Russ Sayers russau
pip3 install mitmproxy

# launch on a different port, with web UI, I want to access it from the outside world
# (--web-host 0.0.0.0 binds the web UI on every interface, not only localhost)
mitmweb --mode regular@8082 --web-host 0.0.0.0

# configure the AWS cli to use the proxy and to trust the mitmproxy CA certificate
export HTTPS_PROXY=http://localhost:8082
export AWS_CA_BUNDLE=~/.mitmproxy/mitmproxy-ca-cert.cer
aws s3 ls

helm commands

helm repo add bitnami https://charts.bitnami.com/bitnami
helm install --dry-run webserver-release bitnami/nginx

helm install webserver-release bitnami/nginx \
  --set cloneStaticSiteFromGit.enabled=true \
  --set cloneStaticSiteFromGit.repository=https://github.com/russau/farewellemailgen \
  --set cloneStaticSiteFromGit.branch=main

Create a quick cluster with eksctl

# download kubectl and install https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

# https://docs.aws.amazon.com/eks/latest/userguide/eksctl.html
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
sudo mv /tmp/eksctl /usr/local/bin

My pod wants to access AWS resources - irsa

# set up trust between IAM and the EKS cluster OIDC provider
eksctl utils associate-iam-oidc-provider --cluster=quick-cluster --approve

# create a role and service account with DynamoDB access
eksctl create iamserviceaccount --cluster=quick-cluster \
  --name=dynamo-sa --namespace=default \
  --attach-policy-arn=arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess --approve

My AWS identity (role) wants to access kubernetes resources - fixed with EKS access-entries

First show the dangerous role / rolebinding

kubectl get clusterrole cluster-admin -o yaml

kubectl get clusterrolebinding cluster-admin -o yaml

My pod wants to access kubernetes resources - Kubernetes RBAC

Part 1 - try to get pods with the default sa

# run a kubectl pod using the default service account
# (kubectl run needs "--" before the container command)
kubectl run super-pod-mon --image=bitnami/kubectl --command -- sleep infinity

# peek at the volumes mounted into the pod
@russau
russau / jwt_maker.py
Created March 23, 2024 21:05
Assume a role with open id connect
from jose import jwt
import datetime
import boto3
# private key
key = {
"p": "snip"
}
# create a JWT token that will be accepted by the role trust policy
#!/bin/bash
BUCKET_ID=$(dd if=/dev/random bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \t\n')
BUCKET_NAME=lambda-artifacts-$BUCKET_ID
echo $BUCKET_NAME > bucket-name.txt
aws s3 mb s3://$BUCKET_NAME
echo "Enter your cluster name: "
read CLUSTER_NAME
echo $CLUSTER_NAME > cluster-name.txt
@russau
russau / app.py
Last active August 22, 2023 01:42
Async aioboto3 from lambda
import asyncio
import aioboto3

session = aioboto3.Session()

async def main():
    async with session.client("ec2") as ec2:
        # issue both EC2 API calls concurrently and wait for both results
        tasks = await asyncio.gather(
            ec2.describe_regions(),
            ec2.describe_instances()
        )
        return tasks

# run the coroutine
asyncio.run(main())
# see a list of API versions here: https://github.com/boto/botocore/tree/master/botocore/data
import boto3
versions = ["2014-09-01",
"2014-10-01",
"2015-03-01",
"2015-04-15",
"2015-10-01",
"2016-04-01",
"2016-09-15",