Amazon Web Services
This page describes the authentication options for Amazon Web Services (AWS).
For AWS, we currently support the following authentication methods:
AWS Credentials
Section titled “AWS Credentials”AWS Credentials are defined in the .spec.aws field of the Credentials resource.
It can be used in combination with the following resources:
Configuring Access Key Authentication
Section titled “Configuring Access Key Authentication”To use access key authentication,
configure the accessKeyIdFrom and secretAccessKeyFrom fields in AWS Credentials.
The accessKeyIdFrom and secretAccessKeyFrom fields can be set to a
SecretKeySelector
that references a
Kubernetes Secret .
apiVersion: kannika.io/v1alphakind: Credentialsmetadata: name: aws-credsspec: aws: description: "Access key authentication for AWS" # Optional description accessKeyIdFrom: secretKeyRef: name: aws-creds # Name of the secret below key: accessKeyId # References the access key id in the secret secretAccessKeyFrom: secretKeyRef: name: aws-creds # Name of the secret below key: secretAccessKey # References the secret access key in the secretAnd here is the corresponding secret:
apiVersion: v1kind: Secrettype: Opaquemetadata: name: aws-credsdata: accessKeyId: dGhla2V5aWQ= # thekeyid secretAccessKey: dGhlU2VjcmV0S2V5 # theSecretKeyIAM Service Account Authentication
Section titled “IAM Service Account Authentication”It is possible to attach a Kubernetes ServiceAccount (SA) to a Backup Pod or to a Restore Pod. A ServiceAccount is used to provide an identity for processes that run in a Pod. The identity is used to determine what resources the process has access to.
This is useful when the Kubernetes cluster runs on a cloud provider that supports Workload Identity, where the ServiceAccount is mapped to an IAM role that has the necessary permissions to access the external system.
Please check the Backup Pod Configuration and the Restore Pod Configuration sections on how to attach a ServiceAccount.