Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Warning

This page was translated from the original Japanese version by PLaMo Translate. The Japanese version is authoritative; the English translation may contain inaccuracies.

Configuring Identity Federation with Public Cloud Services

The keys used for accessing public cloud resources are strong authentication credentials, and unauthorized removal poses significant security risks. To enable access to public cloud resources without transferring these keys, PFCP supports identity federation with public cloud providers. Through identity federation, permissions for the public cloud are granted to Kubernetes ServiceAccounts, allowing secure access.

This section provides instructions for establishing identity federation connections with two major public cloud providers: Amazon Web Services (AWS) and Google Cloud.

Configuring with AWS

AWS-Side Configuration

  1. Refer to the AWS documentation Creating an OpenID Connect (OIDC) Identity Provider in IAM - AWS Identity and Access Management to create an OIDC provider within your target AWS account. 1

  2. Create an IAM role to be used for accessing AWS. This IAM role will be linked to the Kubernetes ServiceAccount through identity federation.

  3. Configure a trust policy specifying the Kubernetes ServiceAccount that should assume this role to enable federation-based linking (see documentation):

    {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                // Specify the ARN of the OIDC provider created in the previous step.
                "Federated": "arn:aws:iam::XXXXXXXXXXX:oidc-provider/token.<pfcp_cluster>.kubernetes.pfcomputing.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    // Specify the name of the Kubernetes ServiceAccount to assume this role.
                    "token.<pfcp_cluster>.kubernetes.pfcomputing.com:sub": "system:serviceaccount:<namespace>:<serviceaccount>"
                }
            }
        }]
    }
    

    Warning

    Ensure you properly configure the Condition section. Failure to do so will grant permissions to all ServiceAccounts, including those from other organizations.

  4. By default, AWS enables audit logging for identity federation through Cloud Trail and retains logs for 90 days. To extend retention beyond 90 days, refer to Creating a Trail for Your AWS Account - AWS CloudTrail and modify the settings accordingly.

Kubernetes Cluster-Side Configuration

  1. Specify the AWS IAM role to be assigned to the ServiceAccount in the ServiceAccount annotations:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: foo
      annotations:
        aws.id-federation.preferred.jp/role-arn: "arn:aws:iam::{aws_account_id}:role/{role}"
    
  2. When creating Pods, specify this ServiceAccount in the .spec.serviceAccountName field. Using AWS SDKs within the Pod will grant access to AWS via the AWS IAM Role associated with the ServiceAccount. The session token expires after 1 hour and will be automatically refreshed as long as the AWS SDK remains in use.

  3. Verify the configuration by checking:

    • The IAM role currently used by the Pod:
      $ kubectl get po <pod> -o yaml | grep AWS_ROLE_ARN:
          AWS_ROLE_ARN:                 arn:aws:iam::861856390547:role/id-federation-test-sr1-01
      
    • The presence of a web identity token file mounted in the Pod:
      $ kubectl get po <pod> -o yaml | grep AWS_WEB_IDENTITY_TOKEN_FILE:
          AWS_WEB_IDENTITY_TOKEN_FILE:  /var/run/secrets/sts.amazonaws.com/serviceaccount/token
      

Configuring with Google Cloud

PFCP deploys gcp-workload-identity-federation-webhook, which can be used to configure identity federation with Google Cloud.

Google Cloud-Side Configuration

Refer to Configuring Workload Identity Integration with Kubernetes | IAM Documentation | Google Cloud and perform the following setup:

  1. Create a Workload Identity pool and provider within the Google Cloud project you wish to access.

  2. Create a Google IAM service account to be used for accessing Google Cloud and grant it necessary permissions for the target resources. This service account will be linked to the Kubernetes ServiceAccount through identity federation.

  3. To enable federation-based linking, assign the Workload Identity user role (roles/iam.workloadIdentityUser) to the above Google IAM service account. When specifying members, limit permission to only the Kubernetes ServiceAccount by including the following:

    principal://iam.googleapis.com/projects/<Google Cloud project ID> \
    /locations/global/workloadIdentityPools/<ID of created Workload Identity pool> \
    /subject/<cluster's provider URL>::system:serviceaccount:<Kubernetes ServiceAccount Namespace>:<Kubernetes ServiceAccount Name>
    

Kubernetes Cluster-Side Configuration

  1. In the ServiceAccount annotations, configure the following values: the Workload Identity provider, the IAM service account to be assumed, and the expected audience value required by the Workload Identity provider.

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      annotations:
        googlecloud.id-federation.preferred.jp/workload-identity-provider: |-
          projects/<Google Cloud project ID>/locations/global/workloadIdentityPools/<ID of created Workload Identity pool>/providers/<ID of created Workload Identity pool provider>
        googlecloud.id-federation.preferred.jp/service-account-email: |-
          <Google IAM service account name>@<Google Cloud project name>.iam.gserviceaccount.com
        googlecloud.id-federation.preferred.jp/audience: <Expected audience value for Workload Identity provider>
    
  2. When creating Pods, specify this ServiceAccount in the .spec.serviceAccountName field. Using Google Cloud SDKs within the Pod will automatically access Google Cloud using the Google IAM service account linked to the specified ServiceAccount. The credentials default to 24-hour validity and will be automatically refreshed as long as the Google Cloud SDK remains in use.

For more detailed information, please refer to the README for the gcp-workload-identity-federation-webhook.


  1. If you are using multiple PFCP clusters, separate configuration is required for each cluster. ↩2