Setting up a working environment for Amazon EKS with AWS CloudShell


Introduction

AWS CloudShell was announced during Werner Vogels' keynote at AWS re:Invent 2020.

🚀 AWS CloudShell – Command-Line Access to AWS Resources aws.amazon.com/jp/blogs/aws/aws-cloudshell-..

AWS CloudShell is a browser-based shell that can be launched directly from the AWS Management Console.
The shell offers Bash, PowerShell and Z shell, and comes preconfigured with the AWS CLI and tooling for other major development languages.

The preinstalled tools are described in the following document.

AWS CloudShell compute environment: specifications and software docs.aws.amazon.com/cloudshell/latest/userg..

For example, kubectl is not installed.
Let's set up a working environment for Amazon EKS ourselves.

Is the installation of additional software in a shell environment supported?
Yes, but it must be managed by the user. (Shared Responsibility model😎)

Setting up

Just click the CloudShell icon in the AWS Management Console to launch it.


  • I installed what I could think of for now.
  • Please change the version as needed.
  • This article does not discuss how to map clusters to IAM users/roles.
  • If you want Docker, use Cloud9!

The installation directory is set to $HOME/.local/bin.
This is because $HOME is the persistent storage that is retained between sessions. (See the notes in the second half of this article for details.)

# Create directory
mkdir -p $HOME/.local/bin
cd $HOME/.local/bin

# kubectl
curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.18.13/bin/linux/amd64/kubectl
chmod +x kubectl

# Create $HOME/.kube/config
aws eks update-kubeconfig --name <YOUR_CLUSTER_NAME>

# eksctl (the tarball is extracted to /tmp, then the binary is moved into persistent storage)
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
mv /tmp/eksctl $HOME/.local/bin

# helm (the installer script places helm in /usr/local/bin, which is not retained between sessions)
# VERIFY_CHECKSUM=false tells the installer to skip its SHA-256 check of the downloaded archive
export VERIFY_CHECKSUM=false
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
sudo mv /usr/local/bin/helm $HOME/.local/bin
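As an added example (not part of the original post), a small helper that installs a downloaded binary into $HOME/.local/bin only after its SHA-256 matches a value taken from the project's published checksums; the function name, the sample file and the hashes below are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded tool's SHA-256 before placing it in
# CloudShell's persistent $HOME/.local/bin. The expected hash is the one the
# project publishes alongside its release binary (placeholder here).

# install_verified_binary <downloaded file> <expected sha256> <name> [dest dir]
# Returns 0 and installs on a match; returns 1 and installs nothing otherwise.
install_verified_binary() {
    local src="$1" expected="$2" name="$3" dest="${4:-$HOME/.local/bin}"
    local actual
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    # sha256sum prints "<hash>  <file>"; keep only the hash, lower-cased
    actual=$(sha256sum "$src" | awk '{print tolower($1)}')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    mkdir -p "$dest"
    # install(1) copies and sets the mode in one step; no sudo needed for $HOME
    install -m 0755 "$src" "$dest/$name"
}

# Flow for kubectl, mirroring the download above (needs network, so not run here):
#   curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.18.13/bin/linux/amd64/kubectl
#   install_verified_binary ./kubectl "<sha256 from the upstream checksum file>" kubectl
```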

Packages installed with yum cannot be placed in persistent storage ($HOME), so they have to be reinstalled in every new session.
You can put the install command in your .bash_profile so that it runs automatically when CloudShell starts.

I want to use kubectl completion, so I installed bash-completion.

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs

PATH=$PATH:$HOME/.local/bin:$HOME/bin

export PATH

# Install at startup
sudo yum install -y bash-completion > /dev/null 2>&1

The kubectl completion configuration can be saved to persistent storage.

kubectl completion bash > $HOME/.bash_completion

Notes on CloudShell

Persistent storage

  • CloudShell can use 1 GB of persistent storage per region.
  • Persistent storage is located in your home directory ($HOME) and is private. (It is not shared among users.)
  • Only this area is guaranteed to be retained between sessions.
  • Software and other data stored in directories other than the home directory will not be retained at the end of a session.
  • The data in the persistent storage will be deleted after 120 days from the end of the last session.

CloudShell access permissions

As with any service, you need to explicitly grant CloudShell access to the target IAM user/role.
It is easiest to use the AWSCloudShellFullAccess AWS managed policy, but if you want to restrict file upload/download via CloudShell, you can use a custom policy like the following.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CloudShellUser",
        "Effect": "Allow",
        "Action": [
            "cloudshell:*"
        ],
        "Resource": "*"
    }, {
        "Sid": "DenyUploadDownload",
        "Effect": "Deny",
        "Action": [
            "cloudshell:GetFileDownloadUrls",
            "cloudshell:GetFileUploadUrls"
        ],
        "Resource": "*"
    }]
}

Permissions to access AWS services from within CloudShell

CloudShell automatically uses the IAM credentials you used to sign in to the AWS Management Console.
This means that the IAM user/role you operate as must have explicit permission to access each target AWS service.

Reference

AWS CloudShell - User Guide
docs.aws.amazon.com/cloudshell/latest/userg..