How to use IAM trusted profiles with your Kubernetes service accounts.

Kubernetes service accounts can now apply the trusted profile identity type, similar to federated users. Any pod that uses a Kubernetes service account can get an IAM token for a trusted profile and apply its permissions. This way, applications running inside pods in IBM Cloud containers can access IAM-enabled IBM Cloud services and classic infrastructure resources.

Advantages compared to other methods

Before the ability to get IAM tokens for trusted profiles, pods running on the IBM Cloud Kubernetes Service typically leveraged service IDs and their related API keys to access IBM Cloud services. IAM trusted profiles are offering the following advantages:

  • No credential deployment: To get an IAM token for a service ID, the pod needs to have access to an API key for that service ID. This API key is typically deployed into a Kubernetes secret, which requires a sophisticated and security-sensitive deployment process.
  • No credential rotation: Without the need to deploy a credential, there is also no need to rotate a credential.
  • Auditing: Each retrieval of an IAM token for an IAM trusted profile based on a Kubernetes service account is audited in IBM Cloud Activity Tracker. This gives you a more fine-grained insight into the IAM token retrieval than if you were to use a service ID with an API key. The fields and hold the details of the profile that is applied. For compute resources, the authnID fields hold the CRN that uniquely identifies the resource that applies a profile.
  • Least privilege: Mapping a Kubernetes service account to an IAM trusted profile gives you the ability to assign the exact level of access to IAM-enabled IBM Cloud services that the pod is required. If another pod requires another level of access, this can be achieved by using a different Kubernetes service account and a different IAM trusted profile.

How to enable your Kubernetes service account for IAM tokens

Step 1: Create a Kubernetes service account

Each Kubernetes pod is using a service account. Any pod that has no specific service account configuration will use the default service account for the Kubernetes namespace. To have better control over the usage of service accounts and how they access IAM trusted profiles, it is recommended to create an explicit service account for your pod. For more information, see Use the Default Service Account to access the API server

$ kubectl create serviceaccount my-sa -n my-namespace

Step 2: Prepare the pod to use the Kubernetes service account

The pod configuration must be updated to explicitly use the service account. To be able to leverage Kubernetes service accounts to get IAM tokens, you must also use the feature Service Account Token Volume Projection. IBM Cloud Kubernetes Service is already enabled for this feature, but you also have to provide additional information for the service account token into your deployment.

Complete Step 1 to correctly mount the service account token into your pod’s file system

The value for expirationSeconds must be not greater than 3600, otherwise IAM will refuse the service account token.

Step 3: Prepare your pod to get an IAM token

There are two methods that, together, generate an IAM token for a service account token. One is a curl command, and the other embeds this curl command into a Kubernetes job. Complete the steps in Configure your application pods to authenticate with IBM Cloud services to successfully get and test an IAM token.

Ready to get started? 

Begin exploring the trusted profiles UI page and the related documentation. In no time, you’ll be ready to create a trusted profile and automatically grant users access to your account with conditions based on SAML attributes from your corporate directory. 

Check out the following tutorial series to help you set up trusted profiles:  

You can also select from the following options to create trusted profiles: 


More from Cloud

Kubernetes version 1.28 now available in IBM Cloud Kubernetes Service

2 min read - We are excited to announce the availability of Kubernetes version 1.28 for your clusters that are running in IBM Cloud Kubernetes Service. This is our 23rd release of Kubernetes. With our Kubernetes service, you can easily upgrade your clusters without the need for deep Kubernetes knowledge. When you deploy new clusters, the default Kubernetes version remains 1.27 (soon to be 1.28); you can also choose to immediately deploy version 1.28. Learn more about deploying clusters here. Kubernetes version 1.28 In…

Temenos brings innovative payments capabilities to IBM Cloud to help banks transform

3 min read - The payments ecosystem is at an inflection point for transformation, and we believe now is the time for change. As banks look to modernize their payments journeys, Temenos Payments Hub has become the first dedicated payments solution to deliver innovative payments capabilities on the IBM Cloud for Financial Services®—an industry-specific platform designed to accelerate financial institutions' digital transformations with security at the forefront. This is the latest initiative in our long history together helping clients transform. With the Temenos Payments…

Foundational models at the edge

7 min read - Foundational models (FMs) are marking the beginning of a new era in machine learning (ML) and artificial intelligence (AI), which is leading to faster development of AI that can be adapted to a wide range of downstream tasks and fine-tuned for an array of applications.  With the increasing importance of processing data where work is being performed, serving AI models at the enterprise edge enables near-real-time predictions, while abiding by data sovereignty and privacy requirements. By combining the IBM watsonx data…

The next wave of payments modernization: Minimizing complexity to elevate customer experience

3 min read - The payments ecosystem is at an inflection point for transformation, especially as we see the rise of disruptive digital entrants who are introducing new payment methods, such as cryptocurrency and central bank digital currencies (CDBC). With more choices for customers, capturing share of wallet is becoming more competitive for traditional banks. This is just one of many examples that show how the payments space has evolved. At the same time, we are increasingly seeing regulators more closely monitor the industry’s…