This is a prerelease version.


Authorization methods to access cloud storage

You can give Hazelcast access to your cloud storage either with a Kubernetes Secret that holds static provider credentials, or with a Kubernetes Service Account that is mapped to a cloud IAM identity.

Use secrets

You can create a Secret that holds static credentials for your cloud provider and reference it with secretName in the HotBackup, JetJob, or UCN custom resource. Keep in mind that a Secret is only base64-encoded, not encrypted: restrict who can read it with RBAC, and prefer --from-file over --from-literal where possible so the key material does not end up in your shell history.

Access resources on AWS

kubectl create secret generic <secret-name> \
  --from-literal=region=<region> \
  --from-literal=access-key-id=<access-key-id> \
  --from-literal=secret-access-key=<secret-access-key>

See AWS Session to learn about the authentication procedure.

Access resources on GCP

kubectl create secret generic <secret-name> \
  --from-file=google-credentials-path=<service_account_json_file>

See Application Default Credentials to learn about the authentication procedure.

Access resources on Azure

kubectl create secret generic <secret-name> \
  --from-literal=storage-account=<storage-account> \
  --from-literal=storage-key=<storage-key>

See Azure Storage Account Keys to learn about the authentication procedure.

Use Service Accounts

Alternatively, you can map a Kubernetes Service Account to a cloud IAM identity, so that no static credentials are stored in the cluster and you can omit secretName from the HotBackup, JetJob, and UCN custom resources. To use this approach, set spec.serviceAccountName in your Hazelcast CR to that Service Account; the Hazelcast pods then run under it and obtain cloud credentials from the provider's identity federation.

Example of Service Account configuration (serviceAccountName belongs under spec, not metadata; the name must be lowercase because Kubernetes object names are RFC 1123 subdomains):
apiVersion: hazelcast.com/v1alpha1
kind: Hazelcast
metadata:
  name: hazelcast
spec:
  serviceAccountName: my-service-account

Access GCP resources using Workload Identity

Google Kubernetes Engine (GKE) Workload Identity is a feature that lets you map a Kubernetes Service Account to a Google Cloud IAM (Identity and Access Management) service account, so that pod permissions are managed with IAM instead of distributed key files. Workload Identity must be enabled on the cluster, and the annotation below grants nothing on its own: the IAM service account must also grant the role roles/iam.workloadIdentityUser to the member serviceAccount:<GCP_PROJECT>.svc.id.goog[<NAMESPACE>/my-service-account].

  1. Create a Service Account (the name must be lowercase):

    kubectl create serviceaccount my-service-account --namespace <NAMESPACE>
  2. To use it, you must annotate the Service Account with the IAM service account it should impersonate:

    kubectl annotate serviceaccount my-service-account \
    --namespace <NAMESPACE> \
    iam.gke.io/gcp-service-account=<GCP_SA_NAME>@<GCP_PROJECT>.iam.gserviceaccount.com

See Service Accounts to learn more.

Access AWS resources using IAM roles for Service Accounts

IAM Roles for Service Accounts (IRSA) is a feature that lets you map a Kubernetes Service Account to an AWS IAM role, so that pod permissions are managed with IAM instead of static access keys. The cluster needs an IAM OIDC identity provider, and the role's trust policy must allow that provider to call sts:AssumeRoleWithWebIdentity with a StringEquals condition on the token subject system:serviceaccount:<NAMESPACE>:my-service-account. Without that condition, any Service Account in the cluster could assume the role.

  1. Create a Service Account (the name must be lowercase):

    kubectl create serviceaccount my-service-account --namespace <NAMESPACE>
  2. To use it, you must annotate the Service Account with the role it should assume:

    kubectl annotate serviceaccount my-service-account \
    --namespace <NAMESPACE> \
    eks.amazonaws.com/role-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:role/my-role

See IAM Roles for Service Accounts to learn more.
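The following POSIX shell script is an added example, not code from the Hazelcast documentation or the Operator project. It renders, offline, the objects that both the Workload Identity and the IRSA procedures above rely on: the annotated ServiceAccount, the Hazelcast CR that references it, the GKE IAM member string that must receive roles/iam.workloadIdentityUser, and the IRSA trust policy pinned to one namespace and ServiceAccount. The namespace hazelcast, the ServiceAccount hazelcast-sa, the project my-project, the account 123456789012, the OIDC provider host and the role and service-account names are all placeholder assumptions.

```shell
#!/bin/sh
# Added example, not part of the Hazelcast Operator docs. Renders, offline, the
# objects that the Workload Identity and IRSA procedures depend on.
# Assumed placeholder values: namespace "hazelcast", ServiceAccount "hazelcast-sa",
# GCP project "my-project", AWS account 123456789012, EKS OIDC provider
# "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE". Replace them with your own.

# Kubernetes ServiceAccount names must be lowercase RFC 1123 subdomains, so a
# name such as "myServiceAccount" is rejected by the API server.
valid_k8s_name() {
  [ "${#1}" -le 253 ] &&
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
}

# ServiceAccount manifest carrying the provider annotation.
# $1 namespace, $2 name, $3 annotation key, $4 annotation value
ksa_manifest() {
  valid_k8s_name "$2" || { echo "invalid ServiceAccount name: $2" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $2
  namespace: $1
  annotations:
    $3: $4
EOF
}

# Hazelcast CR that runs under the ServiceAccount; serviceAccountName lives under spec.
# $1 name, $2 namespace, $3 ServiceAccount name
hazelcast_cr() {
  cat <<EOF
apiVersion: hazelcast.com/v1alpha1
kind: Hazelcast
metadata:
  name: $1
  namespace: $2
spec:
  serviceAccountName: $3
EOF
}

# GKE: the IAM member that must be granted roles/iam.workloadIdentityUser on the
# IAM service account; the annotation alone grants nothing.
# $1 GCP project, $2 namespace, $3 ServiceAccount name
wi_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"
}

# EKS: trust policy for the IAM role. The StringEquals on ":sub" pins the role to
# exactly one namespace/ServiceAccount; with no such condition any ServiceAccount
# in the cluster could assume the role.
# $1 AWS account id, $2 OIDC provider (host/path, no scheme), $3 namespace, $4 ServiceAccount name
irsa_trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::$1:oidc-provider/$2" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "$2:aud": "sts.amazonaws.com",
        "$2:sub": "system:serviceaccount:$3:$4"
      }
    }
  }]
}
EOF
}

# Render everything for the assumed placeholder values.
NS=hazelcast; KSA=hazelcast-sa; PROJECT=my-project
ACCOUNT=123456789012; OIDC=oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE

echo "# GKE IAM member to bind roles/iam.workloadIdentityUser to:"; wi_member "$PROJECT" "$NS" "$KSA"
echo "---"; ksa_manifest "$NS" "$KSA" iam.gke.io/gcp-service-account "backup-sa@$PROJECT.iam.gserviceaccount.com"
echo "---"; ksa_manifest "$NS" "$KSA" eks.amazonaws.com/role-arn "arn:aws:iam::$ACCOUNT:role/hazelcast-backup"
echo "---"; hazelcast_cr hazelcast "$NS" "$KSA"
echo "# IRSA trust policy:"; irsa_trust_policy "$ACCOUNT" "$OIDC" "$NS" "$KSA"
```

To apply the rendered pieces, pipe the manifests into kubectl apply -f -, pass the member string to gcloud iam service-accounts add-iam-policy-binding with --role roles/iam.workloadIdentityUser, and save the trust policy to a file for aws iam create-role --assume-role-policy-document file://trust.json. The sub condition is the part worth reviewing in an audit: an IRSA role trusted with only the aud condition, or a Workload Identity binding granted to a broad member, turns a per-workload identity into a cluster-wide one.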