Warning
This page was translated from the original Japanese version by PLaMo Translate. The Japanese version is authoritative; the English translation may contain inaccuracies.
Configuring Identity Federation with Public Cloud Services
The keys used for accessing public cloud resources are strong authentication credentials, and unauthorized removal poses significant security risks. To enable access to public cloud resources without transferring these keys, PFCP supports identity federation with public cloud providers. Through identity federation, permissions for the public cloud are granted to Kubernetes ServiceAccounts, allowing secure access.
This section provides instructions for establishing identity federation connections with two major public cloud providers: Amazon Web Services (AWS) and Google Cloud.
Configuring with AWS
AWS-Side Configuration
-
Refer to the AWS documentation Creating an OpenID Connect (OIDC) Identity Provider in IAM - AWS Identity and Access Management to create an OIDC provider within your target AWS account. 1
- For the provider URL, refer to the Region and Compute Node documentation.
- Allowed audience:
sts.amazonaws.com
-
Create an IAM role to be used for accessing AWS. This IAM role will be linked to the Kubernetes ServiceAccount through identity federation.
-
Configure a trust policy specifying the Kubernetes ServiceAccount that should assume this role to enable federation-based linking (see documentation):
{ "Version": "2012-10-17", "Statement": [{ "Sid": "", "Effect": "Allow", "Principal": { // Specify the ARN of the OIDC provider created in the previous step. "Federated": "arn:aws:iam::XXXXXXXXXXX:oidc-provider/token.<pfcp_cluster>.kubernetes.pfcomputing.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { // Specify the name of the Kubernetes ServiceAccount to assume this role. "token.<pfcp_cluster>.kubernetes.pfcomputing.com:sub": "system:serviceaccount:<namespace>:<serviceaccount>" } } }] }Warning
Ensure you properly configure the Condition section. Failure to do so will grant permissions to all ServiceAccounts, including those from other organizations.
-
By default, AWS enables audit logging for identity federation through Cloud Trail and retains logs for 90 days. To extend retention beyond 90 days, refer to Creating a Trail for Your AWS Account - AWS CloudTrail and modify the settings accordingly.
Kubernetes Cluster-Side Configuration
-
Specify the AWS IAM role to be assigned to the ServiceAccount in the ServiceAccount annotations:
apiVersion: v1 kind: ServiceAccount metadata: name: foo annotations: aws.id-federation.preferred.jp/role-arn: "arn:aws:iam::{aws_account_id}:role/{role}" -
When creating Pods, specify this ServiceAccount in the
.spec.serviceAccountNamefield. Using AWS SDKs within the Pod will grant access to AWS via the AWS IAM Role associated with the ServiceAccount. The session token expires after 1 hour and will be automatically refreshed as long as the AWS SDK remains in use. -
Verify the configuration by checking:
- The IAM role currently used by the Pod:
$ kubectl get po <pod> -o yaml | grep AWS_ROLE_ARN: AWS_ROLE_ARN: arn:aws:iam::861856390547:role/id-federation-test-sr1-01 - The presence of a web identity token file mounted in the Pod:
$ kubectl get po <pod> -o yaml | grep AWS_WEB_IDENTITY_TOKEN_FILE: AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/sts.amazonaws.com/serviceaccount/token
- The IAM role currently used by the Pod:
Configuring with Google Cloud
PFCP deploys gcp-workload-identity-federation-webhook, which can be used to configure identity federation with Google Cloud.
Google Cloud-Side Configuration
Refer to Configuring Workload Identity Integration with Kubernetes | IAM Documentation | Google Cloud and perform the following setup:
-
Create a Workload Identity pool and provider within the Google Cloud project you wish to access.
- For the provider URL, refer to the Region and Compute Node documentation. 1
-
Create a Google IAM service account to be used for accessing Google Cloud and grant it necessary permissions for the target resources. This service account will be linked to the Kubernetes ServiceAccount through identity federation.
-
To enable federation-based linking, assign the Workload Identity user role (
roles/iam.workloadIdentityUser) to the above Google IAM service account. When specifying members, limit permission to only the Kubernetes ServiceAccount by including the following:principal://iam.googleapis.com/projects/<Google Cloud project ID> \ /locations/global/workloadIdentityPools/<ID of created Workload Identity pool> \ /subject/<cluster's provider URL>::system:serviceaccount:<Kubernetes ServiceAccount Namespace>:<Kubernetes ServiceAccount Name>
Kubernetes Cluster-Side Configuration
-
In the ServiceAccount annotations, configure the following values: the Workload Identity provider, the IAM service account to be assumed, and the expected audience value required by the Workload Identity provider.
apiVersion: v1 kind: ServiceAccount metadata: annotations: googlecloud.id-federation.preferred.jp/workload-identity-provider: |- projects/<Google Cloud project ID>/locations/global/workloadIdentityPools/<ID of created Workload Identity pool>/providers/<ID of created Workload Identity pool provider> googlecloud.id-federation.preferred.jp/service-account-email: |- <Google IAM service account name>@<Google Cloud project name>.iam.gserviceaccount.com googlecloud.id-federation.preferred.jp/audience: <Expected audience value for Workload Identity provider> -
When creating Pods, specify this ServiceAccount in the
.spec.serviceAccountNamefield. Using Google Cloud SDKs within the Pod will automatically access Google Cloud using the Google IAM service account linked to the specified ServiceAccount. The credentials default to 24-hour validity and will be automatically refreshed as long as the Google Cloud SDK remains in use.
For more detailed information, please refer to the README for the gcp-workload-identity-federation-webhook.