
I'm also an aws-vault user and wanted to draw your attention to the fact that kubectl supports exec-based credential acquisition (in fact, that's how $(aws eks update-kubeconfig) emits them by default). Now, whether that fits your threat model is a different story, but it's for sure technically possible because I use that setup every day.

By default, it looks like this:

    exec:
      command: aws
      args:
      - --region
      - us-east-2
      - eks
      - get-token
      - --cluster-name
      - my-cluster

but for us it would look like this:

    exec:
      command: aws-vault
      args:
      - exec
      - --region
      - us-east-2
      - my-vault-profile
      - --
      - aws
      # likely not required, but I'm including it for "coding in a textarea" :-)
      - --region
      - us-east-2
      - eks
      - get-token
      - --cluster-name
      - my-cluster
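
Added example (not part of the comment above): this Python script reads the JSON printed by `kubectl config view --raw -o json` and reports, for each user, whether kubectl runs `aws` directly or through `aws-vault`, and which command ends up being launched. The user names and the sample kubeconfig are constructed for illustration; the exec entries mirror the two snippets in the comment.

```python
import json
import os

# Constructed sample in the shape printed by `kubectl config view --raw -o json`.
# User names are made up; the exec entries mirror the two snippets in the comment.
SAMPLE = json.dumps({"users": [
    {"name": "direct", "user": {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "aws",
        "args": ["--region", "us-east-2", "eks", "get-token",
                 "--cluster-name", "my-cluster"]}}},
    {"name": "vaulted", "user": {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "aws-vault",
        "args": ["exec", "--region", "us-east-2", "my-vault-profile", "--",
                 "aws", "--region", "us-east-2", "eks", "get-token",
                 "--cluster-name", "my-cluster"]}}},
    {"name": "static", "user": {"token": "REDACTED"}},
]})


def audit_exec_users(kubeconfig_json):
    """Return one dict per user describing how kubectl obtains its credential."""
    report = []
    for entry in json.loads(kubeconfig_json).get("users") or []:
        plugin = (entry.get("user") or {}).get("exec")
        if not plugin:
            # No exec plugin: the credential is stored in the kubeconfig itself.
            report.append({"user": entry.get("name"), "kind": "no-exec", "runs": None})
            continue
        command = plugin.get("command", "")
        args = plugin.get("args") or []
        if os.path.basename(command) == "aws-vault" and "--" in args:
            # Everything after "--" is what aws-vault launches with the
            # credentials it injects into the child process environment.
            kind, runs = "aws-vault", args[args.index("--") + 1:]
        else:
            kind, runs = "direct", [command] + args
        report.append({"user": entry.get("name"), "kind": kind, "runs": runs})
    return report


if __name__ == "__main__":
    for row in audit_exec_users(SAMPLE):
        print(row["user"], row["kind"], row["runs"])
```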

