Dylan Sale dylanenabled
dylanenabled / run_command.sh
Last active July 4, 2023 04:32
Use google workload identity to run firebase adminsdk script
#!/bin/bash
PROJECT_ID=your-project-id
SERVICE_ACCOUNT=sa@${PROJECT_ID}.iam.gserviceaccount.com
echo "LOGGING IN TO GCLOUD USING the external_account credentials"
gcloud auth login --cred-file=/etc/google-cred-config/google_cred_config.json
gcloud config set project "${PROJECT_ID}"
# Create a temporary key to use during bootstrap (need this because firebase admin sdk can't use external_account workload identity federation)

dylanenabled / gist:11e9e4a74d52ad437fe13cbf309b16e1
Last active November 14, 2019 08:53
Blocking EC2 instance metadata on EKS with Calico

With AWS IAM Roles for Service Accounts (https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) you can now grant IAM permissions per Kubernetes service account, so pods no longer need the node's credentials and the EC2 instance metadata endpoint becomes a security liability: any pod that can reach it can obtain the node role's credentials. AWS recommends blocking access to it (https://docs.aws.amazon.com/eks/latest/userguide/restrict-ec2-credential-access.html), but you can also do it with Calico.

Install Calico (https://docs.aws.amazon.com/eks/latest/userguide/calico.html) and calicoctl (https://github.com/projectcalico/calicoctl). Set the environment variables so calicoctl can talk to the EKS cluster's Kubernetes datastore:

export CALICO_DATASTORE_TYPE=kubernetes
export CALICO_KUBECONFIG=~/.kube/config
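The gist preview ends before the policy itself, so the following is an added example of the kind of Calico policy this setup applies; it is not the gist's own file. It is a cluster-wide GlobalNetworkPolicy that denies pod egress to the instance metadata address (169.254.169.254) and then explicitly allows everything else, because a Calico policy that matches an endpoint but has no matching rule would otherwise drop the traffic. The policy name, the order value and the file name are assumptions.

```yaml
# block-ec2-metadata.yaml (added example; name and order are assumptions)
# Apply with calicoctl once the DATASTORE/KUBECONFIG exports above are set:
#   calicoctl apply -f block-ec2-metadata.yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: block-ec2-metadata
spec:
  # Low order number so this policy is evaluated before other policies.
  order: 10
  # Applies to every workload endpoint (pod) in the cluster.
  selector: all()
  types:
    - Egress
  egress:
    # Drop any TCP connection from a pod to the EC2 instance metadata service.
    - action: Deny
      protocol: TCP
      destination:
        nets:
          - 169.254.169.254/32
    # Explicit allow for all other egress; without this, pods matched by the
    # policy above would lose all outbound traffic that no other policy permits.
    - action: Allow
```

Calico network policy only governs workload endpoints, so pods running with hostNetwork (such as the aws-node daemonset) keep access to the metadata service, which is what the node itself needs. To verify the policy, run a short-lived pod in any namespace and confirm that a request to http://169.254.169.254/latest/meta-data/ now times out instead of returning the node's role credentials.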