How to use IAM trusted profiles with your Kubernetes service accounts.

Kubernetes service accounts can now apply the trusted profile identity type, similar to federated users. Any pod that uses a Kubernetes service account can get an IAM token for a trusted profile and apply its permissions. This way, applications running inside pods in IBM Cloud containers can access IAM-enabled IBM Cloud services and classic infrastructure resources.

Advantages compared to other methods

Before the ability to get IAM tokens for trusted profiles, pods running on the IBM Cloud Kubernetes Service typically leveraged service IDs and their related API keys to access IBM Cloud services. IAM trusted profiles are offering the following advantages:

  • No credential deployment: To get an IAM token for a service ID, the pod needs to have access to an API key for that service ID. This API key is typically deployed into a Kubernetes secret, which requires a sophisticated and security-sensitive deployment process.
  • No credential rotation: Without the need to deploy a credential, there is also no need to rotate a credential.
  • Auditing: Each retrieval of an IAM token for an IAM trusted profile based on a Kubernetes service account is audited in IBM Cloud Activity Tracker. This gives you a more fine-grained insight into the IAM token retrieval than if you were to use a service ID with an API key. The fields Initiator.id and Initiatior.name hold the details of the profile that is applied. For compute resources, the authnID fields hold the CRN that uniquely identifies the resource that applies a profile.
  • Least privilege: Mapping a Kubernetes service account to an IAM trusted profile gives you the ability to assign the exact level of access to IAM-enabled IBM Cloud services that the pod is required. If another pod requires another level of access, this can be achieved by using a different Kubernetes service account and a different IAM trusted profile.

How to enable your Kubernetes service account for IAM tokens

Step 1: Create a Kubernetes service account

Each Kubernetes pod is using a service account. Any pod that has no specific service account configuration will use the default service account for the Kubernetes namespace. To have better control over the usage of service accounts and how they access IAM trusted profiles, it is recommended to create an explicit service account for your pod. For more information, see Use the Default Service Account to access the API server

$ kubectl create serviceaccount my-sa -n my-namespace

Step 2: Prepare the pod to use the Kubernetes service account

The pod configuration must be updated to explicitly use the service account. To be able to leverage Kubernetes service accounts to get IAM tokens, you must also use the feature Service Account Token Volume Projection. IBM Cloud Kubernetes Service is already enabled for this feature, but you also have to provide additional information for the service account token into your deployment.

Complete Step 1 to correctly mount the service account token into your pod’s file system

The value for expirationSeconds must be not greater than 3600, otherwise IAM will refuse the service account token.

Step 3: Prepare your pod to get an IAM token

There are two methods that, together, generate an IAM token for a service account token. One is a curl command, and the other embeds this curl command into a Kubernetes job. Complete the steps in Configure your application pods to authenticate with IBM Cloud services to successfully get and test an IAM token.

Ready to get started? 

Begin exploring the trusted profiles UI page and the related documentation. In no time, you’ll be ready to create a trusted profile and automatically grant users access to your account with conditions based on SAML attributes from your corporate directory. 

Check out the following tutorial series to help you set up trusted profiles:  

You can also select from the following options to create trusted profiles: 

Was this article helpful?
YesNo

More from Cloud

Enhance your data security posture with a no-code approach to application-level encryption

4 min read - Data is the lifeblood of every organization. As your organization’s data footprint expands across the clouds and between your own business lines to drive value, it is essential to secure data at all stages of the cloud adoption and throughout the data lifecycle. While there are different mechanisms available to encrypt data throughout its lifecycle (in transit, at rest and in use), application-level encryption (ALE) provides an additional layer of protection by encrypting data at its source. ALE can enhance…

Attention new clients: exciting financial incentives for VMware Cloud Foundation on IBM Cloud

4 min read - New client specials: Get up to 50% off when you commit to a 1- or 3-year term contract on new VCF-as-a-Service offerings, plus an additional value of up to USD 200K in credits through 30 June 2025 when you migrate your VMware workloads to IBM Cloud®.1 Low starting prices: On-demand VCF-as-a-Service deployments begin under USD 200 per month.2 The IBM Cloud benefit: See the potential for a 201%3 return on investment (ROI) over 3 years with reduced downtime, cost and…

The history of the central processing unit (CPU)

10 min read - The central processing unit (CPU) is the computer’s brain. It handles the assignment and processing of tasks, in addition to functions that make a computer run. There’s no way to overstate the importance of the CPU to computing. Virtually all computer systems contain, at the least, some type of basic CPU. Regardless of whether they’re used in personal computers (PCs), laptops, tablets, smartphones or even in supercomputers whose output is so strong it must be measured in floating-point operations per…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters