Common Examples

Storing Static AWS Credentials on the Management Kubernetes Cluster

🚧 Prodvana recommends using an IAM Role for granting ECS access, as outlined in the main EKS setup guide.

Create an AWS IAM user for Prodvana to use, and keep its access key ID and secret access key handy. This user must have at least the following IAM policies: AmazonECS_FullAccess and ResourceGroupsandTagEditorReadOnlyAccess.

You can store your AWS account secret on your management Kubernetes cluster. Doing so ensures that the credentials never leave your environment, but you are responsible for creating the Kubernetes Secret object.

First, create a namespace that will contain the account secret. Prodvana will also run jobs in this namespace to manage your ECS services.

kubectl create namespace NAMESPACE

Next, create a Kubernetes Secret:

kubectl --namespace=NAMESPACE create secret generic ecs-aws-secret-key \
    --from-literal=secret_key="${AWS_SECRET_ACCESS_KEY}"

Update your ECS Runtime config file to point to this new namespace and secret.

runtime:
  name: my-ecs-runtime  # this can be whatever you want
  awsEcs:
    proxyRuntime:
      runtime: KUBERNETES_RUNTIME
      containerOrchestration:
        k8s:
          namespace: NAMESPACE  # must match the namespace above
    accessKey:
      awsAccessKeyId: AWS_ACCESS_KEY_ID  # replace
      awsSecretAccessKey:
        kubernetesSecret:
          secretName: ecs-aws-secret-key
          key: secret_key
    region: REGION
    ecsCluster: CLUSTER

Storing Static AWS Credentials on Prodvana

You can store your AWS credentials encrypted on Prodvana. While doing so is secure, storing your credentials as a Kubernetes Secret (see the section above) is recommended instead. The main reason to use Prodvana for storage is to avoid managing the Kubernetes namespace and Secret yourself.

pvnctl secrets set aws-account-secret-key "${AWS_SECRET_ACCESS_KEY}"  # this will output a secret version string - make note of that for the next step

Update your ECS Runtime config file to point to the Prodvana secret reference.

runtime:
  name: my-ecs-runtime  # this can be whatever you want
  awsEcs:
    proxyRuntime:
      runtime: KUBERNETES_RUNTIME
    accessKey:
      awsAccessKeyId: AWS_ACCOUNT_ACCESS_KEY_ID  # replace
      awsSecretAccessKey:
        secret:
          key: aws-account-secret-key  # this is the name of the secret passed to `pvnctl` earlier
          version: aws-account-secret-key-0  # this should be the version string returned from `pvnctl` earlier
    region: REGION
    ecsCluster: CLUSTER
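Both configs above share the same failure modes: inlining the secret access key as a literal instead of referencing it, and (for the Kubernetes variant) referencing a Secret without setting the namespace that Prodvana's jobs run in. The lint below is an added example, not Prodvana tooling; it checks a parsed runtime config for both the Kubernetes-Secret and Prodvana-secret reference shapes shown on this page, and the sample dict mirrors the first config with constructed placeholder values in place of a YAML file.

```python
# Constructed sample mirroring the Kubernetes-Secret variant from the guide;
# every value is a placeholder, not a real credential or cluster.
K8S_SECRET_CONFIG = {"runtime": {
    "name": "my-ecs-runtime",
    "awsEcs": {
        "proxyRuntime": {"runtime": "KUBERNETES_RUNTIME",
                         "containerOrchestration": {"k8s": {"namespace": "prodvana-ecs"}}},
        "accessKey": {"awsAccessKeyId": "AKIA_PLACEHOLDER",
                      "awsSecretAccessKey": {"kubernetesSecret": {
                          "secretName": "ecs-aws-secret-key", "key": "secret_key"}}},
        "region": "us-east-1",
        "ecsCluster": "my-cluster",
    },
}}


def _get(d, *path):
    """Walk nested dicts along path; return None if any step is missing."""
    for p in path:
        if not isinstance(d, dict) or p not in d:
            return None
        d = d[p]
    return d


def lint_ecs_runtime(cfg: dict) -> list:
    """Return findings for credential-handling mistakes; an empty list means the config passed."""
    findings = []
    ecs = _get(cfg, "runtime", "awsEcs") or {}
    secret = _get(ecs, "accessKey", "awsSecretAccessKey")
    if not isinstance(secret, dict):
        # A bare string here means the secret access key is written into the config file itself.
        findings.append("awsSecretAccessKey must be a kubernetesSecret or secret reference, not a literal")
    elif "kubernetesSecret" in secret:
        ks = secret["kubernetesSecret"] or {}
        if not (ks.get("secretName") and ks.get("key")):
            findings.append("kubernetesSecret needs secretName and key")
        # Prodvana runs its jobs in this namespace, so the Secret must live there and it must be set.
        if not _get(ecs, "proxyRuntime", "containerOrchestration", "k8s", "namespace"):
            findings.append("kubernetesSecret requires proxyRuntime.containerOrchestration.k8s.namespace")
    elif "secret" in secret:
        ps = secret["secret"] or {}
        if not (ps.get("key") and ps.get("version")):
            findings.append("Prodvana secret reference needs key and version")
    else:
        findings.append("awsSecretAccessKey reference type not recognized")
    for field in ("region", "ecsCluster"):
        if not ecs.get(field):
            findings.append(f"{field} is required")
    return findings
```

Run it against the dict you get from loading your runtime config (for example with a YAML library) before applying the file.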

Customizing ECS Service Name

By default, Prodvana uses the Prodvana Service name as the ECS service name. This behavior can be customized. For example, if you are deploying the same Prodvana Service to the same ECS cluster multiple times, once per Release Channel, you will want to include the Release Channel name in the ECS service name.

service:
  name: my-service
  application: my-application
  awsEcs:
    ...
    ecsServiceNameOverride: my-service-{{.Builtins.ReleaseChannel.Name}}