Each task in your pipelines has a reference to a secret from the secrets section of your liminal.yml file.

---
name: k8s_secret_example
secrets:
  - secret: aws
    local_path_file: "~/.aws/credentials"
executors:
  - executor: k8s
    type: kubernetes
variables:
  AWS_CONFIG_FILE: /mnt/credentials
task_defaults:
  python:
    executor: k8s
    image: amazon/aws-cli:2.7.23
    executors: 2
    env_vars:
      AWS_CONFIG_FILE: "/secret/credentials"
    secrets:
      - secret: aws
        remote_path: "/secret"
pipelines:
  - pipeline: k8s_secret_example
    owner: Bosco Albert Baracus
    start_date: 1970-01-01
    timeout_minutes: 10
    schedule: 0 * 1 * *
    tasks:
      - task: my_python_task
        type: python
        cmd: aws s3 ls

That example manifest defines an Opaque Secret for the AWS credentials. The values are Base64 strings in the manifest; however, when you use the Secret with a Pod, the kubelet provides the decoded data to the Pod and its containers.
To make use of the AWS credentials, we define the environment variable AWS_CONFIG_FILE, which points at the mounted credentials file, to authenticate our requests.
For example, the file generated by the AWS CLI for a default profile configured with aws configure looks similar to the following.
~/.aws/credentials

[default]
aws_access_key_id=<aws_access_key_id>
aws_secret_access_key=<aws_secret_access_key>
region = us-east-1
aws_session_token=<aws_session_token>
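
The Python example below is added here and is not Liminal's own code: it shows how a credentials file appears as Base64 in an Opaque Secret, what a container sees once that Secret is mounted at remote_path, and a check that AWS_CONFIG_FILE names a file that is actually mounted. It assumes the Secret's data key is the basename of local_path_file; the function names and the sample file content are constructed for illustration.

```python
import base64
import posixpath

# Constructed sample: placeholder credentials file content, not real keys.
SAMPLE_CREDENTIALS = (
    "[default]\n"
    "aws_access_key_id=EXAMPLEKEYID\n"
    "aws_secret_access_key=EXAMPLESECRET\n"
)


def build_opaque_secret(name, local_path_file, content):
    """Build an Opaque Secret manifest that holds one file.

    Assumption: the data key is the basename of local_path_file.
    """
    key = posixpath.basename(local_path_file)
    encoded = base64.b64encode(content.encode("utf-8")).decode("ascii")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {key: encoded},
    }


def files_seen_by_pod(manifest, remote_path):
    """Return {path: decoded content} as a volume mounted at remote_path exposes it."""
    return {
        posixpath.join(remote_path, key): base64.b64decode(value).decode("utf-8")
        for key, value in manifest["data"].items()
    }


def env_var_resolves(env_value, manifest, remote_path):
    """Check that an env var such as AWS_CONFIG_FILE names a mounted secret file."""
    return posixpath.normpath(env_value) in files_seen_by_pod(manifest, remote_path)


if __name__ == "__main__":
    secret = build_opaque_secret("aws", "~/.aws/credentials", SAMPLE_CREDENTIALS)
    print(secret["data"])  # Base64 text: encoded, not encrypted
    print(env_var_resolves("/secret/credentials", secret, "/secret"))
    print(env_var_resolves("/mnt/credentials", secret, "/secret"))
```

Because Base64 is an encoding and not encryption, anyone who can read the Secret object can recover the credentials, so access to Secrets in the namespace should be restricted accordingly.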