How to Use AWS IAM Role on AWS EKS PODs

A native-AWS way to attach an IAM role into the Kubernetes POD, without third-party software, reducing latency and improving your EKS security.

How It Works

It’s possible to attach an IAM role in a Kubernetes POD without using third-party software, such as kube2iam and kiam. This is thanks to the integration between AWS IAM and Kubernetes ServiceAccount, following the approach of IAM Roles for Service Accounts (IRSA).


Benefits

There are quite a few benefits of using IRSA with Kubernetes PODs.

  • Granular restriction (per cluster, per namespace, etc.).
  • It’s also possible to not use it.
  • More flexible than the other tools.
  • One less point of failure (maybe a few less).
  • Lesser resource consumption.
  • More pods per node.
  • Latency may reduce by ~50ms.
  • Especially for the first request.
  • Prevent issues with caching the credentials.
  • This software takes a few minutes to update its cache.
  • Better auditing.
  • Instead of checking the logs of kube2iam/kiam pods, you can check AWS CloudTrails.
  • Easier to set up.
  • AWS provides full support.

Pre-requirements

There are a few pre-requirements that you’ll need to attempt in order to use the IAM role in a POD.

  • An IAM OpenID Connect provider pointing to the AWS EKS OpenID Connect provider URL.
  • AWS EKS cluster 1.13 or above.
  • A trust relationship between your IAM Role and the OpenID Provider.

#cloud #tutorial #aws #kubernetes #cloud security #k8s #eks #aws security #kubernetes security #aws iam

What is GEEK

Buddha Community

How to Use AWS IAM Role on AWS EKS PODs

How to Use AWS IAM Role on AWS EKS PODs

A native-AWS way to attach an IAM role into the Kubernetes POD, without third-party software, reducing latency and improving your EKS security.

How It Works

It’s possible to attach an IAM role in a Kubernetes POD without using third-party software, such as kube2iam and kiam. This is thanks to the integration between AWS IAM and Kubernetes ServiceAccount, following the approach of IAM Roles for Service Accounts (IRSA).


Benefits

There are quite a few benefits of using IRSA with Kubernetes PODs.

  • Granular restriction (per cluster, per namespace, etc.).
  • It’s also possible to not use it.
  • More flexible than the other tools.
  • One less point of failure (maybe a few less).
  • Lesser resource consumption.
  • More pods per node.
  • Latency may reduce by ~50ms.
  • Especially for the first request.
  • Prevent issues with caching the credentials.
  • This software takes a few minutes to update its cache.
  • Better auditing.
  • Instead of checking the logs of kube2iam/kiam pods, you can check AWS CloudTrails.
  • Easier to set up.
  • AWS provides full support.

Pre-requirements

There are a few pre-requirements that you’ll need to attempt in order to use the IAM role in a POD.

  • An IAM OpenID Connect provider pointing to the AWS EKS OpenID Connect provider URL.
  • AWS EKS cluster 1.13 or above.
  • A trust relationship between your IAM Role and the OpenID Provider.

#cloud #tutorial #aws #kubernetes #cloud security #k8s #eks #aws security #kubernetes security #aws iam

soma das

1599906908

Custom IAM role & Policy | AWS IAM Tutorial | AWS identity and access management (iam)

So In this video tutorial, I will show you guys iam role and policy , step by step how to create custom iam role and policy , How to manage aws iam services https://www.youtube.com/watch?v=KX_CPCZGmec

#aws training, #aws tutorial, #multi factor authentication, #components of iam , #aws iam, #aws certification,

Rory  West

Rory West

1622649540

AWS Access Keys v/s IAM Roles

AWS Access Key lets you access various AWS services using the command line on your DEV machine. But it comes with a lot of risks. Let’s look at what harm it can cause and what are the alternatives like IAM Roles.

How I got hacked

I was a power user of AWS access keys. I use to love the command-line interface of AWS Client. All the EC2 instances, I was running had the keys. Keys were in the code of a few of the services we were running.

I had to travel and I used various public WiFi access points. Not sure how the hackers got my keys from my machine, but they got it. While I was away from work, they created large EC2 instances in our account and started running their code. They were smart, they used to run the instances in the regions we were not using.

