pulumi-community #aws

white-translator-96007

01/03/2020, 12:01 PM

with ec2 use instance roles to access resources

flat-insurance-25294

01/03/2020, 12:02 PM

Yeah but the application might run locally and need to upload files to an S3 bucket. How would roles work there if we’re just using EC2 instance roles?

flat-insurance-25294

01/03/2020, 12:02 PM

Also I am not even sure how EC2 instance roles work when using Fargate pods on EKS.

white-translator-96007

01/03/2020, 12:02 PM

have not tested with EKS yet but in ECS generally you can give role to task

white-translator-96007

01/03/2020, 12:03 PM

you can create instance role that have access to s3 and give that role to your ec2 instance

flat-insurance-25294

01/03/2020, 12:03 PM

yeah I rather not do roles. It just seems like a lot of loose parts that can break. A limited key assigned to the application through secret volumes The rest smells like security theatre.

flat-insurance-25294

01/03/2020, 12:04 PM

Assuming you want to run a local copy of the app, the instance role doesn’t help much.

white-translator-96007

01/03/2020, 12:04 PM

actually security point of view it is much more better option to use roles

flat-insurance-25294

01/03/2020, 12:05 PM

How so? Temporary Credentials? What about the credentials that give you access to said Temporary Credentials? They could leak as well.

white-translator-96007

01/03/2020, 12:06 PM

with keys you must have rotation and you must provide those keys to instances clear text

white-translator-96007

01/03/2020, 12:06 PM

if you are using intance role it will rotate keys hourly automatically

flat-insurance-25294

01/03/2020, 12:06 PM

We use volumes in k8 to access them. They aren’t as environment variables. I am trying to keep things simple for now as ironic as that may sound. Working with S3 access_key is the simplest for now.

white-translator-96007

01/03/2020, 12:06 PM

and instance will assume role automatically

orange-australia-91292

01/03/2020, 12:09 PM

roles are easier to manage once you get going, but users are easier to get going with (understand). also, with users, if you have to rotate access keys you have to update for every user. with roles that can go away

flat-insurance-25294

01/03/2020, 12:10 PM

Yeah I mean removing and recreating the user on each deploy would be like rotating keys.

flat-insurance-25294

01/03/2020, 12:10 PM

That’s fine for now.

orange-australia-91292

01/03/2020, 12:10 PM

In general, I started with users. When the app, or whatever I was setting up, got “serious”, switched to roles.

white-translator-96007

01/03/2020, 12:10 PM

actually it is pretty simple to use these service roles and that is best practise

flat-insurance-25294

01/03/2020, 12:33 PM

What are actually shared between stacks? I assume configs aren’t?

broad-dog-22463

01/03/2020, 12:35 PM

@quiet-hamburger-20840 nothing is shared between stacks unless you export it from one stack and share with another

broad-dog-22463

01/03/2020, 12:36 PM

you need to think of stacks as completely separate states

flat-insurance-25294

01/03/2020, 12:36 PM

But you can only export simple data structures, right? I can’t export an entire aws.route53 object? I Would have to export the ARN so I can reference it later?

broad-dog-22463

01/03/2020, 12:36 PM

correct

broad-dog-22463

01/03/2020, 12:37 PM

You could try exporting the entire object, but whrn you get it back from the config via stack reference, you would need to cast it to a correct type

flat-insurance-25294

01/03/2020, 12:37 PM

I also noticed this pattern

Copy code

const stackConfig = new pulumi.Config();
const localConfig = {
    certificateArn: stackConfig.get("certificateArn"),
}

localConfig.certificateArn = ....

Does that mean that the certificateArn is written as a config, or just assigned locally to that localConfig variable?

broad-dog-22463

01/03/2020, 12:37 PM

I'm not sure of the question

broad-dog-22463

01/03/2020, 12:38 PM

here is an article I wrote on how to structure your app to use Stack References to be able to share the correct information needed

broad-dog-22463

01/03/2020, 12:38 PM

https://www.pulumi.com/blog/architect-aws-application-infra-with-pulumi-stack-references/

flat-insurance-25294

01/03/2020, 12:42 PM

I am looking at https://github.com/pulumi/examples/blob/b44ff00deaa30fa2a601ef809f4c2bbe5eb08bd8/aws-ts-static-website/index.ts#L210

flat-insurance-25294

01/03/2020, 12:42 PM

Writing to https://github.com/pulumi/examples/blob/b44ff00deaa30fa2a601ef809f4c2bbe5eb08bd8/aws-ts-static-website/index.ts#L14-L21 Does that same it as part of the config?