by mdaniel
456 days ago
I'm also an aws-vault user and wanted to draw your attention to the fact that kubectl supports exec based credential acquisition (in fact, that's how $(aws eks update-kubeconfig) emits them by default). Now, whether that fits your threat model is a different story, but it's for sure technically possible because I use that setup every day.

By default, it looks like this:

    exec:
      command: aws
      args:
      - --region
      - us-east-2
      - eks
      - get-token
      - --cluster-name
      - my-cluster

but for us it would look like this:

    exec:
      command: aws-vault
      args:
      - exec
      - --region
      - us-east-2
      - my-vault-profile
      - --
      - aws
      # likely not required, but I'm including it for "coding in a textarea" :-)
      - --region
      - us-east-2
      - eks
      - get-token
      - --cluster-name
      - my-cluster
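
An added example, not part of the comment above and not kubectl or aws-vault code: because an `exec` entry makes kubectl run a local command to obtain credentials, this script lists every exec plugin in a kubeconfig and flags commands outside an allowlist, looking through a wrapper's `--` separator. The allowlist, the user names and the sample document (shaped like the JSON from `kubectl config view --raw -o json`) are constructed for illustration.

```python
import json

# Local policy, an assumption of this example: binaries allowed as exec plugins.
ALLOWED = frozenset({"aws", "aws-vault"})

# Constructed sample in the shape of `kubectl config view --raw -o json`.
SAMPLE = json.dumps({"users": [
    {"name": "default-eks", "user": {"exec": {
        "command": "aws",
        "args": ["--region", "us-east-2", "eks", "get-token",
                 "--cluster-name", "my-cluster"]}}},
    {"name": "vault-eks", "user": {"exec": {
        "command": "aws-vault",
        "args": ["exec", "--region", "us-east-2", "my-vault-profile", "--",
                 "aws", "eks", "get-token", "--cluster-name", "my-cluster"]}}},
    {"name": "unknown-helper", "user": {"exec": {
        "command": "./bin/get-token.sh", "args": []}}},
    {"name": "static-token", "user": {"token": "REDACTED"}},
]})


def audit_exec_plugins(kubeconfig_json, allowed=ALLOWED):
    """Return one finding per user entry that runs an exec credential plugin."""
    findings = []
    for entry in json.loads(kubeconfig_json).get("users") or []:
        exec_cfg = (entry.get("user") or {}).get("exec")
        if not exec_cfg:
            continue  # static token or client certificate: nothing is executed
        command = exec_cfg.get("command", "")
        args = list(exec_cfg.get("args") or [])
        # For a wrapper such as aws-vault, the program that actually prints
        # the token is whatever follows the "--" separator.
        inner = args[args.index("--") + 1:] if "--" in args else []
        issues = []
        if command not in allowed:
            issues.append("command not in allowlist: " + command)
        if inner and inner[0] not in allowed:
            issues.append("wrapped command not in allowlist: " + inner[0])
        findings.append({"user": entry.get("name"), "command": command,
                         "wrapped": inner[0] if inner else None,
                         "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_exec_plugins(SAMPLE):
        print(f["user"], f["command"], f["wrapped"], f["issues"] or "ok")
```

The allowlist matches bare command names only, so a plugin referenced by path, like the constructed `./bin/get-token.sh`, is always reported for review.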