aws-examples
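# Helper Deployment: one ubuntu container that just sleeps, with a PVC mounted
# at /mnt so the volume's contents can be inspected from inside the pod.
# The heredoc delimiter is unquoted, so any $var inside the manifest would be
# expanded by the shell — there are none here.
# Kubernetes rejects '_' in volume/claim names (DNS-1123 labels), so the
# placeholders are written with '-'; replace both with the real PVC name.
# ubuntu:latest is a mutable tag — pin a digest if this pod is kept around.
k apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tools
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tools
  template:
    metadata:
      labels:
        app: tools
    spec:
      containers:
        - name: tools
          image: ubuntu:latest
          command: ["sleep", "infinity"]
          volumeMounts:
            - mountPath: /mnt
              name: volume-name
              # subPath: prometheus-db
              # readOnly: true   # set this when you only need to look at the data
      volumes:
        - name: volume-name
          persistentVolumeClaim:
            claimName: pvc-name
EOF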

Amazon SSM Managed Instance Core (SSM access for an EC2 instance)

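# IAM role that EC2 can assume, carrying the AWS-managed policy the SSM agent
# needs (Session Manager, Run Command, inventory).
resource "aws_iam_role" "ssm_access" {
  name = "ssm_access"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}

data "aws_iam_policy" "ssm_policy" {
  arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_role_policy_attachment" "ssm-role-policy-attach" {
  role       = aws_iam_role.ssm_access.name
  policy_arn = data.aws_iam_policy.ssm_policy.arn
}

# An instance cannot reference a role directly: iam_instance_profile expects
# the name of an instance profile wrapping the role, so one is created here.
resource "aws_iam_instance_profile" "ssm_access" {
  name = "ssm_access"
  role = aws_iam_role.ssm_access.name
}

resource "aws_instance" "jenkins_master" {
  # ...
  iam_instance_profile = aws_iam_instance_profile.ssm_access.name
  # ...
}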

AWS CLI assume role

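GEKO_ACCOUNT_ID="1111111"
DEST_ACCOUNT_ID="222222222"
DEST_ASSUMED_ROLE="GekoRole"

# Plain call: prints the whole AssumeRole response — temporary secret key and
# session token included — to the terminal and its scrollback.
aws sts assume-role \
  --role-arn "arn:aws:iam::${GEKO_ACCOUNT_ID}:role/Role" \
  --role-session-name awscli-session

# Assume the role and export its temporary credentials into this shell.
# --output text returns the three fields on one line, so read them straight
# into the variables instead of building an `export A=.. B=..` line through
# unquoted word-splitting; when the call fails nothing is exported (the old
# form exported three empty variables and every later command failed obscurely).
# While exported, the credentials are visible to `env` and `set -x`: unset them
# when done.
if creds=$(aws sts assume-role \
    --role-arn "arn:aws:iam::${DEST_ACCOUNT_ID}:role/${DEST_ASSUMED_ROLE}" \
    --role-session-name user \
    --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
    --output text); then
  read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<<"$creds"
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
else
  echo "assume-role failed; credentials not exported" >&2
fi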

Assume 2 - util para cloud shell

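# Assign on its own line: in `VAR=x cmd "$VAR"` the shell expands "$VAR" before
# the temporary assignment takes effect, so the original one-liner passed an
# empty --role-arn.
DEPLOY_ROLE="arn:aws:iam::1111111:role/role"

# The response holds a secret key and session token: keep it in a private
# mktemp file (owner-only permissions) instead of ./tmpfile, and remove it as
# soon as it has been parsed.
tmpfile=$(mktemp)
if aws sts assume-role --role-arn "$DEPLOY_ROLE" --role-session-name test > "$tmpfile"; then
  # jq -r prints the bare string, so no tr -d '"' is needed
  AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' "$tmpfile")
  AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' "$tmpfile")
  AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' "$tmpfile")
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
else
  echo "assume-role failed; credentials not exported" >&2
fi
rm -f -- "$tmpfile"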

ECR login

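regionID="eu-west-1"
aws_account_id="111111"

# ${var}, not $(var): $(regionID) is a command substitution that tries to run a
# program named regionID, leaving the region and registry host empty.
# --password-stdin keeps the token out of argv (and so out of `ps` and history).
aws ecr get-login-password --region "${regionID}" \
  | docker login --username AWS --password-stdin "${aws_account_id}.dkr.ecr.${regionID}.amazonaws.com"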

AWS IAM find a role that has a specific policy

# Lists the users, groups and roles the managed policy is attached to;
# --entity-filter narrows the output to one kind (Role). Angle brackets and the
# square brackets are placeholders/optional notation, not shell syntax.
aws iam list-entities-for-policy --policy-arn <arn_of_policy> [--entity-filter Role]

Task IAM role

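# ECS task credentials endpoint: AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set
# in the container by the ECS agent and a GET on it returns the task role's
# temporary credentials. Quote the expansion; the output is a secret, so keep
# it out of logs and shared terminals.
curl "169.254.170.2${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}"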

Ejemplo para el acceso a una RDS privada (my_rds.eu-west-1.rds.amazonaws.com) mediante un portforwarding en una bastion EC2 linux (i-1111111111111111) usando el profile indicado (substituir %PROFILE% por aoc-valid-dev por ejemplo):

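# `export AWS_PROFILE=... aws ssm ...` on one line runs nothing: export treats
# every following word as a variable name, so the session was never started.
# Export first, then run the command.
export AWS_PROFILE="%PROFILE%"
# Parameter value is what the original argv carried after shell quote removal,
# now single-quoted so the [..] parts cannot be taken as a glob.
aws ssm start-session \
  --target i-1111111111111111 \
  --document-name AWS-StartPortForwardingSessionToRemoteHost \
  --parameters 'portNumber=[5432],host=[my_rds.eu-west-1.rds.amazonaws.com],localPortNumber=[5432]' \
  --region eu-west-1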

Fargate CPU and memory amounts

CPU value Memory value (MiB)
256 (.25 vCPU) 512 (0.5GB), 1024 (1GB), 2048 (2GB)
512 (.5 vCPU) 1024 (1GB), 2048 (2GB), 3072 (3GB), 4096 (4GB)
1024 (1 vCPU) 2048 (2GB), 3072 (3GB), 4096 (4GB), 5120 (5GB), 6144 (6GB), 7168 (7GB), 8192 (8GB)
2048 (2 vCPU) Between 4096 (4GB) and 16384 (16GB) in increments of 1024 (1GB)
4096 (4 vCPU) Between 8192 (8GB) and 30720 (30GB) in increments of 1024 (1GB)

Conditional output

# Secret-version ARN when any secrets were configured, null otherwise.
output "secrets_arn" {
  value = (var.secrets != {}) ? one(aws_secretsmanager_secret_version.this[*].arn) : null
}

simulate user policy

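# Dry-run the IAM evaluation: does this role get s3:ListBucket on the bucket?
# Select the verdict with --query instead of grepping the JSON; this also keeps
# the action and resource next to each decision.
aws iam simulate-principal-policy \
  --policy-source-arn "arn:aws:iam::11111:role/gitlab-cicd" \
  --action-names "s3:ListBucket" \
  --resource-arns "arn:aws:s3:::dev-docs" \
  --query 'EvaluationResults[].[EvalActionName,EvalResourceName,EvalDecision]' \
  --output table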

Extend volume

root@ip-10-36-13-62:~# history
    1  cd
    2  lsblk
    3  parted nvme0n1 u s p
    4  parted nvme0n1p1 u s p
    5  parted /dev/nvme0n1 u s p
    6  growpart /dev/nvme0n1 1
    7  parted /dev/nvme0n1 u s p
    8  df -h
    9  lsblk
   10  mount | grep root
   11  mount
   12  ls -l /dev/
   13  ls -l /dev/ | grep root
   14  ls -lh /dev/root
   15  ls -lh /dev/nvme0n1
   16  stat /dev/nvme0n1
   17  stat /dev/root
   18  lsblk
   19  df -h
   20  growpart /dev/nvme0n1 1
   21  resize2fs /dev/nvme0n1p1
   22  df -h
   23  history

Detach volume

# Multi-Attach error for volume "pvc-475c6e8f-64bc-4f45-8bb8-a1d49105f7fa"
kubectl get pv  pvc-475c6e8f-64bc-4f45-8bb8-a1d49105f7fa -o yaml | grep volumeHandle
-> vol-049e89425da12117c

aws ec2 describe-volumes --volume-ids vol-049e89425da12117c \
  --query "Volumes[*].{ID:VolumeId,State:State,AZ:AvailabilityZone,Attached:Attachments[*].InstanceId}"
->
[
    {
        "ID": "vol-049e89425da12117c",
        "State": "in-use",
        "AZ": "eu-west-1a",
        "Attached": [
            "i-065073f1a6ee50a4f"
        ]
    }
]

# --force detaches without the OS unmounting first; the volume was still
# "in-use" by an instance above, so stop the workload using it first or
# unflushed writes may be lost.
aws ec2 detach-volume \
  --volume-id vol-049e89425da12117c \
  --force


# Generic form: list volumes attached to an instance, inspect one, detach it.
aws ec2 describe-volumes --filters Name=attachment.instance-id,Values=<instance-id>
aws ec2 describe-volumes --volume-ids <volume-id>
aws ec2 detach-volume --volume-id <volume-id> --force

Get AMIs

# Table of Ubuntu 24.04 (noble) amd64 gp3 server AMIs in eu-central-1.
# Only images from owner 099720109477 are listed — presumably the Ubuntu
# publisher account; confirm the owner id against the publisher's docs before
# launching from one of these images.
aws ec2 describe-images \
  --region eu-central-1 \
  --owners 099720109477 \
  --filters 'Name=name,Values=ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-amd64-server-*' \
  --query 'Images[*].{ID:ImageId,Name:Name}' \
  --output table

SSM connect to instance

# Interactive Session Manager shell on the instance (no SSH key or inbound port).
aws ssm start-session --region eu-central-1 --target i-0d720ab2acb71231c

{
"family": "",
"taskRoleArn": "",
"executionRoleArn": "",
"networkMode": "none",
"containerDefinitions": [
{
"name": "",
"image": "",
"repositoryCredentials": {
"credentialsParameter": ""
},
"cpu": 0,
"memory": 0,
"memoryReservation": 0,
"links": [
""
],
"portMappings": [
{
"containerPort": 0,
"hostPort": 0,
"protocol": "tcp"
}
],
"essential": true,
"entryPoint": [
""
],
"command": [
""
],
"environment": [
{
"name": "",
"value": ""
}
],
"environmentFiles": [
{
"value": "",
"type": "s3"
}
],
"mountPoints": [
{
"sourceVolume": "",
"containerPath": "",
"readOnly": true
}
],
"volumesFrom": [
{
"sourceContainer": "",
"readOnly": true
}
],
"linuxParameters": {
"capabilities": {
"add": [
""
],
"drop": [
""
]
},
"devices": [
{
"hostPath": "",
"containerPath": "",
"permissions": [
"read"
]
}
],
"initProcessEnabled": true,
"sharedMemorySize": 0,
"tmpfs": [
{
"containerPath": "",
"size": 0,
"mountOptions": [
""
]
}
],
"maxSwap": 0,
"swappiness": 0
},
"secrets": [
{
"name": "",
"valueFrom": ""
}
],
"dependsOn": [
{
"containerName": "",
"condition": "COMPLETE"
}
],
"startTimeout": 0,
"stopTimeout": 0,
"hostname": "",
"user": "",
"workingDirectory": "",
"disableNetworking": true,
"privileged": true,
"readonlyRootFilesystem": true,
"dnsServers": [
""
],
"dnsSearchDomains": [
""
],
"extraHosts": [
{
"hostname": "",
"ipAddress": ""
}
],
"dockerSecurityOptions": [
""
],
"interactive": true,
"pseudoTerminal": true,
"dockerLabels": {
"KeyName": ""
},
"ulimits": [
{
"name": "nofile",
"softLimit": 0,
"hardLimit": 0
}
],
"logConfiguration": {
"logDriver": "splunk",
"options": {
"KeyName": ""
},
"secretOptions": [
{
"name": "",
"valueFrom": ""
}
]
},
"healthCheck": {
"command": [
""
],
"interval": 0,
"timeout": 0,
"retries": 0,
"startPeriod": 0
},
"systemControls": [
{
"namespace": "",
"value": ""
}
],
"resourceRequirements": [
{
"value": "",
"type": "InferenceAccelerator"
}
],
"firelensConfiguration": {
"type": "fluentbit",
"options": {
"KeyName": ""
}
}
}
],
"volumes": [
{
"name": "",
"host": {
"sourcePath": ""
},
"configuredAtLaunch": true,
"dockerVolumeConfiguration": {
"scope": "shared",
"autoprovision": true,
"driver": "",
"driverOpts": {
"KeyName": ""
},
"labels": {
"KeyName": ""
}
},
"efsVolumeConfiguration": {
"fileSystemId": "",
"rootDirectory": "",
"transitEncryption": "DISABLED",
"transitEncryptionPort": 0,
"authorizationConfig": {
"accessPointId": "",
"iam": "ENABLED"
}
},
"fsxWindowsFileServerVolumeConfiguration": {
"fileSystemId": "",
"rootDirectory": "",
"authorizationConfig": {
"credentialsParameter": "",
"domain": ""
}
}
}
],
"placementConstraints": [
{
"type": "memberOf",
"expression": ""
}
],
"requiresCompatibilities": [
"EC2"
],
"cpu": "",
"memory": "",
"tags": [
{
"key": "",
"value": ""
}
],
"pidMode": "task",
"ipcMode": "task",
"proxyConfiguration": {
"type": "APPMESH",
"containerName": "",
"properties": [
{
"name": "",
"value": ""
}
]
},
"inferenceAccelerators": [
{
"deviceName": "",
"deviceType": ""
}
],
"ephemeralStorage": {
"sizeInGiB": 0
},
"runtimePlatform": {
"cpuArchitecture": "X86_64",
"operatingSystemFamily": "WINDOWS_SERVER_20H2_CORE"
}
}
a4b.amazonaws.com
access-analyzer.amazonaws.com
account.amazonaws.com
acm-pca.amazonaws.com
acm.amazonaws.com
airflow-env.amazonaws.com
airflow.amazonaws.com
alexa-appkit.amazon.com
alexa-connectedhome.amazon.com
amazonmq.amazonaws.com
amplify.amazonaws.com
apigateway.amazonaws.com
appflow.amazonaws.com
application-autoscaling.amazonaws.com
application-insights.amazonaws.com
appstream.amazonaws.com
appstream.application-autoscaling.amazonaws.com
appsync.amazonaws.com
athena.amazonaws.com
automation.amazonaws.com
autoscaling.amazonaws.com
aws-artifact-account-sync.amazonaws.com
backup.amazonaws.com
batch.amazonaws.com
billingconsole.amazonaws.com
braket.amazonaws.com
budgets.amazonaws.com
ce.amazonaws.com
channels.lex.amazonaws.com
chatbot.amazonaws.com
chime.amazonaws.com
cloud9.amazonaws.com
clouddirectory.amazonaws.com
cloudformation.amazonaws.com
cloudfront.amazonaws.com
cloudhsm.amazonaws.com
cloudsearch.amazonaws.com
cloudtrail.amazonaws.com
cloudwatch-crossaccount.amazonaws.com
codebuild.amazonaws.com
codecommit.amazonaws.com
codedeploy.${aws::region}.amazonaws.com
codedeploy.amazonaws.com
codeguru-reviewer.amazonaws.com
codepipeline.amazonaws.com
codestar-notifications.amazonaws.com
codestar.amazonaws.com
cognito-identity.amazonaws.com
cognito-idp.amazonaws.com
cognito-sync.amazonaws.com
comprehend.amazonaws.com
config-conforms.amazonaws.com
config-multiaccountsetup.amazonaws.com
config.amazonaws.com
connect.amazonaws.com
continuousexport.discovery.amazonaws.com
costalerts.amazonaws.com
custom-resource.application-autoscaling.amazonaws.com
databrew.amazonaws.com
datapipeline.amazonaws.com
datasync.amazonaws.com
dax.amazonaws.com
deeplens.amazonaws.com
delivery.logs.amazonaws.com
diode.amazonaws.com
directconnect.amazonaws.com
discovery.amazonaws.com
dlm.amazonaws.com
dms.amazonaws.com
ds.amazonaws.com
dynamodb.amazonaws.com
dynamodb.application-autoscaling.amazonaws.com
ec.amazonaws.com
ec2.amazonaws.com
ec2.application-autoscaling.amazonaws.com
ec2fleet.amazonaws.com
ec2scheduled.amazonaws.com
ecr.amazonaws.com
ecs-tasks.amazonaws.com
ecs.amazonaws.com
ecs.application-autoscaling.amazonaws.com
edgelambda.amazonaws.com
eks-fargate-pods.amazonaws.com
eks-fargate.amazonaws.com
eks-nodegroup.amazonaws.com
eks.amazonaws.com
elasticache.amazonaws.com
elasticbeanstalk.amazonaws.com
elasticfilesystem.amazonaws.com
elasticloadbalancing.amazonaws.com
elasticmapreduce.amazonaws.com
elastictranscoder.amazonaws.com
email.cognito-idp.amazonaws.com
emr-containers.amazonaws.com
es.amazonaws.com
events.amazonaws.com
firehose.amazonaws.com
fms.amazonaws.com
forecast.amazonaws.com
freertos.amazonaws.com
fsx.amazonaws.com
galaxy.amazonaws.com
gamelift.amazonaws.com
glacier.amazonaws.com
globalaccelerator.amazonaws.com
glue.amazonaws.com
greengrass.amazonaws.com
guardduty.amazonaws.com
health.amazonaws.com
honeycode.amazonaws.com
iam.amazonaws.com
imagebuilder.amazonaws.com
importexport.amazonaws.com
inspector.amazonaws.com
iot.amazonaws.com
iotanalytics.amazonaws.com
iotevents.amazonaws.com
iotsitewise.amazonaws.com
iotthingsgraph.amazonaws.com
ivs.amazonaws.com
jellyfish.amazonaws.com
kafka.amazonaws.com
kinesis.amazonaws.com
kinesis.{us-gov-region}.amazonaws.com
kinesisanalytics.amazonaws.com
kms.amazonaws.com
lakeformation.amazonaws.com
lambda.amazonaws.com
lex.amazonaws.com
license-manager.amazonaws.com
lightsail.amazonaws.com
logger.cloudfront.amazonaws.com
logs.amazonaws.com
machinelearning.amazonaws.com
macie.amazonaws.com
managedblockchain.amazonaws.com
managedservices.amazonaws.com
mediaconnect.amazonaws.com
mediaconvert.amazonaws.com
mediapackage.amazonaws.com
mediastore.amazonaws.com
mediatailor.amazonaws.com
meetings.chime.amazonaws.com
member.org.stacksets.cloudformation.amazonaws.com
metering-marketplace.amazonaws.com
mgn.amazonaws.com
migrationhub.amazonaws.com
mobileanalytics.amazonaws.com
mobilehub.amazonaws.com
monitoring.amazonaws.com
monitoring.rds.amazonaws.com
mq.amazonaws.com
network-firewall.amazonaws.com
ops.apigateway.amazonaws.com
opsworks-cm.amazonaws.com
opsworks.amazonaws.com
organizations.amazonaws.com
personalize.amazonaws.com
pinpoint.amazonaws.com
polly.amazonaws.com
purchaseorders.amazonaws.com
qldb.amazonaws.com
quicksight.amazonaws.com
ram.amazonaws.com
rds-preview.amazonaws.com
rds.amazonaws.com
redshift.amazonaws.com
rekognition.amazonaws.com
replication.dynamodb.amazonaws.com
replicator.lambda.amazonaws.com
resource-groups.amazonaws.com
robomaker.amazonaws.com
route53.amazonaws.com
route53domains.amazonaws.com
route53resolver.amazonaws.com
s3.amazonaws.com
sagemaker.amazonaws.com
secretsmanager.amazonaws.com
securityhub.amazonaws.com
serverlessrepo.amazonaws.com
servicecatalog-appregistry.amazonaws.com
servicecatalog.amazonaws.com
servicediscovery.amazonaws.com
ses.amazonaws.com
shield.amazonaws.com
signer.amazonaws.com
signin.amazonaws.com
sms.amazonaws.com
sns.amazonaws.com
spotfleet.amazonaws.com
sqs.amazonaws.com
ssm-incidents.amazonaws.com
ssm.amazonaws.com
sso.amazonaws.com
states.amazonaws.com
storagegateway.amazonaws.com
streams.metrics.cloudwatch.amazonaws.com
sts.amazonaws.com
support.amazonaws.com
swf.amazonaws.com
tagging.amazonaws.com
tagpolicies.tag.amazonaws.com
textract.amazonaws.com
timestream.amazonaws.com
transcribe.amazonaws.com
transfer.amazonaws.com
transitgateway.amazonaws.com
translate.amazonaws.com
trustedadvisor.amazonaws.com
tts.amazonaws.com
vmie.amazonaws.com
vpc-flow-logs.amazonaws.com
waf-regional.amazonaws.com
waf.amazonaws.com
wam.amazonaws.com
workdocs.amazonaws.com
worklink.amazonaws.com
workmail.amazonaws.com
workspaces.amazonaws.com
xray.amazonaws.com
{region}.elasticache-snapshot.amazonaws.com
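#######################################
# Report the exit status of the previous step and stop the script if it failed.
# Arguments: $1 - name of the step (used in the log line)
#            $2 - exit status of that step
# Outputs:   "Caller: <step> - rt: <status>" on stdout; failure message on stderr
# Returns:   0 when $2 is 0; otherwise exits the script with $2. Every later
#            step depends on the previous snapshot existing, so continuing after
#            a failure (the old behaviour, with `exit 1` commented out) only
#            produced further errors.
#######################################
errors() {
  local caller=${1:-unknown}
  local rt=${2:-1}
  echo "Caller: ${caller} - rt: ${rt}"
  if [[ "${rt}" -ne 0 ]]; then
    echo "something went wrong copying snapshot" >&2
    exit "${rt}"
  fi
}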
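# Take a manual RDS snapshot, copy it to another region and share it with
# another account. Every step reports its status through errors(); the last
# step (modify-db-snapshot-attribute) previously went unchecked.
DST_ACCOUNT="111111111111"
SRC_ACCOUNT="222222222222"
SRC_REGION="eu-central-1"
DST_REGION="eu-west-1"
SNAPSHOT_IDENTIFIER="rds_name"
RDS="rds_name"
# timestamp suffix keeps repeated runs from colliding on the snapshot name
MANUAL_SNAPSHOT="manual-${RDS}-for-sharing-$(date +%Y%m%d%H%M%S)"

aws rds create-db-snapshot \
  --region "${SRC_REGION}" \
  --db-instance-identifier "${RDS}" \
  --db-snapshot-identifier "${MANUAL_SNAPSHOT}"
rt=$?
errors create-db-snapshot "${rt}"

aws rds wait db-snapshot-available \
  --region "${SRC_REGION}" \
  --db-snapshot-identifier "${MANUAL_SNAPSHOT}"
rt=$?
errors db-snapshot-available "${rt}"

#-----------------
# Copy Snapshot in Cosmos between regions
echo "Latest ${SNAPSHOT_IDENTIFIER} snapshot: ${MANUAL_SNAPSHOT}"
COPIED_SNAPSHOT="${MANUAL_SNAPSHOT}-to-${DST_ACCOUNT}"
#-----------------
echo "Copy snapshot between regions ${COPIED_SNAPSHOT}"
# NOTE(review): no --kms-key-id is passed. If the source snapshot is encrypted
# the cross-region copy needs a key in the destination region, and a snapshot
# under the AWS-managed aws/rds key cannot be shared with another account —
# confirm which key the instance uses.
aws rds copy-db-snapshot \
  --region "${DST_REGION}" \
  --source-region "${SRC_REGION}" \
  --source-db-snapshot-identifier "arn:aws:rds:${SRC_REGION}:${SRC_ACCOUNT}:snapshot:${MANUAL_SNAPSHOT}" \
  --target-db-snapshot-identifier "${COPIED_SNAPSHOT}"
rt=$?
errors copy-db-snapshot "${rt}"

aws rds wait db-snapshot-available \
  --region "${DST_REGION}" \
  --db-snapshot-identifier "${COPIED_SNAPSHOT}"
rt=$?
errors db-snapshot-available-2 "${rt}"

#-----------------
# Share with Databox
# Adding an account to the "restore" attribute lets that account restore a
# full copy of the database from this snapshot; keep it to the one intended
# account id.
echo "Sharing snapshot with ... ${DST_ACCOUNT} - ${DST_REGION}"
aws rds modify-db-snapshot-attribute \
  --region "${DST_REGION}" \
  --db-snapshot-identifier "${COPIED_SNAPSHOT}" \
  --attribute-name restore \
  --values-to-add "${DST_ACCOUNT}"
rt=$?
errors modify-db-snapshot-attribute "${rt}"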