A newer version of Hazelcast Operator is available.

View latest

Authorization Methods to Access Cloud Storage

You can use either a secret or Service Accounts to access your cloud storage, as detailed below.

Using Secrets

You can create a secret to access cloud provider resources. You can find the secret creation examples for different cloud providers in the next sections:

Accessing Resources on AWS

kubectl create secret generic <secret-name> \
--from-literal=region=<region> \
--from-literal=access-key-id=<access-key-id> \
--from-literal=secret-access-key=<secret-access-key>

See AWS Session to learn about the authentication procedure.

Accessing Resources on GCP

kubectl create secret generic <secret-name> \
	--from-file=google-credentials-path=<service_account_json_file>

See Application Default Credentials to learn about the authentication procedure.

Accessing Resources on Azure

kubectl create secret generic <secret-name> \
	--from-literal=storage-account=<storage-account> \
	--from-literal=storage-key=<storage-key>

See Azure Storage Account Keys to learn about the authentication procedure.

Using Service Accounts

You can use Service Accounts to access cloud provider resources without providing secretName in HotBackup, JetJob, UCN custom resources. To use this approach, you must provide serviceAccountName in your Hazelcast CR.

Example of Service Account Configuration
apiVersion: hazelcast.com/v1alpha1
kind: Hazelcast
metadata:
  name: hazelcast
  serviceAccountName: myServiceAccount

Accessing GCP Resources using Workload Identity

Google Kubernetes Engine (GKE) Workload Identity is a feature that allows you to map a Kubernetes Service Account to a Google Cloud IAM (Identity and Access Management) Service Account so that users can manage pods permissions using IAM.

Create a Service Account using the following command:

kubectl create serviceaccount myServiceAccount --namespace <NAMESPACE>

To use it, you must annotate the service account you created with the following command:

kubectl annotate serviceaccount myServiceAccount \
--namespace <NAMESPACE> \
iam.gke.io/gcp-service-account=<GCP_SA_NAME>@<GCP_PROJECT>.iam.gserviceaccount.com

See Service Accounts to learn more about it.

Accessing AWS Resources using IAM Roles for Service Accounts

IAM roles for service accounts is a feature that allows you to map a Kubernetes Service Account to an AWS IAM Role so that users can manage pods permissions using IAM.

Create a Service Account using the following command:

kubectl create serviceaccount myServiceAccount --namespace <NAMESPACE>

To use it, you must annotate the service account you created with the following command:

kubectl annotate serviceaccount myServiceAccount \
--namespace <NAMESPACE> \
eks.amazonaws.com/role-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:role/my-role

See IAM Roles for Service Accounts to learn more about it.