Example application with IAM credentials
Note: This section describes the legacy way of getting OAuth credentials via Mint. Please read Zalando Platform IAM Integration for the recommended new approach.

This is a full example manifest of an application (myapp) which uses IAM credentials distributed via a mint-bucket (zalando-stups-mint-12345678910-eu-central-1).
Here is an example of a policy that grants access to the specific folder in the Mint's S3 bucket:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Resource": [
        "arn:aws:s3:::zalando-stups-mint-12345678910-eu-central-1/myapp/*"
      ],
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Sid": "AllowMintRead"
    }
  ]
}
```
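The point of the policy above is least privilege: the role may only read (s3:GetObject) and only under its own application prefix in the Mint bucket, so one application cannot fetch another application's credentials. The following is an added example, not part of the original documentation or of the Mint/gerry projects, of a small check that verifies a policy document keeps to that shape; the bucket and application names are taken from this section, and the over-broad policy is a constructed counter-example.

```python
import json

# Bucket and application id from the example in this section.
MINT_BUCKET = "zalando-stups-mint-12345678910-eu-central-1"
APP_ID = "myapp"

# Same policy as shown above, as a Python dict.
POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowMintRead",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{MINT_BUCKET}/{APP_ID}/*"],
        }
    ],
}

# Constructed counter-example: read/write on the whole bucket, i.e. every
# application's credentials, not just myapp's.
POLICY_TOO_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowMintAll",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": f"arn:aws:s3:::{MINT_BUCKET}/*",
        }
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def check_mint_policy(policy, bucket, app_id):
    """Return a list of findings; an empty list means every Allow statement
    touching the Mint bucket is limited to s3:GetObject on <bucket>/<app_id>/*.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    expected = f"{bucket_arn}/{app_id}/*"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, so they are fine
        resources = _as_list(stmt.get("Resource", []))
        mint_resources = [r for r in resources if r.startswith(bucket_arn)]
        if not mint_resources:
            continue  # statement does not concern the Mint bucket at all
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if action != "s3:GetObject":
                findings.append(f"{sid}: action {action} is broader than s3:GetObject")
        for resource in mint_resources:
            if resource != expected:
                findings.append(f"{sid}: resource {resource} is not limited to {expected}")
    return findings


if __name__ == "__main__":
    for name, policy in (("ok", POLICY_OK), ("too broad", POLICY_TOO_BROAD)):
        print(name, json.dumps(check_mint_policy(policy, MINT_BUCKET, APP_ID), indent=2))
```

Run it against a policy JSON exported from AWS before attaching it to the application's role; any finding means the role can read more of the Mint bucket than this section intends.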
In this example the AWS access role for the S3 bucket is called myapp-iam-role (see also AWS IAM integration for how to correctly set up such a role in AWS):

```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: myapp
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: myapp
      annotations:
        iam.amazonaws.com/role: myapp-iam-role
    spec:
      containers:
      - name: myapp
        image: myapp:v1.0.0
        env:
        - name: CREDENTIALS_DIR
          value: /meta/credentials
        volumeMounts:
        - name: credentials
          mountPath: /meta/credentials
          readOnly: true
      - name: gerry
        image: registry.opensource.zalan.do/teapot/gerry:v0.0.9
        args:
        - /meta/credentials
        - --application-id=myapp
        - --mint-bucket=s3://zalando-stups-mint-12345678910-eu-central-1
        volumeMounts:
        - name: credentials
          mountPath: /meta/credentials
          readOnly: false
      volumes:
      - name: credentials
        emptyDir:
          medium: Memory # share a tmpfs between the two containers
```
The first important part of the manifest is the annotations section:

```yaml
annotations:
  iam.amazonaws.com/role: myapp-iam-role
```

Here we specify the role the pod needs in order to get access to the S3 bucket holding the credentials.
The next important part is the gerry sidecar:

```yaml
- name: gerry
  image: registry.opensource.zalan.do/teapot/gerry:v0.0.9
  args:
  - /meta/credentials
  - --application-id=myapp
  - --mint-bucket=s3://zalando-stups-mint-12345678910-eu-central-1
  volumeMounts:
  - name: credentials
    mountPath: /meta/credentials
    readOnly: false
```
The gerry sidecar container mounts the shared credentials mount point under /meta/credentials and writes the credential files user.json and client.json to this location.

To read these files from the myapp container, the shared credentials mount point is also mounted into the myapp container, read-only:

```yaml
- name: myapp
  image: myapp:v1.0.0
  env:
  - name: CREDENTIALS_DIR
    value: /meta/credentials
  volumeMounts:
  - name: credentials
    mountPath: /meta/credentials
    readOnly: true
```
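On the application side the only contract with the sidecar is the directory named by CREDENTIALS_DIR and the two file names, user.json and client.json. The following is an added example of how the myapp container might consume them; it is not code from this page or from the gerry project. Its assumptions are labelled: the JSON keys inside the two files (client_id/client_secret and application_username/application_password) are not given in this section and are assumed here, the sample files are constructed, and the files are re-read on every call because the sidecar may replace them while the application is running.

```python
import json
import os
import tempfile
from pathlib import Path

# File names as written by the gerry sidecar (stated in the section above).
CREDENTIAL_FILES = ("client.json", "user.json")


def credentials_present(credentials_dir):
    """True once the sidecar has written both files into the shared tmpfs."""
    base = Path(credentials_dir)
    return all((base / name).is_file() for name in CREDENTIAL_FILES)


def load_credentials(credentials_dir=None):
    """Read client.json and user.json from CREDENTIALS_DIR (the mount the
    manifest shares between the gerry and myapp containers).

    Read fresh on every call rather than cached at start-up: the sidecar owns
    the files and may rotate them, and the app container only has the read-only
    view, so the newest content on disk is the only valid copy.
    """
    base = Path(credentials_dir or os.environ["CREDENTIALS_DIR"])
    creds = {}
    for name in CREDENTIAL_FILES:
        path = base / name
        try:
            creds[name] = json.loads(path.read_text())
        except FileNotFoundError:
            # Typical right after pod start: the sidecar has not fetched from the
            # Mint bucket yet. Callers should retry instead of failing for good.
            raise RuntimeError(f"{path} not present yet; is the gerry sidecar running?") from None
        except json.JSONDecodeError:
            # The file may be in the middle of being replaced; treat as transient.
            raise RuntimeError(f"{path} is not valid JSON (partial write?)") from None
    return creds


def make_sample_dir():
    """Write constructed sample files into a temp dir standing in for
    /meta/credentials. Key names are an assumption, not taken from this page."""
    base = Path(tempfile.mkdtemp())
    (base / "client.json").write_text(json.dumps(
        {"client_id": "constructed-client-id", "client_secret": "constructed-secret"}))
    (base / "user.json").write_text(json.dumps(
        {"application_username": "myapp", "application_password": "constructed-password"}))
    return base


if __name__ == "__main__":
    sample = make_sample_dir()  # in the pod this would simply be CREDENTIALS_DIR
    print("present:", credentials_present(sample))
    print("client_id:", load_credentials(sample)["client.json"]["client_id"])
```

Because the emptyDir is backed by memory (medium: Memory), the credentials never touch the node's disk; keeping the application's mount readOnly: true means a compromised application process cannot overwrite what the sidecar delivers, only read it.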