IAM Service Account

A Kubernetes ServiceAccount (SA) can be attached to provide a specific identity to the processes running within the pods.

This configuration is primarily used to enable Workload Identity, where the Kubernetes ServiceAccount is mapped to a cloud provider IAM role. This mechanism allows pods to securely access external systems, such as cloud storage, without the need for managing static secrets or credentials.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account

Then on the Armory resource, configure the service account.

Backup

apiVersion: io.kannika/v1alpha
kind: Backup
metadata:
  name: backup
spec:
  source: "kafka"
  sink: "storage"
  serviceAccountName: "my-service-account"

Restore

apiVersion: io.kannika/v1alpha
kind: Restore
metadata:
  name: restore
spec:
  source: "storage"
  sink: "kafka"
  serviceAccountName: "my-service-account"

SchemaRegistryBackup

apiVersion: io.kannika/v1alpha
kind: SchemaRegistryBackup
metadata:
  name: backup
spec:
  storage: "storage"
  registry: "schema-registry"
  serviceAccountName: "my-service-account"

SchemaRegistryRestore

apiVersion: io.kannika/v1alpha
kind: SchemaRegistryRestore
metadata:
  name: restore
spec:
  storage: "storage"
  registry: "schema-registry"
  serviceAccountName: "my-service-account"

Note

Workload Identity support is currently limited to Storage integrations. Armory does not support workload identity for Kafka at this time. Native authentication methods must be used instead, as detailed in the Kafka Authentication section.