Map Cloud IAM to Kubernetes Service Accounts
Cloud providers make it relatively easy to map kubernetes
Service Account resources to cloud IAM roles and accounts which avoids having to expose secrets to access cloud resources which simplifies things and makes your applications more secure.
On AWS use IAM roles for service accounts (IRSA)
On GCP use Workload Identity (WLI)
In both cases this maps cloud IAM roles to kubernetes
ServiceAccount resources using annotations.
This means that you don’t have to populate your kubernetes cluster with cluster-admin style cloud IAM secrets - which makes your system more secure and reduces the possibility of accidentally exposing a secret.
Note that if you use Jenkins X to configure your clusters with Terraform and GitOps then you get this out of the box!
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.