How to enable and configure your cluster to use trusted profiles.
Authenticating to IBM Cloud resources
Developing effective solutions using IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud can require the use of other IBM Cloud resources. For example, an application may generate a result that needs to be stored in IBM Cloud Object Storage (COS) for future analysis. To store data in COS, proper IBM Cloud Identity and Access Management (IAM) authentication is required.
This is typically accomplished by creating an API key that is stored in the cluster as a secret. There are a couple of drawbacks to this approach. First, the key is stored on the cluster and can be viewed by anyone with enough authority to the cluster. Second, the key must be managed according to security policies, which often must be rotated periodically.
Using trusted profiles
An alternative approach is to use trusted profiles, which provide a flexible, secure way to authorize compute resources (such as pods running in your cluster) to other IBM Cloud resources. Once the profile is created, an application can utilize a service account token projected into the pod to authenticate to IAM. The token is generated on supported clusters through the Kubernetes service account token volume projection feature.
The generated tokens can only be used on compute resources that match the trusted profile. Therefore, even if the token is leaked, it cannot be used on other compute resources. Also, the token is refreshed hourly, so unlike an API key in a secret, it does not need to be rotated.
Step-by-step instructions for writing to Cloud Object Storage from a Kubernetes cluster
- IBM Cloud Kubernetes Service 1.21 or later cluster or Red Hat OpenShift on IBM Cloud 4.7 or later cluster
- IBM Cloud Cloud Object Storage Instance and existing bucket
Minimum required permissions
- Viewer platform access role and the Writer service access role for the cluster in IBM Cloud IAM for Kubernetes Service
- The iam-identity.profile.create and iam-identity.profile.linkToResource actions for the IAM identity service
Step 1: Create the trusted profile
The profile provides the link between compute resources and the access policies:
- Go to Manage > Access (IAM) in the IBM Cloud console and select Trusted profiles.
- Click Create +.
- Name the profile "Kubernetes COS Profile".
- Click Create.
- Select Details and note the Profile ID for later.
Step 2: Add a trust relationship to the trusted profile
The trust relationship identifies which actors have access to the defined policies:
- From the Trust relationship tab, select Add + under Compute resources.
- For compute service, select the service for your cluster: Kubernetes (for IBM Cloud Kubernetes Service) or Red Hat OpenShift on IBM Cloud.
- For compute resource, select Specific resources.
- Click Add a resource +.
- For allow access to, select your cluster.
- For Namespace and Service account, enter "default".
- Click Save.
Step 3: Add access policies to the trusted profile
The access policies define which IBM Cloud resources can be accessed and how they can be used:
- From the Access policies tab, click Assign access +.
- Select IAM services.
- Select Cloud Object Storage from the list of services.
- Scope the access to the option Resources based on selected attributes.
- Select Service Instance and select your Cloud Object Storage instance.
- For Service access, select Object Writer.
- Click Add +.
- Click Assign.
Step 4: Create a pod configuration file
- In the
volumessection, set up the service account volume:
- In the
containerssection, mount the volume:
- In the
envsection, set the trusted profile id:
- In the
envsection, set the COS variables:
This should result in your definition file looking similar to the following:
Note that the pod's namespace and service account must match the values specified in the trust relationship of the trusted profile. In our example, we are using the value, "default," for both.
In this pod definition example, we are using a base Ubuntu image and installing the
curl to help run the commands in the following steps.
Step 5: Deploy your application
- Deploy your app to your cluster:
- Verify the pod is healthy and in a running state:
Step 6: Store an object to COS using the service account token
- Exec into the pod:
- View the service account token:
- Capture the service account token in a variable:
- Exchange the service account token for a bearer token:
- Capture the bearer token in a variable:
- Call the COS endpoint to store an object:
Step 7: Verify the data is stored in COS
If all the commands from the previous step completed successfully, go into your Cloud Object Storage instance and verify that the object exists and contains the txt "hello world."
You've now successfully enabled and configured your cluster to use trusted profiles with IBM Cloud Object Storage. You can find additional information about this topic in the following IBM Cloud documentation: