Map Cloud IAM to Kubernetes Service Accounts
Cloud providers make it relatively easy to map Kubernetes ServiceAccount
resources to cloud IAM roles and accounts. This avoids having to expose long-lived secrets in order to access cloud resources, which both simplifies things and makes your applications more secure.
On AWS use IAM roles for service accounts (IRSA)
On GCP use Workload Identity (WLI)
In both cases the cloud IAM role or account is mapped to a Kubernetes ServiceAccount
resource using annotations; the cloud provider then issues short-lived credentials to pods that run as that ServiceAccount.
This means that you don't have to populate your Kubernetes cluster with cluster-admin style cloud IAM secrets, which makes your system more secure and reduces the possibility of accidentally exposing a secret.
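As an added example (not taken from the Jenkins X project or its Terraform modules), the two ServiceAccount manifests below show what the annotation-based mapping looks like on each provider. The annotation keys `eks.amazonaws.com/role-arn` and `iam.gke.io/gcp-service-account` are the real ones used by IRSA and Workload Identity; the AWS account id, role name, GCP project id, namespace and ServiceAccount names are placeholders you would replace with your own.

```yaml
# AWS EKS: IAM Roles for Service Accounts (IRSA).
# The IAM role's trust policy must allow the cluster's OIDC provider and should
# restrict the "sub" claim to exactly system:serviceaccount:<namespace>:<name>,
# so that only this ServiceAccount (not every pod in the cluster) can assume it.
# Grant the role only the permissions this workload needs (least privilege).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app                # placeholder ServiceAccount name
  namespace: jx               # placeholder namespace
  annotations:
    # placeholder account id and role name
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/my-app-role
---
# GCP GKE: Workload Identity (WLI).
# The Google service account named here must be bound to this Kubernetes
# ServiceAccount with the roles/iam.workloadIdentityUser role, using the member
# "serviceAccount:<project-id>.svc.id.goog[<namespace>/<ksa-name>]";
# without that binding the annotation alone grants nothing.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app                # placeholder ServiceAccount name
  namespace: jx               # placeholder namespace
  annotations:
    # placeholder GCP service account in placeholder project my-project
    iam.gke.io/gcp-service-account: my-app@my-project.iam.gserviceaccount.com
```

A pod that sets `serviceAccountName: my-app` receives its cloud credentials via a projected token rather than a mounted static key, so nothing long-lived needs to be stored in the cluster. When reviewing such a setup, check that each trust policy or IAM binding names one specific namespace/ServiceAccount pair and that the mapped cloud role is scoped to that workload's needs.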
Note that if you use Jenkins X to configure your clusters with Terraform and GitOps then you get this out of the box.