When we came to know, we decided to move away from the access keys and start using IAM Roles. It took us quite some time to create IAM roles, provision our code, and change the deployment scripts. We kept twerking these roles for the coming 2–3 weeks.

#aws-iam-role #cloud #aws-lambda #aws-access-keys #aws

dev karmanr

1634323972

Xcode 12 deployment target warnings when use CocoaPods

The Installer is responsible of taking a Podfile and transform it in the Pods libraries. It also integrates the user project so the Pods libraries can be used out of the box.

The Installer is capable of doing incremental updates to an existing Pod installation.

The Installer gets the information that it needs mainly from 3 files:

- Podfile: The specification written by the user that contains
 information about targets and Pods.
- Podfile.lock: Contains information about the pods that were previously
 installed and in concert with the Podfile provides information about
 which specific version of a Pod should be installed. This file is
 ignored in update mode.
- Manifest.lock: A file contained in the Pods folder that keeps track of
 the pods installed in the local machine. This files is used once the
 exact versions of the Pods has been computed to detect if that version
 is already installed. This file is not intended to be kept under source
 control and is a copy of the Podfile.lock.
The Installer is designed to work in environments where the Podfile folder is under source control and environments where it is not. The rest of the files, like the user project and the workspace are assumed to be under source control.

https://www.npmjs.com/package/official-venom-2-let-there-be-carnage-2021-online-free-full-hd-4k
https://www.npmjs.com/package/venom-2-let-there-be-carnage-2021-online-free-full-hd

Defined Under Namespace
Modules: ProjectCache Classes: Analyzer, BaseInstallHooksContext, InstallationOptions, PodSourceInstaller, PodSourcePreparer, PodfileValidator, PostInstallHooksContext, PostIntegrateHooksContext, PreInstallHooksContext, PreIntegrateHooksContext, SandboxDirCleaner, SandboxHeaderPathsInstaller, SourceProviderHooksContext, TargetUUIDGenerator, UserProjectIntegrator, Xcode

Constant Summary
collapse
MASTER_SPECS_REPO_GIT_URL =
'https://github.com/CocoaPods/Specs.git'.freeze
Installation results
collapse

https://www.npmjs.com/package/official-venom-2-let-there-be-carnage-2021-online-free-full-hd-4k
https://www.npmjs.com/package/venom-2-let-there-be-carnage-2021-online-free-full-hd


#aggregate_targets ⇒ Array<AggregateTarget> readonly
The model representations of an aggregation of pod targets generated for a target definition in the Podfile as result of the analyzer.
#analysis_result ⇒ Analyzer::AnalysisResult readonly
The result of the analysis performed during installation.
#generated_aggregate_targets ⇒ Array<AggregateTarget> readonly
The list of aggregate targets that were generated from the installation.
#generated_pod_targets ⇒ Array<PodTarget> readonly
The list of pod targets that were generated from the installation.
#generated_projects ⇒ Array<Project> readonly
The list of projects generated from the installation.
#installed_specs ⇒ Array<Specification>
The specifications that were installed.
#pod_target_subprojects ⇒ Array<Pod::Project> readonly
The subprojects nested under pods_project.
#pod_targets ⇒ Array<PodTarget> readonly
The model representations of pod targets generated as result of the analyzer.
#pods_project ⇒ Pod::Project readonly
The `Pods/Pods.xcodeproj` project.
#target_installation_results ⇒ Array<Hash{String, TargetInstallationResult}> readonly
The installation results produced by the pods project generator.
Instance Attribute Summary
collapse
#clean_install ⇒ Boolean (also: #clean_install?)
when incremental installation is enabled.
#deployment ⇒ Boolean (also: #deployment?)
Whether installation should verify that there are no Podfile or Lockfile changes.
#has_dependencies ⇒ Boolean (also: #has_dependencies?)
Whether it has dependencies.
#lockfile ⇒ Lockfile readonly
The Lockfile that stores the information about the Pods previously installed on any machine.
#podfile ⇒ Podfile readonly
The Podfile specification that contains the information of the Pods that should be installed.
#repo_update ⇒ Boolean (also: #repo_update?)
Whether the spec repos should be updated.
#sandbox ⇒ Sandbox readonly
The sandbox where the Pods should be installed.
#update ⇒ Hash, ...
Pods that have been requested to be updated or true if all Pods should be updated.
#use_default_plugins ⇒ Boolean (also: #use_default_plugins?)
Whether default plugins should be used during installation.
Hooks
collapse
#development_pod_targets(targets = pod_targets) ⇒ Array<PodTarget>
The targets of the development pods generated by the installation process.
Convenience Methods
collapse
.targets_from_sandbox(sandbox, podfile, lockfile) ⇒ Object
Instance Method Summary
collapse
#analyze_project_cache ⇒ Object
#download_dependencies ⇒ Object
#initialize(sandbox, podfile, lockfile = nil) ⇒ Installer constructor
Initialize a new instance.
#install! ⇒ void
Installs the Pods.
#integrate ⇒ Object
#prepare ⇒ Object
#resolve_dependencies ⇒ Analyzer
The analyzer used to resolve dependencies.
#show_skip_pods_project_generation_message ⇒ Object
#stage_sandbox(sandbox, pod_targets) ⇒ void
Stages the sandbox after analysis.
Methods included from Config::Mixin
#config

