resources.

Using the filesystem in the service pod

The filesystem of the service pod is locked down to follow security best practice.

If you’re using the service pod and need to interact with the filesystem, you should use the /tmp directory to store your files.

For example, if you’re using the AWS CLI to get an object from an S3 bucket, set the output directory to /tmp:

aws s3api get-object --bucket $bucketName --key $fileKey /tmp/$outputFile

This page was last reviewed on 14 February 2024. It needs to be reviewed again on 14 August 2024 by the page owner #cloud-platform .

This page was set to be reviewed before 14 August 2024 by the page owner #cloud-platform. This might mean the content is out of date.