DEV Community

hayao-k for AWS Community Builders

Posted on • Originally published at hayao-k.dev

Setting up a working environment for Amazon EKS with AWS CloudShell

Introduction

AWS CloudShell was announced at the Werner Vogels keynote at AWS re:Invent 2020.

🚀 AWS CloudShell – Command-Line Access to AWS Resources
https://aws.amazon.com/jp/blogs/aws/aws-cloudshell-command-line-access-to-aws-resources/

AWS CloudShell is a browser-based shell that can be launched directly from the AWS Management Console.
You can use Bash, PowerShell, or Z shell, and the environment comes preconfigured with the AWS CLI and tools for other major development languages.

The preinstalled tools are described in the following document.

AWS CloudShell compute environment: specifications and software
https://docs.aws.amazon.com/cloudshell/latest/userguide/vm-specs.html

kubectl, for example, is not installed.
Let's prepare a working environment for Amazon EKS ourselves.

Is the installation of additional software in a shell environment supported?
Yes, but it must be managed by the user. (Shared Responsibility model 😎)

Setting up

Just click the icon in the management console to launch CloudShell.

  • I installed what I could think of for now.
  • Please change the version as needed.
  • This article does not discuss how to link clusters and IAM users/roles.
  • If you want Docker, use Cloud9!

The installation directory is set to $HOME/.local/bin.
This is because the persistent storage that is maintained between sessions is $HOME. (See the second half of this article for details.)

# Create directory
mkdir -p $HOME/.local/bin
cd $HOME/.local/bin

# kubectl
curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.18.13/bin/linux/amd64/kubectl
chmod +x kubectl

# Create $HOME/.kube/config
aws eks update-kubeconfig --name <YOUR_CLUSTER_NAME>

# eksctl
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
sudo mv /tmp/eksctl $HOME/.local/bin

# helm
export VERIFY_CHECKSUM=false
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
sudo mv /usr/local/bin/helm $HOME/.local/bin
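
The commands above install binaries without checking them (the Helm step sets VERIFY_CHECKSUM=false), and whatever lands in $HOME/.local/bin stays on the PATH across sessions. The following is an added example, not code from the original article: it installs a file only when its SHA-256 matches a published digest. The function names are hypothetical, and the kubectl.sha256 and eksctl_checksums.txt companion files are assumed to be published beside the download URLs used above.

```shell
#!/bin/sh
# Added example (not from the article): install a downloaded binary into
# $HOME/.local/bin only after its SHA-256 matches the published value.

# Print the digest listed for NAME in a sha256sum-style checksums file
# ("<digest>  <filename>" per line); non-zero exit if NAME is not listed.
expected_from_checksums() {   # $1 = checksums file, $2 = artifact name
    awk -v name="$2" '
        { f = $2; sub(/^\*/, "", f) }      # binary-mode entries read "*name"
        f == name { print tolower($1); found = 1; exit }
        END { exit !found }' "$1"
}

# Copy FILE to DEST_DIR/NAME (mode 0755) only if its SHA-256 equals EXPECTED.
# Returns 0 on install, 1 on mismatch, 2 if EXPECTED is not a digest.
install_verified() {   # $1 = file, $2 = expected, $3 = dest dir, $4 = name
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A saved HTML error page or an empty response must not pass as a digest.
    if ! printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "refusing $1: expected value is not a SHA-256 digest" >&2
        return 2
    fi
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $1: got ${actual:-nothing}" >&2
        return 1
    fi
    mkdir -p "$3" && cp "$1" "$3/$4" && chmod 0755 "$3/$4"
}

# Constructed offline demo: a stand-in "binary" and checksums file in a
# temporary directory; prints the install directory on success.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho stand-in tool\n' > "$d/tool_Linux_amd64"
    ( cd "$d" && sha256sum tool_Linux_amd64 > checksums.txt )
    want=$(expected_from_checksums "$d/checksums.txt" tool_Linux_amd64) || return 1
    install_verified "$d/tool_Linux_amd64" "$want" "$d/bin" tool && echo "$d/bin"
}

# In CloudShell (companion checksum files are assumed to sit beside the
# article's download URLs, e.g. kubectl.sha256 and eksctl_checksums.txt):
#   curl -fsSLO "$URL/kubectl" && curl -fsSLO "$URL/kubectl.sha256"
#   install_verified kubectl "$(cat kubectl.sha256)" "$HOME/.local/bin" kubectl
```

A digest fetched from the same origin as the binary catches truncated or corrupted downloads but not a compromised origin; pin the expected digest out of band where that matters.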

Packages installed by yum cannot be placed in persistent storage ($HOME), so they need to be installed for each new session.
You can write a command in your .bash_profile to automatically install them when you start CloudShell.

I want to use kubectl completion, so I installed bash-completion.

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs

PATH=$PATH:$HOME/.local/bin:$HOME/bin

export PATH

# Install at startup
sudo yum install -y bash-completion > /dev/null 2>&1

The kubectl completion configuration can be saved to persistent storage.

kubectl completion bash > $HOME/.bash_completion

Notes on CloudShell

Persistent storage

  • CloudShell can use 1 GB of persistent storage per region.
  • Persistent storage is located in your home directory ($HOME) and is private. (It is not shared among users.)
  • Only this area is guaranteed to be retained between sessions.
  • Software and other data stored in directories other than the home directory will not be retained at the end of a session.
  • The data in the persistent storage is deleted 120 days after the end of the last session.

CloudShell access permissions

As with any service, you need to explicitly grant CloudShell access to the target IAM user/role.
It is easiest to use the AWSCloudShellFullAccess AWS managed policy, but if you want to restrict file upload/download via CloudShell, you can use a custom policy like the following.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CloudShellUser",
        "Effect": "Allow",
        "Action": [
            "cloudshell:*"
        ],
        "Resource": "*"
    }, {
        "Sid": "DenyUploadDownload",
        "Effect": "Deny",
        "Action": [
            "cloudshell:GetFileDownloadUrls",
            "cloudshell:GetFileUploadUrls"
        ],
        "Resource": "*"
    }]
}

Permissions to access AWS services from within CloudShell

CloudShell automatically uses the IAM credentials you used to sign in to the AWS Management Console.
This means that the IAM user/role you are operating as must have explicit permission to access the target AWS service.

Reference

AWS CloudShell - User Guide
https://docs.aws.amazon.com/cloudshell/latest/userguide/welcome.html
