AWS IAM token env var and projected volume? #7461
-
|
what is argo workflow syntax equivalent for below? ie create a workflow with assumed iam role, sts identity from the ec2 apiVersion: v1
kind: Pod
metadata:
name: awscli
namespace: security
spec:
containers:
- name: awscli
image: $image
command: ['sh', '-c', 'aws s3 ls s3://mybucket/']
env:
- name: AWS_ROLE_ARN
value: $role
- name: AWS_WEB_IDENTITY_TOKEN_FILE
value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
volumeMounts:
- mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
name: aws-iam-token
readOnly: true
volumes:
- name: aws-iam-token
projected:
defaultMode: 420
sources:
- serviceAccountToken:
audience: sts.amazonaws.com
expirationSeconds: 86400
path: token |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
You can just specify any required environment variables, service accounts, volume mounts as part of your container spec in your template. https://argoproj.github.io/argo-workflows/fields/#workflowspec |
Beta Was this translation helpful? Give feedback.
-
|
do u have example? I couldn't see Sts audience field equiv @terrytangyuan |
Beta Was this translation helpful? Give feedback.
-
|
templates:
- name: container-name
container:
image: ...
volumes:
- name: aws-iam-token
projected:
defaultMode: 420
sources:
- serviceAccountToken:
audience: sts.amazonaws.com
expirationSeconds: 86400
path: token |
Beta Was this translation helpful? Give feedback.
-
|
works! |
Beta Was this translation helpful? Give feedback.
You can just specify any required environment variables, service accounts, volume mounts as part of your container spec in your template. https://argoproj.github.io/argo-workflows/fields/#workflowspec