-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[CN-1306] add docs for workload identity (#222)
- Loading branch information
1 parent
8c978c0
commit f4dd18d
Showing
6 changed files
with
111 additions
and
22 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
apiVersion: hazelcast.com/v1alpha1 | ||
kind: Hazelcast | ||
metadata: | ||
name: hazelcast | ||
serviceAccountName: myServiceAccount |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,92 @@ | ||
= Authorization Methods to Access Cloud Storage | ||
|
||
You can use either a secret or Service Accounts to access your cloud storage, as detailed below. | ||
|
||
== Using Secrets | ||
|
||
You can create a secret to access cloud provider resources. You can find the secret creation examples for different cloud providers in the next sections: | ||
|
||
=== Accessing Resources on AWS | ||
|
||
[source,shell] | ||
---- | ||
kubectl create secret generic <secret-name> \ | ||
--from-literal=region=<region> \ | ||
--from-literal=access-key-id=<access-key-id> \ | ||
--from-literal=secret-access-key=<secret-access-key> | ||
---- | ||
|
||
See https://docs.aws.amazon.com/sdk-for-go/api/aws/session/[AWS Session] to learn about the authentication procedure. | ||
|
||
=== Accessing Resources on GCP | ||
|
||
[source,bash] | ||
---- | ||
kubectl create secret generic <secret-name> \ | ||
--from-file=google-credentials-path=<service_account_json_file> | ||
---- | ||
|
||
See https://cloud.google.com/docs/authentication/production/[Application Default Credentials] to learn about the authentication procedure. | ||
|
||
=== Accessing Resources on Azure | ||
|
||
[source,bash] | ||
---- | ||
kubectl create secret generic <secret-name> \ | ||
--from-literal=storage-account=<storage-account> \ | ||
--from-literal=storage-key=<storage-key> | ||
---- | ||
|
||
See https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal/[Azure Storage Account Keys] to learn about the authentication procedure. | ||
|
||
== Using Service Accounts | ||
|
||
You can use `Service Accounts` to access cloud provider resources without providing `secretName` in `HotBackup`, `JetJob`, `UCN` custom resources. To use this approach, you must provide `serviceAccountName` in your Hazelcast CR. | ||
|
||
.Example of Service Account Configuration | ||
[source,yaml,subs="attributes+"] | ||
---- | ||
include::ROOT:example$/service-account.yaml[] | ||
---- | ||
|
||
=== Accessing GCP Resources using Workload Identity | ||
Google Kubernetes Engine (GKE) Workload Identity is a feature that allows you to map a Kubernetes Service Account to a Google Cloud IAM (Identity and Access Management) Service Account so that users can manage pods permissions using IAM. | ||
|
||
Create a Service Account using the following command: | ||
|
||
[source,shell] | ||
---- | ||
kubectl create serviceaccount myServiceAccount --namespace <NAMESPACE> | ||
---- | ||
|
||
To use it, you must annotate the service account you created with the following command: | ||
|
||
[source,shell] | ||
---- | ||
kubectl annotate serviceaccount myServiceAccount \ | ||
--namespace <NAMESPACE> \ | ||
iam.gke.io/gcp-service-account=<GCP_SA_NAME>@<GCP_PROJECT>.iam.gserviceaccount.com | ||
---- | ||
|
||
See https://cloud.google.com/docs/authentication#service-accounts[Service Accounts] to learn more about it. | ||
|
||
=== Accessing AWS Resources using IAM Roles for Service Accounts | ||
IAM roles for service accounts is a feature that allows you to map a Kubernetes Service Account to an AWS IAM Role so that users can manage pods permissions using IAM. | ||
|
||
Create a Service Account using the following command: | ||
|
||
[source,shell] | ||
---- | ||
kubectl create serviceaccount myServiceAccount --namespace <NAMESPACE> | ||
---- | ||
|
||
To use it, you must annotate the service account you created with the following command: | ||
|
||
[source,shell] | ||
---- | ||
kubectl annotate serviceaccount myServiceAccount \ | ||
--namespace <NAMESPACE> \ | ||
eks.amazonaws.com/role-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:role/my-role | ||
---- | ||
|
||
See https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html[IAM Roles for Service Accounts] to learn more about it. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters