This application runs perfectly when I pass my temporary AWS credentials as shown. Obviously, this isn't best practice. How can I programmatically get the credentials from the IAM role? Can I somehow run `aws sts assume-role` from the kubernetes.yaml? Assume I don't have access to the code base to use the DefaultAWSCredentialsProviderChain.
```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: test
  annotations:
    iam.amazonaws.com/permitted: ".*"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: application
  labels:
    app: application
  namespace: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: application
  template:
    metadata:
      annotations:
        iam.amazonaws.com/role: Role
        awsRegion: us-east-1
      labels:
        app: application
    spec:
      containers:
        - image: xxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxx:latest
          imagePullPolicy: Always
          name: application
          ports:
            - containerPort: 8080
          env:
            - name: NUM_OF_DAYS
              value: "1"
            - name: NUM_OF_THREADS
              value: "24"
            - name: AWS_ACCESS_KEY_ID
              value: xxxxx
            - name: AWS_SECRET_ACCESS_KEY
              value: xxxxx
            - name: AWS_SESSION_TOKEN
              value: xxxxxx
          resources:
            requests:
              cpu: 100m
              memory: 1Gi
            limits:
              memory: 1Gi
```
Nope, this is not a feature of Kubernetes. And would be broken if it was, since env vars can only be set at startup and role credentials rotate over time. You can write a wrapper for your program that sets things in env vars but it will have to restart the subprocess on rotation.
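The wrapper approach described in the answer above, sketched as an added example that is not part of the original posts. It assumes a kube2iam-style agent (implied by the `iam.amazonaws.com/role` annotation) serves the role's temporary credentials on the EC2 metadata path; the function names and the `max_restarts` parameter are hypothetical.

```python
import json, os, subprocess, sys, urllib.request
from datetime import datetime, timezone

# Assumption: a kube2iam-style agent (the iam.amazonaws.com/role annotation)
# answers the EC2 metadata path below with the pod role's credentials.
METADATA = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

def fetch_credentials(base=METADATA, timeout=2):
    """Look up the role name, then fetch that role's temporary credentials."""
    with urllib.request.urlopen(base, timeout=timeout) as r:
        role = r.read().decode().split()[0]
    with urllib.request.urlopen(base + role, timeout=timeout) as r:
        return json.load(r)

def to_env(creds):
    """Map the credential document to the env vars the application reads."""
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["Token"]}

def lifetime(creds, now=None, margin=300):
    """Seconds the child may run: until `margin` seconds before expiry.
    Floored at 1 s so a nearly expired document cannot cause a busy loop."""
    exp = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    now = now or datetime.now(timezone.utc)
    left = (exp.replace(tzinfo=timezone.utc) - now).total_seconds()
    return max(left - margin, 1.0)

def supervise(argv, fetch=fetch_credentials, margin=300, max_restarts=None):
    """Run argv with fresh credentials and restart it before they expire.
    Returns the child's exit code, or None once max_restarts is reached
    (max_restarts is a hypothetical knob so the loop can be bounded)."""
    restarts = 0
    while max_restarts is None or restarts < max_restarts:
        creds = fetch()
        child = subprocess.Popen(argv, env={**os.environ, **to_env(creds)})
        try:
            return child.wait(timeout=lifetime(creds, margin=margin))
        except subprocess.TimeoutExpired:
            child.terminate()   # credentials are about to expire
            child.wait()
            restarts += 1
    return None

if __name__ == "__main__":
    sys.exit(supervise(sys.argv[1:]))
```

With a wrapper like this as the container's entrypoint, the three `AWS_*` entries would no longer be hard-coded in the Deployment's `env` list.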