This is an example to demo/verify that the AWS Python SDK (boto) works with the kube-aws-iam-controller.
It uses the credential_process feature of the SDK, which lets the SDK refresh credentials by running an external process.
The external process is simply cat /meta/aws-iam/credentials.json, which reads the credentials file injected by kube-aws-iam-controller. The controller is assumed to be running in your cluster.
The example just queries EC2 every 5 minutes and lists the current instances:

    2018-10-21 10:34:06,437 - __main__ - INFO - Getting instances
    2018-10-21 10:34:06,641 - __main__ - INFO - i-abcd1234 - t2.medium
    2018-10-21 10:34:06,641 - __main__ - INFO - i-abcd1234 - t2.medium
    2018-10-21 10:34:06,641 - __main__ - INFO - i-abcd1234 - t2.medium
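
The following is an added example, not code from this repository: a pre-flight check of the JSON that the credential_process command (cat /meta/aws-iam/credentials.json) hands to the SDK, useful when the SDK reports missing or expired credentials. It assumes the file follows the SDK's credential_process output format (Version 1); the names check_credentials and SAMPLE, the 300-second threshold and the sample values are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Fields of the SDK's credential_process output format (Version 1).
# SessionToken and Expiration are optional in that format; requiring them
# here is an assumption that the injected credentials are temporary.
REQUIRED = ("Version", "AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")

# Constructed sample, not real credentials.
SAMPLE = json.dumps({
    "Version": 1,
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "constructed-secret-not-real",
    "SessionToken": "constructed-token-not-real",
    "Expiration": "2018-10-21T11:34:06Z",
})


def check_credentials(raw, now=None, min_remaining=300):
    """Validate credential_process JSON and return seconds until expiry.

    Raises ValueError; messages name fields but never echo secret values.
    """
    now = now or datetime.now(timezone.utc)
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("not valid JSON: " + exc.msg) from None
    if not isinstance(doc, dict):
        raise ValueError("top-level JSON value must be an object")
    missing = [k for k in REQUIRED if doc.get(k) in (None, "")]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    if doc["Version"] != 1:
        raise ValueError("unsupported Version")
    if not isinstance(doc["Expiration"], str):
        raise ValueError("Expiration must be an ISO 8601 string")
    # datetime.fromisoformat() rejects a trailing "Z" before Python 3.11.
    expires = datetime.fromisoformat(doc["Expiration"].replace("Z", "+00:00"))
    if expires.tzinfo is None:
        raise ValueError("Expiration has no UTC offset")
    remaining = (expires - now).total_seconds()
    if remaining < min_remaining:
        raise ValueError("credentials expire in %d seconds" % remaining)
    return remaining


if __name__ == "__main__":
    fixed_now = datetime(2018, 10, 21, 10, 34, 6, tzinfo=timezone.utc)
    print(check_credentials(SAMPLE, now=fixed_now))
```

Inside the pod, pass the contents of /meta/aws-iam/credentials.json as raw and leave now unset to compare against the current time.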

    $ docker build --rm -t mikkeloscar/kube-aws-iam-controller-python-example:latest .
    $ docker push mikkeloscar/kube-aws-iam-controller-python-example:latest

    # $ASSUME_ROLE_ARN is the ARN of the role used by the kube-aws-iam-controller deployment
    $ aws cloudformation create-stack --stack-name aws-iam-example \
        --parameters "ParameterKey=AssumeRoleARN,ParameterValue=$ASSUME_ROLE_ARN" \
        --template-body=file://iam-role.yaml --capabilities CAPABILITY_NAMED_IAM

    $ kubectl apply -f deployment.yaml