siteworxpro/aws-iam-anywhere-refresher
1
Fork 0
Code Pull Requests Actions Releases 1 Activity
14 Commits 1 Branch 4 Tags
6f05021af05592a679a3b83e5e5cabe0819dc7c2
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Ron Rise 6f05021af0
All checks were successful
🏗️✨ Test Build Workflow / 🖥️ 🔨 Build (push) Successful in 8m31s
Details
🏗️✨ Build Workflow / 🖥️ 🔨 Build (push) Successful in 10m14s
Details
This solves it.
2025-05-14 23:19:49 -04:00
.gitea/workflows
This solves it.
2025-05-14 23:19:49 -04:00
aws_signing_helper
Switched off unit test 12 because the build had to go out now and there was no time to fix it properly. (#1)
2025-05-14 22:56:41 -04:00
cmd
Switched off unit test 12 because the build had to go out now and there was no time to fix it properly. (#1)
2025-05-14 22:56:41 -04:00
config
Switched off unit test 12 because the build had to go out now and there was no time to fix it properly. (#1)
2025-05-14 22:56:41 -04:00
kube_client
cleaning up some code
2024-08-02 14:43:55 -04:00
.dockerignore
Switched off unit test 12 because the build had to go out now and there was no time to fix it properly. (#1)
2025-05-14 22:56:41 -04:00
.gitignore
Initial commit and release
2024-07-31 10:08:48 -04:00
Dockerfile
Switched off unit test 12 because the build had to go out now and there was no time to fix it properly. (#1)
2025-05-14 22:56:41 -04:00
go.mod
Switched off unit test 12 because the build had to go out now and there was no time to fix it properly. (#1)
2025-05-14 22:56:41 -04:00
go.sum
Switched off unit test 12 because the build had to go out now and there was no time to fix it properly. (#1)
2025-05-14 22:56:41 -04:00
LICENSE
Create LICENSE
2024-07-31 22:54:22 -04:00
main.go
Switched off unit test 12 because the build had to go out now and there was no time to fix it properly. (#1)
2025-05-14 22:56:41 -04:00
README.md
Switched off unit test 12 because the build had to go out now and there was no time to fix it properly. (#1)
2025-05-14 22:56:41 -04:00

README.md

AWS IAM Roles Anywhere Refresher

Setup

AWS IAM Roles Anywhere

If you are running workloads outside of AWS it's recommended that you only use short lived IAM credentials. Because those credentials expire they need to be refreshed on a schedule.

This image runs in a kubernetes cronjob and will create and save new IAM credentials in a secret.

This container is not designed to run outside of kubernetes!

Docker hub and repo

Environment Variables

  • SECRET: the name of the secret containing the aws credentials (default=aws-credentials)
  • RESTART_DEPLOYMENTS : restart deployments on success (default=false)
  • SESSION_DURATION : how long credentials requested will be valid (default=900)
  • NAMESPACE required : the namespace your cron pod is in
  • ROLE_ARN required : the role arn to assume
  • PROFILE_ARN required : the aim anywhere profile arn
  • TRUSTED_ANCHOR_ARN required : the trusted anchor arn
  • PRIVATE_KEY required : iam private key base64 encoded
  • CERTIFICATE required : iam certificate base64 encoded
  • CA_CHAIN : the certificate chain bundle if needed

apiVersion: batch/v1
kind: CronJob
metadata:
  name: aws-iam-anywhere
spec:
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: aws-iam-anywhere-refresher
          restartPolicy: Never
          containers:
            - name: refresher
              image: siteworxpro/aws-iam-anywhere
              imagePullPolicy: Always
              envFrom:
                - configMapRef:
                    name: aws-iam-anywhere
                - secretRef:
                    name: aws-iam-anywhere
  schedule: 00 * * * *
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-iam-anywhere-refresher
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: aws-iam-anywhere-role
  namespace: aws-iam-anywhere
rules:
  - verbs:
      - list
      - update
    resources:
      - deployments
    apiGroups:
      - apps
  - verbs:
      - create
      - update
      - get
    resources:
      - secrets
    apiGroups:
      -
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: aws-iam-anywhere
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: aws-iam-anywhere-role
subjects:
  - kind: ServiceAccount
    name: aws-iam-anywhere-refresher
    namespace: default
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-iam-anywhere
data:
  NAMESPACE: "default"
  SECRET: "aws-credentials"
  ROLE_ARN: "arn:aws:iam::12345:role/my-role"
  PROFILE_ARN: "arn:aws:rolesanywhere:us-east-1:12345:profile/bdf23662-32fe-482f-98f4-f10ba6afacd8"
  TRUSTED_ANCHOR_ARN: "arn:aws:rolesanywhere:us-east-1:12345:trust-anchor/23692607-2a1e-468d-80d4-dc78ce9d9b1a"
  RESTART_DEPLOYMENTS: "1"
---
apiVersion: v1
kind: Secret
metadata:
  name: aws-iam-anywhere
stringData:
  CERTIFICATE: "LS0t...S0tCg=="
  PRIVATE_KEY: "LS0t...S0K"

resulting secret

apiVersion: v1
kind: Secret
metadata:
  labels:
    managed-by: aws-iam-anywhere-refresher
  name: aws-credentials
  namespace: default
data:
  AWS_ACCESS_KEY_ID: QVN....lE=
  AWS_SECRET_ACCESS_KEY: WT...Qw==
  AWS_SESSION_TOKEN: SVFv...VzPQ==

Restarting Deployments

You can optionally restart your deployments if needed. Set the RESTART_DEPLOYMENTS environment variable to true. If this isn't needed you can exclude the permission in the role above and the variable.

The process will list all deployments with the label iam-role-type=aws-iam-anywhere and restart them.

Be sure, if needed to avoid downtime, to configure your deployments readiness probes.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: aws-iam-anywhere
  namespace: aws-iam-anywhere
  labels:
    iam-role-type: aws-iam-anywhere
Description
No description provided
Readme MIT 175 KiB
Releases 1
v1.5.0 Latest
2025-08-26 01:23:08 +00:00
Languages
Go 99.7%
Dockerfile 0.3%