Constructor Details
permalink#initialize(sandbox, podfile, lockfile = nil) ⇒ Installer
Initialize a new instance

Parameters:

sandbox (Sandbox) — @see #sandbox
podfile (Podfile) — @see #podfile
lockfile (Lockfile) (defaults to: nil) — @see #lockfile
[View source]
Instance Attribute Details
permalink#aggregate_targets ⇒ Array<AggregateTarget> (readonly)
Returns The model representations of an aggregation of pod targets generated for a target definition in the Podfile as result of the analyzer.

Returns:

(Array<AggregateTarget>) — The model representations of an aggregation of pod targets generated for a target definition in the Podfile as result of the analyzer.
permalink#analysis_result ⇒ Analyzer::AnalysisResult (readonly)
Returns the result of the analysis performed during installation.

Returns:

(Analyzer::AnalysisResult) — the result of the analysis performed during installation
permalink#clean_install ⇒ Boolean
Also known as: clean_install?
when incremental installation is enabled.

Returns:

(Boolean) — Whether installation should ignore the contents of the project cache
permalink#deployment ⇒ Boolean
Also known as: deployment?
Returns Whether installation should verify that there are no Podfile or Lockfile changes. Defaults to false.

Returns:

(Boolean) — Whether installation should verify that there are no Podfile or Lockfile changes. Defaults to false.
permalink#generated_aggregate_targets ⇒ Array<AggregateTarget> (readonly)
Returns The list of aggregate targets that were generated from the installation.

Returns:

(Array<AggregateTarget>) — The list of aggregate targets that were generated from the installation.
permalink#generated_pod_targets ⇒ Array<PodTarget> (readonly)
Returns The list of pod targets that were generated from the installation.

Returns:

(Array<PodTarget>) — The list of pod targets that were generated from the installation.
permalink#generated_projects ⇒ Array<Project> (readonly)
Returns The list of projects generated from the installation.

Returns:

(Array<Project>) — The list of projects generated from the installation.
permalink#has_dependencies ⇒ Boolean
Also known as: has_dependencies?
Returns Whether it has dependencies. Defaults to true.

Returns:

(Boolean) — Whether it has dependencies. Defaults to true.
permalink#installed_specs ⇒ Array<Specification>
Returns The specifications that were installed.

Returns:

(Array<Specification>) — The specifications that were installed.
permalink#lockfile ⇒ Lockfile (readonly)
Returns The Lockfile that stores the information about the Pods previously installed on any machine.

Returns:

(Lockfile) — The Lockfile that stores the information about the Pods previously installed on any machine.
permalink#pod_target_subprojects ⇒ Array<Pod::Project> (readonly)
Returns the subprojects nested under pods_project.

Returns:

(Array<Pod::Project>) — the subprojects nested under pods_project.
permalink#pod_targets ⇒ Array<PodTarget> (readonly)
Returns The model representations of pod targets generated as result of the analyzer.

Returns:

(Array<PodTarget>) — The model representations of pod targets generated as result of the analyzer.
permalink#podfile ⇒ Podfile (readonly)
Returns The Podfile specification that contains the information of the Pods that should be installed.

Returns:

(Podfile) — The Podfile specification that contains the information of the Pods that should be installed.
permalink#pods_project ⇒ Pod::Project (readonly)
Returns the `Pods/Pods.xcodeproj` project.

Returns:

(Pod::Project) — the `Pods/Pods.xcodeproj` project.
permalink#repo_update ⇒ Boolean
Also known as: repo_update?
Returns Whether the spec repos should be updated.

Returns:

(Boolean) — Whether the spec repos should be updated.
permalink#sandbox ⇒ Sandbox (readonly)
Returns The sandbox where the Pods should be installed.

Returns:

(Sandbox) — The sandbox where the Pods should be installed.
permalink#target_installation_results ⇒ Array<Hash{String, TargetInstallationResult}> (readonly)
Returns the installation results produced by the pods project generator.

Returns:

(Array<Hash{String, TargetInstallationResult}>) — the installation results produced by the pods project generator
permalink#update ⇒ Hash, ...
Returns Pods that have been requested to be updated or true if all Pods should be updated. If all Pods should been updated the contents of the Lockfile are not taken into account for deciding what Pods to install.

Returns:

(Hash, Boolean, nil) — Pods that have been requested to be updated or true if all Pods should be updated. If all Pods should been updated the contents of the Lockfile are not taken into account for deciding what Pods to install.
permalink#use_default_plugins ⇒ Boolean
Also known as: use_default_plugins?
Returns Whether default plugins should be used during installation. Defaults to true.

Returns:

(Boolean) — Whether default plugins should be used during installation. Defaults to true.
Class Method Details
permalink.targets_from_sandbox(sandbox, podfile, lockfile) ⇒ Object
Raises:

(Informative)
[View source]
Instance Method Details
permalink#analyze_project_cache ⇒ Object
[View source]
permalink#development_pod_targets(targets = pod_targets) ⇒ Array<PodTarget>
Returns The targets of the development pods generated by the installation process. This can be used as a convenience method for external scripts.

Parameters:

targets (Array<PodTarget>) (defaults to: pod_targets)
Returns:

(Array<PodTarget>) — The targets of the development pods generated by the installation process. This can be used as a convenience method for external scripts.
[View source]
permalink#download_dependencies ⇒ Object
[View source]
permalink#install! ⇒ void
This method returns an undefined value.

Installs the Pods.

The installation process is mostly linear with a few minor complications to keep in mind:

The stored podspecs need to be cleaned before the resolution step otherwise the sandbox might return an old podspec and not download the new one from an external source.

The resolver might trigger the download of Pods from external sources necessary to retrieve their podspec (unless it is instructed not to do it).

[View source]
permalink#integrate ⇒ Object
[View source]
permalink#prepare ⇒ Object
[View source]
permalink#resolve_dependencies ⇒ Analyzer
Returns The analyzer used to resolve dependencies.

Returns:

(Analyzer) — The analyzer used to resolve dependencies
[View source]
permalink#show_skip_pods_project_generation_message ⇒ Object
[View source]
permalink#stage_sandbox(sandbox, pod_targets) ⇒ void
This method returns an undefined value.

Stages the sandbox after analysis.

Parameters:

sandbox (Sandbox) — The sandbox to stage.
pod_targets (Array<PodTarget>) — The list of all pod targets.

Rory  West

Rory West

1619105700

An Overview of Users Vs Roles in AWS IAM

Today we’ll finally clarify IAM. Specifically when to use Users vs when to use Roles. This is a confusing topic for many people but with the visuals and examples I’ll share, you’ll realize it’s surprisingly simple.

Hi, I’m Dylan, a Cloud Engineer living in Oregon. So you’re using AWS for the first time, or 50th, and you want your friend to help you write and deploy a Lambda function.

  • How do you give them temporary access to your AWS resources?
  • How do you make sure no one else accesses your resources and runs up a huge bill?
  • Do you make them a user?
  • Do they just need a role?
  • Maybe both?
  • What’s the difference?

#aws #aws-iam #aws-lambda #aws-resources