Istio: How to use variable substitution in AuthorizationPolicy (ipAddress)? - istio

I was wondering if there's a way to have variable substitution for parameters in an Istio AuthorizationPolicy? For example, if somewhere on the pod there was an ENV variable defining a string of ipAddresses or a secret in AWS Secrets Manager, I could do something akin to:
ipBlocks: {{pod.ENV.ipAddresses}}
Thanks!

Related

Can I use environment variables with the Sub intrinsic function?

I am using the sub function to define a resource within an aws IAM service.
Resource:
  - !Sub 'arn:aws:s3:::example-${TEST1}-${AWS::REGION}-test'
${TEST1}: it is an environment variable that I have in my java project.
${AWS::REGION}: pseudo parameter
I want to know if !Sub is able to read the environment variable and, if it can't, whether there is any way I can do it, even if it's not with this function.
No, you cannot reference environment variables within cloudformation.
You'll have to wrap the cloudformation deployment with a script that parses the environment variables and feeds them in as parameters, which can then be referenced in the template.
Make the environment variable a CloudFormation Parameter and set the value. Then !Sub will work as expected. You can create a parameter file if you need to massage the values with sed or jq.

CloudFormation Parameter Dynamic Regex

I have a CloudFormation template with 2 parameters. I want to set an AllowedPattern value for the 2nd parameter such that its regex is dynamically generated based on the value for the first parameter. Something like this:
CloudFormation Parameters
WebsiteDomain:
  Type: String
EmailAddress:
  Type: String
  AllowedPattern: !Sub '.*@${WebsiteDomain}'
Allowed Input
WebsiteDomain: google.com
EmailAddress: test@google.com
Disallowed Input
WebsiteDomain: google.com
EmailAddress: test@yahoo.com
Is there any way to accomplish this?
You would have to use a CloudFormation macro for pre-processing of your template, before actual deployment. Otherwise, you can't do what you want.
Cloudformation templates are not so dynamic, but you could write a script using the AWS CDK which would allow you to write logic to check this yourself and then either immediately deploy it to the AWS environment or synthesize a CloudFormation template from the defined resources in your CDK app.
Unfortunately, No. CF Templates are not that dynamic.
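The answers above (a wrapper script that feeds values in as parameters, and a check done before deployment because the template cannot build the regex itself) can be combined into one pre-deploy step. This is an added example, not code from any of the posters; the environment variable names `WEBSITE_DOMAIN` and `EMAIL_ADDRESS` and both helper functions are assumptions.

```python
import json
import re

# Hypothetical helper: accepts only a plain lower-case DNS name, so the
# domain value cannot smuggle regex syntax into the pattern built below.
DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}"
)


def email_pattern_for(domain: str) -> re.Pattern:
    """Build the per-domain pattern that AllowedPattern cannot express."""
    domain = domain.strip().lower()
    if not DOMAIN_RE.fullmatch(domain):
        raise ValueError(f"not a plain DNS name: {domain!r}")
    # re.escape keeps '.' literal, so 'google.com' does not match 'googleXcom'.
    return re.compile(r"[^@\s]+@" + re.escape(domain), re.IGNORECASE)


def build_parameters(env: dict) -> list:
    """Check the cross-parameter rule, then emit parameter-file entries."""
    domain = env["WEBSITE_DOMAIN"]
    email = env["EMAIL_ADDRESS"]
    # fullmatch anchors both ends, so 'test@google.com.evil.example' fails.
    if not email_pattern_for(domain).fullmatch(email):
        raise ValueError(f"{email!r} is not an address at {domain!r}")
    return [
        {"ParameterKey": "WebsiteDomain", "ParameterValue": domain},
        {"ParameterKey": "EmailAddress", "ParameterValue": email},
    ]


if __name__ == "__main__":
    # Constructed sample input; a real wrapper would pass dict(os.environ).
    sample = {"WEBSITE_DOMAIN": "google.com", "EMAIL_ADDRESS": "test@google.com"}
    print(json.dumps(build_parameters(sample), indent=2))
```

The returned list is the JSON shape accepted by `aws cloudformation create-stack --parameters file://...`, so the script's output can be written to a file and passed straight to the deployment.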

How to store password in AWS Parameter Store

I am planning to use AWS Parameter Store to store config for one of the projects I am working on. We are using CloudFormation (or CDK) to deploy all the components. That includes Parameter Store as well.
I have some config which has passwords and other sensitive fields which I can't put in version control. How do I handle this scenario?
I would use AWS Secrets Manager to generate the secrets randomly.
#This is a Secret resource with a randomly generated password in its SecretString JSON.
MyRDSInstanceRotationSecret:
  Type: AWS::SecretsManager::Secret
  Properties:
    Description: 'This is my rds instance secret'
    GenerateSecretString:
      SecretStringTemplate: '{"username": "admin"}'
      GenerateStringKey: 'password'
      PasswordLength: 16
      ExcludeCharacters: '"@/\'
    Tags:
      -
        Key: AppName
        Value: MyApp
And would further export the same into AWS Parameter Store using a policy attached and later on access them using static or dynamic reference.
The best would be to take your secrets management out of CloudFormation as suggested by @jordanm.
Take a look at AWS Secrets Manager for this use case. If you are implementing your solution in Java, see this GitHub URL:
https://github.com/awsdocs/aws-doc-sdk-examples/tree/master/javav2/example_code/secretsmanager
Provisioning a SecureString parameter type is not possible in CloudFormation
AWS CloudFormation doesn't support creating a SecureString parameter type
See the following link: This
But you can reference it securely, using dynamic references which provide a compact, powerful way for you to specify external values that are stored and managed in other services, such as the Systems Manager Parameter Store, in your stack template.
Use the ssm-secure dynamic reference pattern to specify AWS Systems
Manager SecureString type parameters in your templates. For ssm-secure
dynamic references, AWS CloudFormation never stores the actual
parameter value. AWS CloudFormation accesses the parameter value
during create and update operations for stacks and change sets.
Check the following link: This

AWS Secrets Manager can’t find the specified secret

I'm using AWS Fargate and storing sensitive data with Secrets Manager. Task definition should get environment variables from secrets store
- name: "app"
  image: "ecr-image:tag"
  essential: true
  secrets:
    - name: "VAR1"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-one-secret"
    - name: "VAR2"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret"
    - name: "VAR3"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-private"
but for some reason it fails with the error below
ResourceNotFoundException: Secrets Manager can’t find the specified secret. status code: 400, request id
It seems a bit strange to me because
IAM has permissions for get secret value, moreover
when leaving only VAR1 variable everything works as expected
AWS CLI is able to retrieve each secret without any issue
e.g.
aws secretsmanager get-secret-value --secret-id var-two-secret
What might be wrong with my configuration? Any hints appreciated
ok, so the trick was to specify ARN explicitly. Instead of just providing secret name you should use full identifier
arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret-ID0o2R
Note -ID0o2R suffix at the end of secret name.
It's still not clear for me why for some variables it works without it.
UPD
However, if your secret has a name that ends in a hyphen followed by
six characters (before Secrets Manager adds the hyphen and six
characters to the ARN) and you try to use that as a partial ARN, then
those characters cause Secrets Manager to assume that you’re
specifying a complete ARN. This confusion can cause unexpected
results.
So as you can see from my variable name containing a hyphen Secrets Manager had hard times when resolving it by short name
Secrets Manager tries to do partial ARN matching when you do not specify the GUID on the end of the ARN. However, it is imperfect because partial ARNs could collide. If you are fetching secrets within the same account, you can just use the secret name (the part after secret: and excluding the dash 6 character -GUID) instead of the full ARN. But using the full ARN, when you have it, is always best.
Another potential cause of this error is that the secret isn’t set; the secret name might exist, but not have a value. See https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html for steps on setting a value.
Just add a double colon to the end of the ARN:
"arn:aws:secretsmanager:us-east-1:1234567890:secret:example-ABC12:VARIABLE_NAME::"
Explanation:
arn:aws:secretsmanager:us-east-1:1234567890:secret:example-ABC12 is
the ARN of your secrets (vault)
VARIABLE_NAME is the actual variable you added, with the addition of :: to the ARN.
Check all the possible combinations in the docs.
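The partial-ARN problem described in this thread can be caught before a task definition is registered. The following is an added example, not code from the posters or from AWS: it classifies each `valueFrom` against a set of secret names assumed to exist in the account (`KNOWN` is constructed here; the function names are hypothetical) and flags bare names that end in a hyphen plus six characters.

```python
import re

# ECS "valueFrom" layout for Secrets Manager:
#   arn:<partition>:secretsmanager:<region>:<account>:secret:<name>[:json-key:version-stage:version-id]
# Secrets Manager appends "-" plus six characters to <name> in the real ARN.
SUFFIX_RE = re.compile(r"-[A-Za-z0-9]{6}$")


def secret_segment(value_from: str) -> str:
    """Return the <name> field of a Secrets Manager ARN used in valueFrom."""
    parts = value_from.split(":")
    if (len(parts) < 7 or parts[0] != "arn"
            or parts[2] != "secretsmanager" or parts[5] != "secret"):
        raise ValueError(f"not a Secrets Manager ARN: {value_from!r}")
    return parts[6]


def classify(value_from: str, known_names: set) -> str:
    """Classify a reference against the secret names present in the account."""
    segment = secret_segment(value_from)
    looks_complete = bool(SUFFIX_RE.search(segment))
    if segment in known_names:
        # A bare name ending in hyphen + six characters may be taken for a
        # complete ARN, which is the failure described in the thread.
        return "ambiguous-partial" if looks_complete else "partial"
    if looks_complete and segment[:-7] in known_names:
        return "complete"
    return "unknown"


def lint_task_secrets(secrets: list, known_names: set) -> dict:
    """Map each container variable name to the verdict for its valueFrom."""
    return {s["name"]: classify(s["valueFrom"], known_names) for s in secrets}


# Constructed sample: the three references from the question plus the fix.
PREFIX = "arn:aws:secretsmanager:us-east-1:111222333444:secret:"
KNOWN = {"var-one-secret", "var-two-secret", "var-two-private"}
SAMPLE = [
    {"name": "VAR1", "valueFrom": PREFIX + "var-one-secret"},
    {"name": "VAR2", "valueFrom": PREFIX + "var-two-secret"},
    {"name": "VAR3", "valueFrom": PREFIX + "var-two-private"},
    {"name": "VAR2_FIXED", "valueFrom": PREFIX + "var-two-secret-ID0o2R"},
]

if __name__ == "__main__":
    for env_name, verdict in lint_task_secrets(SAMPLE, KNOWN).items():
        print(f"{env_name}: {verdict}")
```

Any `ambiguous-partial` entry should be replaced with the complete ARN, including the generated suffix, before deployment.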

Openshift/Kubernetes: Use token from Service account in yaml file

I currently have the following problem. I am creating a Template in which I specify a ServiceAccount and a RoleBinding. OpenShift creates a token on its own and stores it in a secret with the name [service-account-name]-[a-z,1-9{5}]. Now I want to pass that secret on to an env variable (as it will be consumed by another config in that container that can process env variables).
Now you can easily use env variables like
env:
  - name: something
    valueFrom:
      secretKeyRef:
        name: someKey
        key: someValue
But now I've got the problem, that there is a secret, but I don't know the exact name as part of it is random. Now my question is
Is there a way to use the contents of a secret of a serviceaccount in a template?
You can check your secrets by running kubectl get secret and then view more by running kubectl describe secret mysecret. You will need to decode it to view it (I do not have experience with OpenShift). You can also use them as Environment Variables as explained here.
As for ServiceAccount and the token you can use it inside a container as specified in the OpenShift documentation
A file containing an API token for a pod’s service account is
automatically mounted at
/var/run/secrets/kubernetes.io/serviceaccount/token.
I think you could add commands from the documentation to the Pod Template into command: section similar to this example. Also you can find more about using secrets here.