Powered by Linen
aws
• white-translator-96007 (01/03/2020, 12:01 PM)
  With EC2, use instance roles to access resources.

• flat-insurance-25294 (01/03/2020, 12:02 PM)
  Yeah, but the application might run locally and need to upload files to an S3 bucket. How would roles work there if we’re just using EC2 instance roles?

• flat-insurance-25294 (01/03/2020, 12:02 PM)
  Also, I am not even sure how EC2 instance roles work when using Fargate pods on EKS.

• white-translator-96007 (01/03/2020, 12:02 PM)
  I have not tested with EKS yet, but in ECS you can generally give a role to the task.

• white-translator-96007 (01/03/2020, 12:03 PM)
  You can create an instance role that has access to S3 and give that role to your EC2 instance.

• flat-insurance-25294 (01/03/2020, 12:03 PM)
  Yeah, I’d rather not do roles. It just seems like a lot of loose parts that can break. A limited key assigned to the application through secret volumes. The rest smells like security theatre.

• flat-insurance-25294 (01/03/2020, 12:04 PM)
  Assuming you want to run a local copy of the app, the instance role doesn’t help much.

• white-translator-96007 (01/03/2020, 12:04 PM)
  Actually, from a security point of view it is a much better option to use roles.

• flat-insurance-25294 (01/03/2020, 12:05 PM)
  How so? Temporary credentials? What about the credentials that give you access to said temporary credentials? They could leak as well.

• white-translator-96007 (01/03/2020, 12:06 PM)
  With keys you must have rotation, and you must provide those keys to instances in clear text.

• white-translator-96007 (01/03/2020, 12:06 PM)
  If you are using an instance role, it will rotate keys hourly automatically.

• flat-insurance-25294 (01/03/2020, 12:06 PM)
  We use volumes in k8s to access them. They aren’t exposed as environment variables. I am trying to keep things simple for now, as ironic as that may sound. Working with an S3 access_key is the simplest for now.

• white-translator-96007 (01/03/2020, 12:06 PM)
  And the instance will assume the role automatically.

• orange-australia-91292 (01/03/2020, 12:09 PM)
  Roles are easier to manage once you get going, but users are easier to get going with (to understand). Also, with users, if you have to rotate access keys you have to update every user. With roles that can go away.

• flat-insurance-25294 (01/03/2020, 12:10 PM)
  Yeah, I mean removing and recreating the user on each deploy would be like rotating keys.

• flat-insurance-25294 (01/03/2020, 12:10 PM)
  That’s fine for now.

• orange-australia-91292 (01/03/2020, 12:10 PM)
  In general, I started with users. When the app, or whatever I was setting up, got “serious”, I switched to roles.

• white-translator-96007 (01/03/2020, 12:10 PM)
  Actually, it is pretty simple to use these service roles, and that is best practice.

• flat-insurance-25294 (01/03/2020, 12:33 PM)
  What is actually shared between stacks? I assume configs aren’t?

• broad-dog-22463 (01/03/2020, 12:35 PM)
  @quiet-hamburger-20840 Nothing is shared between stacks unless you export it from one stack and share it with another.

• broad-dog-22463 (01/03/2020, 12:36 PM)
  You need to think of stacks as completely separate states.

• flat-insurance-25294 (01/03/2020, 12:36 PM)
  But you can only export simple data structures, right? I can’t export an entire aws.route53 object? I would have to export the ARN so I can reference it later?

• broad-dog-22463 (01/03/2020, 12:36 PM)
  Correct.

• broad-dog-22463 (01/03/2020, 12:37 PM)
  You could try exporting the entire object, but when you get it back from the config via a stack reference, you would need to cast it to the correct type.

• flat-insurance-25294 (01/03/2020, 12:37 PM)
  I also noticed this pattern:

  ```typescript
  import * as pulumi from "@pulumi/pulumi";

  // Read the stack's configuration (values set with `pulumi config set`).
  const stackConfig = new pulumi.Config();

  // Copy a single config value into a plain local object.
  const localConfig = {
      certificateArn: stackConfig.get("certificateArn"),
  };

  // Later on the field is overwritten in memory (the assigned value is elided in the original message).
  localConfig.certificateArn = ....
  ```

  Does that mean that the certificateArn is written as a config, or just assigned locally to that localConfig variable?

• broad-dog-22463 (01/03/2020, 12:37 PM)
  I’m not sure of the question.

• broad-dog-22463 (01/03/2020, 12:38 PM)
  Here is an article I wrote on how to structure your app to use Stack References so you can share the information needed:

• broad-dog-22463 (01/03/2020, 12:38 PM)
  https://www.pulumi.com/blog/architect-aws-application-infra-with-pulumi-stack-references/

• flat-insurance-25294 (01/03/2020, 12:42 PM)
  I am looking at https://github.com/pulumi/examples/blob/b44ff00deaa30fa2a601ef809f4c2bbe5eb08bd8/aws-ts-static-website/index.ts#L210

• flat-insurance-25294 (01/03/2020, 12:42 PM)
  Writing to https://github.com/pulumi/examples/blob/b44ff00deaa30fa2a601ef809f4c2bbe5eb08bd8/aws-ts-static-website/index.ts#L14-L21 Does that save it as part of the config?