There are different ways of getting AWS credentials from inside AWS. The most preferable and secure is using an instance_profile for EC2 or IAM Roles for Service Accounts (kube2iam or kiam) for k8s. The idea is as simple as getting temporary credentials from the AWS STS service and renewing the keys as time goes on. The only business for a user is to create a proper policy with resource permissions and attach it to a role that is attached to the instance_profile or k8s service account. So the idea is: no hardcoded or predefined key!
Percona mongo operator now has this:
If no Credentials set - return an error.
It would be nice to have the option not to set the credentials if the mongo cluster is run on AWS (operator checks or an extra field in CRD). In case there are no credentials set and the environment is AWS - ask STS for credentials with further updates.
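As an added illustration of the fallback proposed above (example code, not from the operator or from Percona): explicit keys win, otherwise the IRSA environment or an EC2 instance profile is used, and temporary credentials are renewed before they expire. The Source values, the Provider type and its fetch hook are assumptions made for this example.

```go
package main

import ("errors"; "sync"; "time")
// Credentials holds static keys or STS temporary keys (Expiration is zero for static keys).
type Credentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	Expiration                                 time.Time
}
// Source names the credential path chosen; the values are constructed for this example.
type Source string
const (
	SourceStatic          Source = "static"           // keys from the CR / Secret
	SourceWebIdentity     Source = "irsa"             // IAM Roles for Service Accounts (STS AssumeRoleWithWebIdentity)
	SourceInstanceProfile Source = "instance_profile" // EC2 instance profile via the metadata service
)
// Resolve is the proposed fallback: explicit keys win; with none set, use the IRSA environment the EKS
// webhook injects, else the EC2 instance profile, else fail as the operator does today. env stands in
// for os.Getenv and onEC2 for the metadata probe so the logic runs offline.
func Resolve(accessKey, secretKey string, env func(string) string, onEC2 bool) (Source, error) {
	switch {
	case accessKey != "" && secretKey != "":
		return SourceStatic, nil
	case env("AWS_WEB_IDENTITY_TOKEN_FILE") != "" && env("AWS_ROLE_ARN") != "":
		return SourceWebIdentity, nil
	case onEC2:
		return SourceInstanceProfile, nil
	}
	return "", errors.New("no credentials set and no AWS role available")
}
// Provider caches temporary credentials and re-fetches them a margin before expiry (the "renew the
// keys as time goes" part); in a real operator fetch would call STS or the metadata endpoint.
type Provider struct {
	mu      sync.Mutex
	fetch   func() (Credentials, error)
	now     func() time.Time
	window  time.Duration // refresh this long before Expiration
	current Credentials
}
// Get returns cached credentials, refreshing when none are held or expiry falls within window.
func (p *Provider) Get() (Credentials, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	stale := !p.current.Expiration.IsZero() && !p.now().Add(p.window).Before(p.current.Expiration)
	if p.current.AccessKeyID == "" || stale {
		c, err := p.fetch()
		if err != nil {
			return Credentials{}, err
		}
		p.current = c
	}
	return p.current, nil
}
```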
Environment
operator version 1.3.0 deployed on AWS EKS. 5 mongo clusters in the same namespace.
Sergey Pronin November 5, 2021 at 12:09 PM
AWS has the capability to authenticate applications running on EC2 instances without using IAM keys, relying instead on IAM roles assigned to the instance.
Starting from version 1.6.1 Percona Backup for MongoDB supports EC2 profiles. It would be great to add this support into the Operator as well.