We are replacing the AWS access key & secret with a new auth mechanism: https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
So now we have the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE env variables, which are injected when the pod gets created, and therefore these variables are not present in the config map. We have a Rails app with a config initializer where we use these variables, but the deploy fails with the error "key not found". To get around this we added the keys to the config map with dummy data, assuming the variable values would get overwritten once the pod gets deployed. The "key not found" issue got fixed with this hack, but now we get the error
Missing :web_identity_token_file parameter or invalid file path provided for Aws::AssumeRoleWebIdentityCredentials provider
My understanding is that the app gets initialized in the container and then it gets deployed into the pod, but the variables are only available once the container is added to the pod. Is there a way we can get around this in Kubernetes, or do I need to move my app code out of the initializer and use it only when making the actual request to AWS?
Note: I am new to kubernetes.
EDIT: Ruby code
require 'aws-sdk-core' # provides Aws::STS::Client and Aws::AssumeRoleWebIdentityCredentials

Client.configure do |config|
  # Both ENV.fetch calls raise KeyError ("key not found") when the IRSA
  # variables have not been injected at the time the initializer runs.
  config.credentials = Aws::AssumeRoleWebIdentityCredentials.new(
    client: Aws::STS::Client.new(region: 'us-west-2'),
    role_arn: ENV.fetch('AWS_ROLE_ARN'),
    web_identity_token_file: ENV.fetch('AWS_WEB_IDENTITY_TOKEN_FILE')
  )
end
secrets.yml
apiVersion: v1
kind: Secret
metadata:
name: "${NAME}-secrets"
namespace: "${NAMESPACE}"
data:
AWS_ROLE_ARN: "${AWS_ROLE_ARN}"
AWS_WEB_IDENTITY_TOKEN_FILE: "${AWS_WEB_IDENTITY_TOKEN_FILE}"
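One way to structure the initializer so it tolerates the IRSA variables being absent at boot, as an added example that is not part of the original post: the settings are read and validated lazily on first use, and the builder that turns them into an Aws::AssumeRoleWebIdentityCredentials object is supplied by the caller (the real SDK call appears only in a comment so the snippet runs without the gem). IrsaCredentials, LazyAwsConfig and the sample ARN are names made up for this example.

```ruby
# Added example, not the poster's code: read and validate the IRSA variables
# lazily, on first use inside a request, instead of at initializer load time.
require 'tempfile'

module IrsaCredentials
  MissingConfig = Class.new(StandardError)
  ROLE_ARN = %r{\Aarn:aws[\w-]*:iam::\d{12}:role/}

  # Returns the values injected by the EKS pod-identity webhook, or raises a
  # descriptive error instead of the SDK's "Missing :web_identity_token_file".
  def self.settings(env = ENV)
    role_arn   = env['AWS_ROLE_ARN'].to_s
    token_file = env['AWS_WEB_IDENTITY_TOKEN_FILE'].to_s
    raise MissingConfig, 'AWS_ROLE_ARN not set (webhook not applied?)' if role_arn.empty?
    raise MissingConfig, "AWS_ROLE_ARN is not an IAM role ARN: #{role_arn}" unless ROLE_ARN.match?(role_arn)
    raise MissingConfig, 'AWS_WEB_IDENTITY_TOKEN_FILE not set' if token_file.empty?
    raise MissingConfig, "token file not readable: #{token_file}" unless File.readable?(token_file)
    { role_arn: role_arn, web_identity_token_file: token_file }
  end
end

# Holds only the builder; ENV is not touched until #credentials is first called.
# In the Rails app the builder would be (hypothetical wiring, aws-sdk-core needed):
#   ->(s) { Aws::AssumeRoleWebIdentityCredentials.new(
#             client: Aws::STS::Client.new(region: 'us-west-2'), **s) }
class LazyAwsConfig
  def initialize(env = ENV, &builder)
    @env, @builder, @credentials = env, builder, nil
  end

  def credentials
    @credentials ||= @builder.call(IrsaCredentials.settings(@env))
  end
end

# Demo with a constructed environment (no real AWS resources involved).
if $PROGRAM_NAME == __FILE__
  token = Tempfile.new('token'); token.write('constructed-jwt'); token.flush
  env = { 'AWS_ROLE_ARN' => 'arn:aws:iam::123456789012:role/example-app',
          'AWS_WEB_IDENTITY_TOKEN_FILE' => token.path }
  cfg = LazyAwsConfig.new(env) { |s| s } # boot succeeds even when env is empty
  puts cfg.credentials.inspect
  begin
    LazyAwsConfig.new({}) { |s| s }.credentials
  rescue IrsaCredentials::MissingConfig => e
    puts "deferred failure: #{e.message}"
  end
end
```

With this shape the initializer only stores the builder, so the "key not found" error cannot occur at boot, and a pod that was started without the webhook mutation fails on its first AWS call with a message naming the missing variable.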