Feature Request
I would like to authenticate Kanister using Workload Identity (for GCP) and OpenID Connect (for AWS). This allows authentication without the management of service-account keys, which improves the security of the system.
Description
This would need to be implemented as an alternative authentication method for the Profile resource. Currently, for GCP, it is required to provide a service-key. When using Workload Identity, a reference to a Google SA and a K8s SA that are linked should be enough to authenticate Kanister. This should work similarly in AWS.
Current situation
I believe it is possible to use Workload Identity inside the Actionset when using gcloud/gsutil commands in the Blueprint, as stated in this issue.
Misc
Add this to the Documentation with an example.
Feel free to ask if you need any more information. Thanks in advance!
Thanks for opening this issue 👍. The team will review it shortly.
If this is a bug report, make sure to include clear instructions on how to reproduce the problem with minimal reproducible examples, where possible. If this is a security report, please review our security policy as outlined in SECURITY.md.
If you haven't already, please take a moment to review our project's Code of Conduct document.