Common Examples
Storing Static AWS Credentials on the Management Kubernetes Cluster
Prodvana recommends using an IAM Role for granting ECS access, as outlined in the main EKS setup guide.
Create an AWS IAM user for Prodvana to use (make sure you have the access key ID and secret handy). This user must have at least the following IAM policies: AmazonECS_FullAccess, ResourceGroupsandTagEditorReadOnlyAccess.
You can store your AWS account secret on your management Kubernetes cluster. Doing so ensures that the credentials never leave your environment, but you are responsible for creating the Kubernetes Secret object.
First, create a namespace that will contain the account secret. Prodvana will also run jobs in this namespace to manage your ECS services.
kubectl create namespace NAMESPACE
Next, create a Kubernetes Secret:
kubectl --namespace=NAMESPACE create secret generic ecs-aws-secret-key \
    --from-literal=secret_key="${AWS_SECRET_ACCESS_KEY}"
Update your ECS Runtime config file to point to this new namespace and secret.
runtime:
  name: my-ecs-runtime # this can be whatever you want
  awsEcs:
    proxyRuntime:
      runtime: KUBERNETES_RUNTIME
      containerOrchestration:
        k8s:
          namespace: NAMESPACE # must match the namespace above
    accessKey:
      awsAccessKeyId: AWS_ACCESS_KEY_ID # replace
      awsSecretAccessKey:
        kubernetesSecret:
          secretName: ecs-aws-secret-key
          key: secret_key
    region: REGION
    ecsCluster: CLUSTER
Storing Static AWS Credentials on Prodvana
You can store your AWS credentials encrypted on Prodvana. While doing so is secure, storing your credentials as a Kubernetes Secret (see the section above) is the recommended option. The main reason to use Prodvana for storage is to avoid managing the Kubernetes namespace and Secret yourself.
pvnctl secrets set aws-account-secret-key "${AWS_SECRET_ACCESS_KEY}" # this will output a secret version string - make note of that for the next step
Update your ECS Runtime config file to point to the Prodvana secret reference.
runtime:
  name: my-ecs-runtime # this can be whatever you want
  awsEcs:
    proxyRuntime:
      runtime: KUBERNETES_RUNTIME
    accessKey:
      awsAccessKeyId: AWS_ACCOUNT_ACCESS_KEY_ID
      awsSecretAccessKey:
        secret:
          key: aws-account-secret-key # this is the name of the secret passed to `pvnctl` earlier
          version: aws-account-secret-key-0 # this should be the version string returned from `pvnctl` earlier
    region: REGION
    ecsCluster: CLUSTER
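Both credential layouts above share one property worth enforcing before a config file is committed or applied: the AWS secret access key must only ever be referenced (via `kubernetesSecret` or a Prodvana `secret`), never pasted into the file. The following pre-flight lint is an added example, not Prodvana's own tooling; it takes the runtime config already parsed from YAML as a plain dict, plus the namespace, Secret name and key you created with `kubectl`, and reports inline secrets, mismatched references and leftover placeholders. The sample configs and the key ID in them are constructed values.

```python
from typing import Any, Dict, List

# Placeholder tokens used in the docs that must be replaced before applying.
PLACEHOLDERS = {"AWS_ACCESS_KEY_ID", "AWS_ACCOUNT_ACCESS_KEY_ID", "REGION", "CLUSTER", "NAMESPACE"}

def lint_ecs_runtime(cfg: Dict[str, Any], ns: str, secret_name: str, secret_key: str) -> List[str]:
    """Return findings for a parsed ECS Runtime config; an empty list means it passes.
    ns/secret_name/secret_key describe the Kubernetes Secret created with kubectl,
    so the config's reference can be checked against what actually exists."""
    findings: List[str] = []
    ecs = cfg.get("runtime", {}).get("awsEcs", {})
    access = ecs.get("accessKey", {})
    ref = access.get("awsSecretAccessKey")
    if isinstance(ref, str):
        # A literal here means the long-lived secret key is sitting in a config file.
        findings.append("awsSecretAccessKey is inlined; reference a kubernetesSecret or Prodvana secret instead")
    elif isinstance(ref, dict) and "kubernetesSecret" in ref:
        k8s = ecs.get("proxyRuntime", {}).get("containerOrchestration", {}).get("k8s", {})
        if k8s.get("namespace") != ns:
            findings.append(f"k8s.namespace {k8s.get('namespace')!r} != namespace holding the Secret {ns!r}")
        ks = ref["kubernetesSecret"]
        if ks.get("secretName") != secret_name or ks.get("key") != secret_key:
            findings.append("kubernetesSecret.secretName/key do not match the Secret created with kubectl")
    elif isinstance(ref, dict) and "secret" in ref:
        if not ref["secret"].get("key") or not ref["secret"].get("version"):
            findings.append("Prodvana secret reference needs both key and version")
    else:
        findings.append("awsSecretAccessKey is missing or not a recognised reference")
    for name, val in (("awsAccessKeyId", access.get("awsAccessKeyId")),
                      ("region", ecs.get("region")), ("ecsCluster", ecs.get("ecsCluster"))):
        if not val or val in PLACEHOLDERS:
            findings.append(f"{name} is empty or still the placeholder {val!r}")
    return findings

# Constructed sample: the Kubernetes-Secret layout from above with placeholders filled in.
GOOD_CFG = {"runtime": {"name": "my-ecs-runtime", "awsEcs": {
    "proxyRuntime": {"runtime": "KUBERNETES_RUNTIME",
                     "containerOrchestration": {"k8s": {"namespace": "prodvana-ecs"}}},
    "accessKey": {"awsAccessKeyId": "AKIACONSTRUCTEDEXAMPLE",  # constructed, not a real key ID
                  "awsSecretAccessKey": {"kubernetesSecret": {"secretName": "ecs-aws-secret-key",
                                                              "key": "secret_key"}}},
    "region": "us-east-1", "ecsCluster": "prod-cluster"}}}

# Constructed sample of the mistake the lint exists to catch: secret pasted inline, placeholders left.
BAD_CFG = {"runtime": {"name": "my-ecs-runtime", "awsEcs": {
    "proxyRuntime": {"runtime": "KUBERNETES_RUNTIME"},
    "accessKey": {"awsAccessKeyId": "AWS_ACCESS_KEY_ID", "awsSecretAccessKey": "CONSTRUCTED-FAKE-SECRET"},
    "region": "REGION", "ecsCluster": "prod-cluster"}}}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CFG), ("bad", BAD_CFG)):
        print(label, lint_ecs_runtime(cfg, "prodvana-ecs", "ecs-aws-secret-key", "secret_key") or "ok")
```

Run it as a pre-commit or CI step against the parsed runtime file; a non-empty result should block the apply.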
Customizing ECS Service Name
By default, Prodvana uses the Prodvana Service name as the ECS service name. This behavior can be customized. For example, if you are deploying the same Prodvana Service to the same ECS cluster multiple times, once per Release Channel, you will want to include the Release Channel name in the ECS service name.
service:
  name: my-service
  application: my-application
  awsEcs:
    ...
    ecsServiceNameOverride: my-service-{{.Builtins.ReleaseChannel.Name}}