    Amazon Web Services

    This page describes the authentication options for Amazon Web Services (AWS).

    For AWS, we currently support the following authentication methods:

    AWS Credentials

    AWS Credentials are defined in the .spec.aws field of the Credentials resource.

    They can be used in combination with the following resources:

    Configuring Access Key Authentication

    To use access key authentication, configure the accessKeyIdFrom and secretAccessKeyFrom fields in AWS Credentials.

    The accessKeyIdFrom and secretAccessKeyFrom fields can be set to a SecretKeySelector that references a Kubernetes Secret.

    apiVersion: kannika.io/v1alpha
    kind: Credentials
    metadata:
      name: aws-creds
    spec:
      aws:
        description: "Access key authentication for AWS" # Optional description
        accessKeyIdFrom:
          secretKeyRef:
            name: aws-creds # Name of the secret below
            key: accessKeyId # References the access key id in the secret
        secretAccessKeyFrom:
          secretKeyRef:
            name: aws-creds # Name of the secret below
            key: secretAccessKey # References the secret access key in the secret

    And here is the corresponding secret:

    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: aws-creds
    data:
      accessKeyId: dGhla2V5aWQ= # thekeyid
      secretAccessKey: dGhlU2VjcmV0S2V5 # theSecretKey
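
    The following is an added example, not part of the original documentation or the project's own code: a pre-apply check that both secretKeyRef entries resolve to keys in the Secret and that each value is clean base64, without ever printing the credential. The function name check_aws_credentials and the dict form of the manifests are assumptions made for this illustration.

```python
import base64

# Constructed sample manifests mirroring the two resources above, as dicts
# (the shape `kubectl get -o json` returns). Not taken from a real cluster.
CREDENTIALS = {
    "apiVersion": "kannika.io/v1alpha", "kind": "Credentials",
    "metadata": {"name": "aws-creds"},
    "spec": {"aws": {
        "accessKeyIdFrom": {"secretKeyRef": {"name": "aws-creds", "key": "accessKeyId"}},
        "secretAccessKeyFrom": {"secretKeyRef": {"name": "aws-creds", "key": "secretAccessKey"}},
    }},
}
SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "aws-creds"},
    "data": {"accessKeyId": "dGhla2V5aWQ=", "secretAccessKey": "dGhlU2VjcmV0S2V5"},
}


def check_aws_credentials(credentials, secrets):
    """Return a list of problems; an empty list means every reference resolves."""
    by_name = {s["metadata"]["name"]: s for s in secrets}
    aws = credentials.get("spec", {}).get("aws", {})
    problems = []
    for field in ("accessKeyIdFrom", "secretAccessKeyFrom"):
        ref = aws.get(field, {}).get("secretKeyRef")
        if not ref:
            problems.append(f"{field}: no secretKeyRef set")
            continue
        secret = by_name.get(ref.get("name"))
        if secret is None:
            problems.append(f"{field}: Secret {ref.get('name')!r} not found")
            continue
        encoded = secret.get("data", {}).get(ref.get("key"))
        if encoded is None:
            problems.append(f"{field}: key {ref.get('key')!r} missing from Secret")
            continue
        try:
            value = base64.b64decode(encoded, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            problems.append(f"{field}: value is not valid base64")
            continue
        # `echo value | base64` (without -n) bakes a newline into the credential.
        if not value or value != value.strip():
            problems.append(f"{field}: decoded value is empty or has stray whitespace")
    return problems


if __name__ == "__main__":
    print(check_aws_credentials(CREDENTIALS, [SECRET]) or "references OK")
```

    The messages name only the field and the key, never the decoded value, so the output is safe to keep in CI logs.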

    IAM Service Account Authentication

    It is possible to attach a Kubernetes ServiceAccount (SA) to a Backup Pod or to a Restore Pod. A ServiceAccount is used to provide an identity for processes that run in a Pod. The identity is used to determine what resources the process has access to.

    This is useful when the Kubernetes cluster runs on a cloud provider that supports Workload Identity, where the ServiceAccount is mapped to an IAM role that has the necessary permissions to access the external system.

    See the Backup Pod Configuration and Restore Pod Configuration sections for how to attach a ServiceAccount.