How to use IAM trusted profiles with your Kubernetes service accounts.
Kubernetes service accounts can now apply the trusted profile identity type, similar to federated users. Any pod that uses a Kubernetes service account can get an IAM token for a trusted profile and apply its permissions. This way, applications running inside pods in IBM Cloud containers can access IAM-enabled IBM Cloud services and classic infrastructure resources.
Advantages compared to other methods
Before the ability to get IAM tokens for trusted profiles, pods running on the IBM Cloud Kubernetes Service typically leveraged service IDs and their related API keys to access IBM Cloud services. IAM trusted profiles are offering the following advantages:
- No credential deployment: To get an IAM token for a service ID, the pod needs to have access to an API key for that service ID. This API key is typically deployed into a Kubernetes secret, which requires a sophisticated and security-sensitive deployment process.
- No credential rotation: Without the need to deploy a credential, there is also no need to rotate a credential.
- Auditing: Each retrieval of an IAM token for an IAM trusted profile based on a Kubernetes service account is audited in IBM Cloud Activity Tracker. This gives you a more fine-grained insight into the IAM token retrieval than if you were to use a service ID with an API key. The fields
Initiatior.namehold the details of the profile that is applied. For compute resources, the
authnIDfields hold the CRN that uniquely identifies the resource that applies a profile.
- Least privilege: Mapping a Kubernetes service account to an IAM trusted profile gives you the ability to assign the exact level of access to IAM-enabled IBM Cloud services that the pod is required. If another pod requires another level of access, this can be achieved by using a different Kubernetes service account and a different IAM trusted profile.
How to enable your Kubernetes service account for IAM tokens
Step 1: Create a Kubernetes service account
Each Kubernetes pod is using a service account. Any pod that has no specific service account configuration will use the default service account for the Kubernetes namespace. To have better control over the usage of service accounts and how they access IAM trusted profiles, it is recommended to create an explicit service account for your pod. For more information, see Use the Default Service Account to access the API server.
Step 2: Prepare the pod to use the Kubernetes service account
The pod configuration must be updated to explicitly use the service account. To be able to leverage Kubernetes service accounts to get IAM tokens, you must also use the feature Service Account Token Volume Projection. IBM Cloud Kubernetes Service is already enabled for this feature, but you also have to provide additional information for the service account token into your deployment.
Complete Step 1 to correctly mount the service account token into your pod's file system.
The value for expirationSeconds must be not greater than 3600, otherwise IAM will refuse the service account token.
Step 3: Prepare your pod to get an IAM token
There are two methods that, together, generate an IAM token for a service account token. One is a curl command, and the other embeds this curl command into a Kubernetes job. Complete the steps in Configure your application pods to authenticate with IBM Cloud services to successfully get and test an IAM token.
Ready to get started?
Begin exploring the trusted profiles UI page and the related documentation. In no time, you'll be ready to create a trusted profile and automatically grant users access to your account with conditions based on SAML attributes from your corporate directory.
Check out the following tutorial series to help you set up trusted profiles:
- Managing access for federated users by using trusted profiles.
- Managing access for apps in compute resources.
You can also select from the following options to create trusted profiles: