
EKS Cluster

AWS Elastic Kubernetes Service (EKS) is a container orchestration service provided by Amazon Web Services. It simplifies the deployment, scaling, and management of containerized applications by using Kubernetes. Kubernetes is an open-source system that automates the deployment, scaling, and operations of application containers across clusters of hosts. With EKS, you don't need to install, operate, or maintain your own Kubernetes control plane or nodes, as it runs the Kubernetes management infrastructure across multiple AWS availability zones.

This page provides a breakdown of every command needed to connect to the EKS cluster, which is required to use OBLV Deploy.

Configure AWS

The aws configure command is used to set up AWS CLI by specifying credentials and default settings. These settings are stored in a configuration file located at ~/.aws/config and credentials file at ~/.aws/credentials.

aws configure

When executed, this command prompts the user to input:

  • AWS Access Key ID: Your user's access key.
  • AWS Secret Access Key: Your user's secret key.
  • Default region name: The AWS region your commands will default to.
  • Default output format: The output format (json, yaml, text, etc.) for responses from AWS CLI.

Update kubeconfig

The command below configures kubectl to interact with a specific Amazon EKS cluster by updating the kubeconfig file on your local machine. This file manages cluster authentication and is used by kubectl to access the Kubernetes API of an EKS cluster.

aws eks update-kubeconfig --region eu-central-1 --name oblv-security-test-eks

The parts of the command line above are described below:

  • update-kubeconfig: Instructs the AWS CLI to write (or update) a cluster entry in the kubeconfig file on your machine.
  • --region eu-central-1: Specifies the AWS region where the EKS cluster is hosted.
  • --name oblv-security-test-eks: Identifies the name of the EKS cluster you want to access.

Role assumption script

The script is designed to assume an AWS IAM role using the AWS Security Token Service (STS) and to set environment variables based on the returned credentials. This script facilitates secure access to AWS resources by temporarily providing the necessary credentials to perform actions under the assumed role.

# 1. Assume the IAM role using AWS STS and capture the JSON response.
#    --output json ensures jq receives JSON even if `aws configure` set a different default output format.
assumerole=$(aws sts assume-role --output json --role-arn "arn:aws:iam::494148202604:role/oblv-security-test-eks" --role-session-name oblv-security-test-eks)

# 2. Extract and export the AWS Access Key ID from the assumed role
#    ("$assumerole" is quoted so the JSON reaches jq unchanged)
export AWS_ACCESS_KEY_ID=$(echo "$assumerole" | jq -r '.Credentials.AccessKeyId')

# 3. Extract and export the AWS Secret Access Key from the assumed role
export AWS_SECRET_ACCESS_KEY=$(echo "$assumerole" | jq -r '.Credentials.SecretAccessKey')

# 4. Extract and export the AWS Session Token from the assumed role
export AWS_SESSION_TOKEN=$(echo "$assumerole" | jq -r '.Credentials.SessionToken')

Each line of the script above is described below:

  • assumerole=$(aws sts assume-role ...): Uses the aws sts assume-role command to request temporary credentials for the specified IAM role. The --role-arn parameter identifies the IAM role to assume, and --role-session-name provides a name for the session (the name appears in CloudTrail, so it should identify who or what is acting). The output of this command, which includes the temporary security credentials, is stored in the assumerole variable.
  • export AWS_ACCESS_KEY_ID=$(echo "$assumerole" | jq -r '.Credentials.AccessKeyId'): Pipes the assumerole JSON output into jq, a command-line JSON processor, to extract the AccessKeyId. The -r option makes jq output a raw string rather than a JSON-quoted one. The extracted AccessKeyId is then exported as the environment variable AWS_ACCESS_KEY_ID.
  • export AWS_SECRET_ACCESS_KEY=$(echo "$assumerole" | jq -r '.Credentials.SecretAccessKey'): Similar to the previous step, this line extracts the SecretAccessKey from the assumerole JSON output and exports it as the environment variable AWS_SECRET_ACCESS_KEY.
  • export AWS_SESSION_TOKEN=$(echo "$assumerole" | jq -r '.Credentials.SessionToken'): Extracts the SessionToken from the assumerole JSON output and exports it as AWS_SESSION_TOKEN. This token is required for the temporary credentials to be accepted by subsequent AWS CLI commands; the access key and secret alone are not valid without it.

When using the script above, consider the following:

  • Ensure that the IAM role specified in the script is granted only the permissions necessary for your operations.
  • Handle the temporary credentials securely: do not log them, print them to shared terminals, or commit them to shared environments.
  • Regularly rotate the IAM roles and review their permissions to adhere to the principle of least privilege.
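The script above pipes the STS response straight into jq without checking it, and nothing stops the credentials from ending up in a log. The following is an added example, not code from the OBLV Deploy documentation: it takes the JSON that aws sts assume-role returns, verifies that all four credential fields are present and that the credentials have not already expired (or are about to), renders the same export lines the script produces with shell-safe quoting, and builds a log line that contains only a fragment of the access key ID, never the secret key or session token. The embedded response is constructed sample data with fake key material; the account ID and ARN in it are placeholders, not values from this page.

```python
"""Validate an `aws sts assume-role` response before exporting it.

Added example, not part of the OBLV Deploy documentation. The JSON below is
constructed sample data shaped like the real STS response; the key material
and account ID are fake placeholders.
"""
import json
import shlex
from datetime import datetime, timedelta, timezone

# Constructed sample of what `aws sts assume-role --output json` returns.
SAMPLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
        "SecretAccessKey": "FAKESECRETKEYFAKESECRETKEYFAKESECRETKEY0",
        "SessionToken": "FAKESESSIONTOKEN",
        "Expiration": "2099-01-01T00:00:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:example-session",
        "Arn": "arn:aws:sts::111111111111:assumed-role/example-role/example-session",
    },
})

# STS field name -> environment variable read by the AWS CLI and by kubectl's
# aws exec credential plugin.
ENV_MAP = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}


def parse_credentials(raw, now=None, min_remaining=timedelta(minutes=5)):
    """Return {env_var: value} for a usable response; raise ValueError otherwise."""
    try:
        creds = json.loads(raw)["Credentials"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("response is not an assume-role JSON document") from exc
    if not isinstance(creds, dict):
        raise ValueError("Credentials is not a JSON object")

    missing = [k for k in (*ENV_MAP, "Expiration") if not creds.get(k)]
    if missing:
        raise ValueError(f"response lacks fields: {', '.join(missing)}")

    # The CLI prints Expiration as ISO-8601 with a UTC offset; accept a trailing Z too.
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if expires - now < min_remaining:
        raise ValueError(f"credentials expire at {expires.isoformat()}; refusing to export")

    return {env: creds[field] for field, env in ENV_MAP.items()}


def export_lines(env):
    """Render shell `export` statements, quoting values so the shell takes them verbatim."""
    return "\n".join(f"export {name}={shlex.quote(value)}" for name, value in env.items())


def redacted_summary(env):
    """Log-safe description: a fragment of the key ID only, no secret or session token."""
    key_id = env["AWS_ACCESS_KEY_ID"]
    return f"assumed-role credentials loaded (AccessKeyId {key_id[:4]}...{key_id[-4:]})"


if __name__ == "__main__":
    env = parse_credentials(SAMPLE_RESPONSE)
    print(export_lines(env))          # eval this output in the calling shell
    print("#", redacted_summary(env))  # this line is the only thing safe to log
```

In practice the response would come from the aws sts assume-role call rather than from SAMPLE_RESPONSE, and the caller would eval the export lines in its shell while writing only the redacted summary to its log. The expiry check matters because STS credentials are short-lived: exporting a set that expires in the next few minutes produces kubectl failures halfway through a deployment that are easy to misread as permission problems.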

What's next?

For additional information about how OBLV Deploy uses the EKS cluster, see the Quick Start Guide page.