Commit 2a53987

Updated the doc for STS
1 parent 6c78f69 commit 2a53987

1 file changed

+16
-0
lines changed

docs/getting_started.md

Lines changed: 16 additions & 0 deletions
@@ -45,6 +45,22 @@ variables are specified in the `/etc/nginx/environment` file. An example of
4545
the format of the file can be found in the [settings.example](/settings.example)
4646
file.
4747

48+
If you are planning to use docker image on kubernetes cluster, you can use [service account]((https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html)) which can assume a role using [AWS Security Token Service](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html).
49+
50+
- Create a new [AWS IAM OIDC Provider](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html). If you are using AWS EKS Cluster, then the IAM OIDC Provider should already be created as the part of cluster creation. So validate it before you create the new IAM OIDC Provider.
51+
- Configuring a [Kubernetes service account to assume an IAM role](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html)
52+
- [Annotate the Service Account](https://docs.aws.amazon.com/eks/latest/userguide/cross-account-access.html) using IAM Role create in the above step.
53+
- [Configure your pods, Deployments, etc to use the Service Account](https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html)
54+
- As soon as the pods/deployments are updated, you will see the couple of Env Variables listed below in the pods.
55+
`AWS_ROLE_ARN` - Contains IAM Role ARN
56+
`AWS_WEB_IDENTITY_TOKEN_FILE` - Contains the token which will be used to create temporary credentials using AWS Security Token Service.
57+
58+
There are few optional environment variables that can be used.
59+
60+
* `HOSTNAME` - (optional) The value will be used for Role Session Name. The default value is nginx-s3-gateway.
61+
* `STS_ENDPOINT` - (optional) Enter region specific STS Endpoint. The default value is https://sts.amazonaws.com.
62+
63+
4864
### Configuring Directory Listing
4965

5066
Listing of S3 directories ([folders](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-folders.html)) is supported when the
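Review bot: the description of `AWS_WEB_IDENTITY_TOKEN_FILE` ("Contains the token which will be used ...") is wrong: the variable holds the path of the projected token file, not the token itself; suggest "Contains the path to the file holding the web identity token that is exchanged for temporary credentials via AWS STS". Two link defects in the same hunk: `[service account]((https://docs.aws.amazon.com/...))` has doubled parentheses and will not render as a link, and the "Annotate the Service Account" bullet points at `cross-account-access.html` although annotating the service account with the role ARN is covered by the `associate-service-account-role.html` page linked one bullet earlier (the cross-account page only applies when the role lives in a different account). The `HOSTNAME` default is misleading for the Kubernetes scenario this section documents: Kubernetes sets `HOSTNAME` in every container to the pod name, so the role session name will be the pod name rather than `nginx-s3-gateway` unless the variable is explicitly overridden; state this, and note that the value must match the STS RoleSessionName pattern (`[\w+=,.@-]{2,64}`). For `STS_ENDPOINT`, recommend the regional endpoint (`https://sts.<region>.amazonaws.com`) over the global default, since AWS advises regional endpoints and credentials issued by the global endpoint are not valid in opt-in regions by default. Finally, the step that creates the role should mention that its trust policy condition must pin the provider's `:sub` claim to `system:serviceaccount:<namespace>:<service-account-name>`, otherwise any service account in the cluster can assume the role.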
