Amazon Web Services

This page describes the authentication options for Amazon Web Services (AWS).

For AWS, we currently support the following authentication methods:

AWS Credentials are defined in the .spec.aws field of the Credentials resource.

It can be used in combination with the following resources:

To use access key authentication, configure the accessKeyIdFrom and secretAccessKeyFrom fields in AWS Credentials.

The accessKeyIdFrom and secretAccessKeyFrom fields can be set to a SecretKeySelector that references a Kubernetes Secret.

apiVersion: kannika.io/v1alpha
kind: Credentials
metadata:
  name: aws-creds
spec:
  aws:
    description: "Access key authentication for AWS" # Optional description
    accessKeyIdFrom:
      secretKeyRef:
        name: aws-creds # Name of the secret below
        key: accessKeyId # References the access key id in the secret
    secretAccessKeyFrom:
      secretKeyRef:
        name: aws-creds # Name of the secret below
        key: secretAccessKey # References the secret access key in the secret

And here is the corresponding secret:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: aws-creds
data:
  accessKeyId: dGhla2V5aWQ= # thekeyid
  secretAccessKey: dGhlU2VjcmV0S2V5 # theSecretKey

A Kubernetes ServiceAccount (SA) can be attached to provide a specific identity to the processes running within the pods.

This configuration is primarily used to enable Workload Identity, where the Kubernetes ServiceAccount is mapped to a cloud provider IAM role. This mechanism allows pods to securely access external systems, such as cloud storage, without the need for managing static secrets or credentials.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account

Then, on the Armory resource, set serviceAccountName to the name of the service account.

apiVersion: kannika.io/v1alpha
kind: Backup
metadata:
  name: backup
spec:
  source: "kafka"
  sink: "storage"
  serviceAccountName: "my-service-account"
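
One way the ServiceAccount-to-IAM-role mapping described above can look on Amazon EKS with IAM Roles for Service Accounts (IRSA). This is an added example, not part of the original page or Kannika's own configuration; the EKS/IRSA setup, the `armory` namespace and the role ARN are assumptions and placeholders.

```yaml
# Added example. Assumes Amazon EKS with an IAM OIDC provider
# already associated with the cluster (IRSA).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: armory   # assumed namespace; use the one the Backup runs in
  annotations:
    # Placeholder ARN: substitute your own account ID and role name.
    eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"

# The IAM role's trust policy should allow sts:AssumeRoleWithWebIdentity
# only when both conditions on the cluster's OIDC provider hold:
#   <oidc-provider>:sub = system:serviceaccount:armory:my-service-account
#   <oidc-provider>:aud = sts.amazonaws.com
# Pinning "sub" to one namespace and one ServiceAccount keeps other pods
# in the cluster from assuming the role. The role's permission policy
# should grant only the storage actions the backup needs, on the specific
# bucket it writes to.
```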