
How to access AWS resources from a PaaS application

To access AWS resources (that is, to call the AWS APIs) from your application, the application must assume an IAM role that has been granted access to the particular resource.
If you use one of the AWS SDKs (for example the Python boto3 library or the AWS CLI), the SDK's default credential chain does this for you once the following two environment variables are set in your pod: it exchanges the pod's service account token for temporary credentials with sts:AssumeRoleWithWebIdentity.

  • AWS_ROLE_ARN: the ARN of the IAM role (see below) that your application needs to assume to get the proper access.
    Example ARN: arn:aws:iam::123456789012:role/AccessToMyAWSresourceRole
  • AWS_WEB_IDENTITY_TOKEN_FILE: must have the string value /var/run/secrets/kubernetes.io/serviceaccount/token, the path where Kubernetes mounts the pod's service account token.
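
A Deployment manifest that sets these two variables, added here as an illustration (it is not from the original page or the Platon blueprints). The application name, namespace, service account and image are placeholders, and AWS_REGION is an assumption not mentioned above:

```yaml
# Added example, not from the original page: a ServiceAccount and a Deployment
# whose pod carries the two variables the page describes. Names ("my-team",
# "my-app", "my-app-sa") and the image are hypothetical placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app-sa
  namespace: my-team
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: my-team
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      # The service account whose token the SDK presents to AWS STS. The
      # role's trust policy should be scoped to exactly this
      # namespace/service account pair (sub = system:serviceaccount:my-team:my-app-sa).
      serviceAccountName: my-app-sa
      containers:
        - name: app
          image: registry.example.com/my-team/my-app:1.0.0  # placeholder
          env:
            # Role to assume; the SDK calls sts:AssumeRoleWithWebIdentity with it.
            - name: AWS_ROLE_ARN
              value: arn:aws:iam::123456789012:role/AccessToMyAWSresourceRole
            # Kubernetes mounts the service account token at this path.
            - name: AWS_WEB_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/kubernetes.io/serviceaccount/token
            # Not on the page: most SDK calls also need a region (assumed value).
            - name: AWS_REGION
              value: eu-north-1
```

Once the pod is running, `aws sts get-caller-identity` from inside the container should report the assumed-role ARN rather than an error; if it fails with AccessDenied, the role's trust policy does not match the token's issuer or subject.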

Access to AWS resources created by Platon

If you need access to a resource that Platon created for you (for example, an S3 bucket you ordered), you should have been given the ARN of a role that can access it. When you order the resource, remember to specify the PaaS namespace that needs to access it, since that is what the role's trust is scoped to.

Access to AWS resources you create in an account owned by you or your team

For this, you need two things:

  • The IAM OIDC provider for PaaS needs to be added to your account, so that AWS STS accepts service account tokens issued by the PaaS cluster.
  • You need to create an IAM role in your account that your application can assume. Its trust policy must allow sts:AssumeRoleWithWebIdentity from that OIDC provider and should restrict the token's sub claim to your namespace and service account, so that other workloads on the cluster cannot assume the role. You can find a CloudFormation template for such a role in the blueprint repo.
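
The CloudFormation template below is an added illustration of such a role, not the template from the blueprint repo. It assumes the OIDC provider has already been created in the account and takes its issuer hostname, the namespace, the service account and an S3 bucket name as parameters; all of those values, and the inline S3 permissions, are hypothetical:

```yaml
# Added example (not the blueprint repo's template): an IAM role that a PaaS
# pod can assume by presenting its service account token. The OIDC issuer,
# namespace, service account and bucket are parameters you must supply.
AWSTemplateFormatVersion: "2010-09-09"
Description: IAM role assumable from a PaaS pod via the PaaS OIDC provider

Parameters:
  OidcIssuer:
    Type: String
    Description: >-
      Hostname (and path, if any) of the PaaS OIDC issuer without https://,
      exactly as registered on the IAM OIDC provider in this account.
      Hypothetical example: oidc.paas.example.com
  Namespace:
    Type: String
    Description: PaaS namespace of the application
  ServiceAccount:
    Type: String
    Default: default
    Description: Kubernetes service account the pod runs as
  BucketName:
    Type: String
    Description: S3 bucket the role may read and write

Resources:
  AccessToMyAWSresourceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AccessToMyAWSresourceRole
      # Trust policy: only tokens issued by the PaaS OIDC provider for this exact
      # namespace/service account may assume the role. Without the "sub"
      # condition every pod in the cluster could assume it.
      AssumeRolePolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Federated": "arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider/${OidcIssuer}"
              },
              "Action": "sts:AssumeRoleWithWebIdentity",
              "Condition": {
                "StringEquals": {
                  "${OidcIssuer}:sub": "system:serviceaccount:${Namespace}:${ServiceAccount}"
                }
              }
            }
          ]
        }
      # Least-privilege permissions on the one bucket, nothing else.
      Policies:
        - PolicyName: access-to-my-bucket
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource: !Sub arn:${AWS::Partition}:s3:::${BucketName}
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:DeleteObject
                Resource: !Sub arn:${AWS::Partition}:s3:::${BucketName}/*

Outputs:
  RoleArn:
    Description: Value to put in AWS_ROLE_ARN in the pod
    Value: !GetAtt AccessToMyAWSresourceRole.Arn
```

Deploy it with `aws cloudformation deploy --template-file role.yaml --stack-name my-app-role --capabilities CAPABILITY_NAMED_IAM --parameter-overrides OidcIssuer=... Namespace=... ServiceAccount=... BucketName=...`; CAPABILITY_NAMED_IAM is required because the role has a fixed RoleName. Note that STS also checks the token's aud claim against the client IDs registered on the OIDC provider, so the provider must be registered with the audience the PaaS tokens carry; that value comes from the PaaS team and is not shown here.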