How to enable and configure your cluster to use trusted profiles.

Authenticating to IBM Cloud resources

Developing effective solutions using IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud can require the use of other IBM Cloud resources. For example, an application may generate a result that needs to be stored in IBM Cloud Object Storage (COS) for future analysis. To store data in COS, proper IBM Cloud Identity and Access Management (IAM) authentication is required. 

This is typically accomplished by creating an API key that is stored in the cluster as a secret. There are a couple of drawbacks to this approach. First, the key is stored on the cluster and can be viewed by anyone with enough authority to the cluster. Second, the key must be managed according to security policies, which often must be rotated periodically.

Using trusted profiles

An alternative approach is to use trusted profiles, which provide a flexible, secure way to authorize compute resources (such as pods running in your cluster) to other IBM Cloud resources. Once the profile is created, an application can utilize a service account token projected into the pod to authenticate to IAM. The token is generated on supported clusters through the Kubernetes service account token volume projection feature.

The generated tokens can only be used on compute resources that match the trusted profile. Therefore, even if the token is leaked, it cannot be used on other compute resources. Also, the token is refreshed hourly, so unlike an API key in a secret, it does not need to be rotated.

Step-by-step instructions for writing to Cloud Object Storage from a Kubernetes cluster


  • IBM Cloud Kubernetes Service 1.21 or later cluster or Red Hat OpenShift on IBM Cloud 4.7 or later cluster
  • IBM Cloud Cloud Object Storage Instance and existing bucket

Minimum required permissions

  • Viewer platform access role and the Writer service access role for the cluster in IBM Cloud IAM for Kubernetes Service
  • The iam-identity.profile.create and iam-identity.profile.linkToResource actions for the IAM identity service

Step 1: Create the trusted profile

The profile provides the link between compute resources and the access policies:

  1. Go to Manage > Access (IAM) in the IBM Cloud console and select Trusted profiles.
  2. Click Create +.
  3. Name the profile “Kubernetes COS Profile”.
  4. Click Create.
  5. Select Details and note the Profile ID for later.

Step 2: Add a trust relationship to the trusted profile

The trust relationship identifies which actors have access to the defined policies:

  1. From the Trust relationship tab, select Add + under Compute resources.
  2. For compute service, select the service for your cluster: Kubernetes (for IBM Cloud Kubernetes Service) or Red Hat OpenShift on IBM Cloud.
  3. For compute resource, select Specific resources.
  4. Click Add a resource +.
  5. For allow access to, select your cluster.
  6. For Namespace and Service account, enter “default”.
  7. Click Save.

Step 3: Add access policies to the trusted profile

The access policies define which IBM Cloud resources can be accessed and how they can be used:

  1. From the Access policies tab, click Assign access +.
  2. Select IAM services.
  3. Select Cloud Object Storage from the list of services.
  4. Scope the access to the option Resources based on selected attributes.
  5. Select Service Instance and select your Cloud Object Storage instance.
  6. For Service access, select Object Writer.
  7. Click Add +.
  8. Click Assign.

Step 4: Create a pod configuration file

  1. In the volumes section, set up the service account volume:
      - name: service-account-volume
          - serviceAccountToken:
              path: service-account-token
  2. In the containers section, mount the volume:
          - mountPath: /var/run/secrets/tokens
            name: service-account-volume
  3. In the env section, set the trusted profile id:
          - name: TRUSTED_PROFILE_ID
            value: "Profile-5790481a-8fc5-46a4-bae3-d0e64ff6e0ad"
  4. In the env section, set the COS variables:
          - name: COS_ENDPOINT
            value: ""
          - name: COS_BUCKET
            value: "rkc-prod-cos-bucket-1"
          - name: COS_OBJECT
            value: "trusted-profile-object.txt"

This should result in your definition file looking similar to the following:

kind: Pod
apiVersion: v1
  name: trusted-profile-pod
    - name: trusted-profile
      image: ubuntu
      command: ["/bin/bash", "-ec", "apt -qy update && apt -qy upgrade && apt -qy install curl jq; while :; do echo '.'; sleep 5 ; done"]
      - mountPath: /var/run/secrets/tokens
        name: service-account-volume
      - name: TRUSTED_PROFILE_ID
        value: "Profile-5790481a-8fc5-46a4-bae3-d0e64ff6e0ad"
      - name: COS_ENDPOINT
        value: ""
      - name: COS_BUCKET
        value: "rkc-prod-cos-bucket-1"
      - name: COS_OBJECT
        value: "trusted-profile-object.txt"
  serviceAccountName: default
  - name: service-account-volume
      - serviceAccountToken:
          path: service-account-token
  restartPolicy: Never

Note that the pod’s namespace and service account must match the values specified in the trust relationship of the trusted profile. In our example, we are using the value, “default,” for both.

