### First log in to AWS using your default credentials:
```bash
$ aws_adfs_auth
Username: <ntid>
Password: <password>
<<ROLE SELECTION>>
```
### Update your AWS credentials file and add a new profile
In this example we want to test the capabilities of an AMS service, so we'll create a new block in `~/.aws/credentials` that looks like:
```
[ams_service]
role_arn = arn:aws:iam::794055897284:role/LambdaCreated/ECSTaskRun
source_profile = saml
```
##### Set your AWS_PROFILE to ams_service:
```bash
export AWS_PROFILE=ams_service
```
##### Verify that you have assumed the role:
```bash
aws sts get-caller-identity
```
### Testing Pulls from another repository
We want to pull an image from `756134506823.dkr.ecr.us-east-1.amazonaws.com/xh-cloud/alpine-oracle-java:8-server-jre-181b13` (in test01) using a role from int01. The ECR repository should have a policy that looks like:
```
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "pod_access",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::899712721709:root",
          "arn:aws:iam::794055897284:root"
        ]
      },
      "Action": [
        "ecr:ListImages",
        "ecr:DescribeRepositories",
        "ecr:DescribeImages",
        "ecr:GetRepositoryPolicy",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ]
    }
  ]
}
```
Log in to the registry:
```bash
$(aws ecr get-login --registry-ids 756134506823 --no-include-email --region us-east-1)
```
and test a pull:
```bash
docker pull 756134506823.dkr.ecr.us-east-1.amazonaws.com/xh-cloud/alpine-oracle-java:8-server-jre-181b13
```
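When the pull is denied, the first thing to check is whether the repository policy actually covers the assumed role's account and the three actions a pull needs. The following is an added example, not part of the original paste: the function names are hypothetical, the role ARN is the one from the profile above, and the sample policy is constructed (trimmed so that one action is missing).

```python
import json

# Repository-level actions a docker pull needs.
PULL_ACTIONS = {"ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"}

def as_list(value):
    """Policy fields may hold one item or a list of items."""
    return value if isinstance(value, list) else ([] if value is None else [value])

def account_of(arn):
    """Account ID field of arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[4]

def principal_covers(principal, role_arn):
    """True if Principal names the role, its account (ID or root ARN), or everyone."""
    if not isinstance(principal, dict):
        return principal == "*"
    account = account_of(role_arn)
    for p in as_list(principal.get("AWS")):
        if p in ("*", role_arn, account):
            return True
        if p.startswith("arn:") and p.endswith(":root") and account_of(p) == account:
            return True
    return False

def missing_pull_actions(policy_json, role_arn):
    """Pull actions the policy does not allow for role_arn. Simplified: ignores
    Deny, Condition and Not* elements; only "*" and "ecr:*" count as wildcards."""
    allowed = set()
    for stmt in as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") == "Allow" and principal_covers(stmt.get("Principal"), role_arn):
            allowed.update(as_list(stmt.get("Action")))
    if allowed & {"*", "ecr:*"}:
        return []
    return sorted(PULL_ACTIONS - allowed)

# Constructed sample: a trimmed policy that trusts only the int01 account
# and grants two of the three pull actions.
SAMPLE_POLICY = """{"Version": "2008-10-17", "Statement": [{"Sid": "pod_access",
  "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::794055897284:root"]},
  "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]}]}"""
ROLE = "arn:aws:iam::794055897284:role/LambdaCreated/ECSTaskRun"  # from the profile above

if __name__ == "__main__":
    print(missing_pull_actions(SAMPLE_POLICY, ROLE))
```

An empty result only clears the repository side: for a cross-account pull the role's own IAM policy must also allow these actions, plus `ecr:GetAuthorizationToken` for the login step.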