In this pod definition example, we are using a base Ubuntu image and installing the jq and curl to help run the commands in the following steps.

Step 5: Deploy your application

  1. Deploy your app to your cluster:
    $ kubectl apply -f trusted-profile-pod.yaml
  2. Verify the pod is healthy and in a running state:
    $ kubectl get pods
    NAME                  READY   STATUS    RESTARTS   AGE
    trusted-profile-pod   1/1     Running   0          20m

Step 6: Store an object to COS using the service account token

  1. Exec into the pod:
    $ kubectl exec -it trusted-profile-pod -- bash
  2. View the service account token: /var/run/secrets/tokens/service-account-token:
    $ cat /var/run/secrets/tokens/service-account-token
  3. Capture the service account token in a variable:
    $ CRTOKEN=$(cat /var/run/secrets/tokens/service-account-token)
  4. Exchange the service account token for a bearer token:
    $ curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -d grant_type=urn:ibm:params:oauth:grant-type:cr-token -d cr_token=$CRTOKEN -d profile_id=$TRUSTED_PROFILE_ID ""
  5. Capture the bearer token in a variable:
    $ TOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -d grant_type=urn:ibm:params:oauth:grant-type:cr-token -d cr_token=$CRTOKEN -d profile_id=$TRUSTED_PROFILE_ID "" | jq .access_token -r)
  6. Call the COS endpoint to store an object:
    $ curl -X "PUT" $COS_ENDPOINT/$COS_BUCKET/$COS_OBJECT -H "Authorization: bearer $TOKEN" -H "Content-Type: text/plain" -d "hello world"

Step 7: Verify the data is stored in COS

If all the commands from the previous step completed successfully, go into your Cloud Object Storage instance and verify that the object exists and contains the txt “hello world.” 

More information

You’ve now successfully enabled and configured your cluster to use trusted profiles with IBM Cloud Object Storage. You can find additional information about this topic in the following IBM Cloud documentation:


More from Cloud

Kubernetes version 1.28 now available in IBM Cloud Kubernetes Service

2 min read - We are excited to announce the availability of Kubernetes version 1.28 for your clusters that are running in IBM Cloud Kubernetes Service. This is our 23rd release of Kubernetes. With our Kubernetes service, you can easily upgrade your clusters without the need for deep Kubernetes knowledge. When you deploy new clusters, the default Kubernetes version remains 1.27 (soon to be 1.28); you can also choose to immediately deploy version 1.28. Learn more about deploying clusters here. Kubernetes version 1.28 In…

Temenos brings innovative payments capabilities to IBM Cloud to help banks transform

3 min read - The payments ecosystem is at an inflection point for transformation, and we believe now is the time for change. As banks look to modernize their payments journeys, Temenos Payments Hub has become the first dedicated payments solution to deliver innovative payments capabilities on the IBM Cloud for Financial Services®—an industry-specific platform designed to accelerate financial institutions' digital transformations with security at the forefront. This is the latest initiative in our long history together helping clients transform. With the Temenos Payments…

Foundational models at the edge

7 min read - Foundational models (FMs) are marking the beginning of a new era in machine learning (ML) and artificial intelligence (AI), which is leading to faster development of AI that can be adapted to a wide range of downstream tasks and fine-tuned for an array of applications.  With the increasing importance of processing data where work is being performed, serving AI models at the enterprise edge enables near-real-time predictions, while abiding by data sovereignty and privacy requirements. By combining the IBM watsonx data…

The next wave of payments modernization: Minimizing complexity to elevate customer experience

3 min read - The payments ecosystem is at an inflection point for transformation, especially as we see the rise of disruptive digital entrants who are introducing new payment methods, such as cryptocurrency and central bank digital currencies (CDBC). With more choices for customers, capturing share of wallet is becoming more competitive for traditional banks. This is just one of many examples that show how the payments space has evolved. At the same time, we are increasingly seeing regulators more closely monitor the industry’s…