Authorizing resources with IAM trusted profiles
Virtual Private Cloud Classic infrastructure Satellite
Learn how to setup access to or for your resources by using trusted profiles.
You can enable IAM trusted profiles by running the ibmcloud ks cluster master refresh command.
- In IAM
- Start by creating an IAM trusted profile. Then, link the trusted profile with your IBM Cloud Kubernetes Service compute resource by selecting conditions to match with your clusters, including a Kubernetes namespace and service account in the clusters. Finally, assign access policies to the IBM Cloud services that you want your apps to use.
- In your cluster
- Through Kubernetes service account token volume projection, the apps that run in your linked cluster's Kubernetes namespace and use the namespace's service account can exchange the service account public key to get an IBM Cloud IAM access token. Your app can use this access token to authenticate API requests to IBM Cloud services, such as databases, Watson, or VPC infrastructure. Through the access policies of the trusted profile, you control what actions the token lets the app perform.
Creating an IAM trusted profile
To create a trusted profile in your account, see Creating trusted profiles in the IAM documentation. Note that to create a trusted profile, you must be the account owner. Additionally, the following access roles are required.
- Administrator role for all account management services.
- Administrator role on the IAM Identity Service. For more information, see IAM Identity Service.
- Additional roles required for your specific resources and components.
Set the default trusted profile for the cluster
To set a trusted profile for a single cluster, run the ibmcloud ks experimental trusted-profile set command.
If you want all the clusters in a resource group to use the same trusted profile, run the ibmcloud ks experimental trusted-profile default set command.
Get the details of your trusted profile
To get the default trusted profile for clusters in the same resource group, run the ibmcloud ks experimental trusted-profile default get command.
Configure your application pods to authenticate with IBM Cloud services
Give application pods that run in your IBM Cloud® Kubernetes Service cluster access to IBM Cloud services by using trusted profiles in IBM Cloud Identity and Access Management (IAM). As a developer, you can configure your application pods to authenticate with IBM Cloud services in clusters that are linked to an IAM trusted profile set up.
To complete these steps, you do not need to have the administrator access role. However, you must meet the following requirements: Viewer platform access
role; Writer service access role for the cluster in IBM Cloud IAM for Kubernetes Service; the iam-identity.profile.create and iam-identity.profile.linkToResource actions for the IAM identity service.
Before you begin:
- Log in to your account. If applicable, target the appropriate resource group. Set the context for your cluster.
- Make sure that your account administrator created an IAM trusted profile for your cluster.
To configure your application pods to authenticate with IBM Cloud services:
-
Design your pod configuration file to use service account token volume projection.
-
In the
containerssection, mount the identity token in thevolumeMountssection.... volumeMounts: - mountPath: /var/run/secrets/tokens name: sa-token -
In the
volumessection, set up the service account token volume projection.Modify the
expirationSecondsfield to control how long the token is valid for. To retrieve IAM tokens, the service account token expiration must be 1 hour or less.... volumes: - name: sa-token projected: sources: - serviceAccountToken: path: sa-token expirationSeconds: 3600 audience: iam ...
-
-
Design your app to exchange the service account projected token for an IAM token that you can use for subsequent API calls to IBM Cloud services. Review the following example authentication request. Replace
${profile_id}with the ID of the trusted profile that the cluster is linked to. To list available profile IDs, you or the account administrator can use theibmcloud iam tpscommand, theGET 'https://iam.cloud.ibm.com/v1/profiles/?account_id=<account_id>', or you can view the trusted profiles in the IAM console.curl -s -X POST \ -H "Content-Type: application/x-www-form-urlencoded" \ -H "Accept: application/json" \ -d grant_type=urn:ibm:params:oauth:grant-type:cr-token \ -d cr_token=$(cat /var/run/secrets/tokens/sa-token) \ -d profile_id=${profile_id} \ https://iam.cloud.ibm.com/identity/token -
Before your app is deployed, try the following example Kubernetes job to test the token exchange. In the following Kubernetes job, a
curlpod makes an API request to IBM Cloud IAM to verify that the cluster's public key is exchanged for an IAM access token. Your app might call other IBM Cloud services that the trusted profile authorizes.apiVersion: batch/v1 kind: Job metadata: name: token-exchange-job namespace: default spec: template: spec: containers: - name: curl image: curlimages/curl:7.77.0 command: ["/bin/sh"] args: ["-c", "curl -s -H \"Content-Type: application/x-www-form-urlencoded\" -H \"Accept: application/json\" -d grant_type=urn:ibm:params:oauth:grant-type:cr-token -d cr_token=$(cat /var/run/secrets/tokens/sa-token) -d profile_id=<profile_id> https://iam.cloud.ibm.com/identity/token"] volumeMounts: - mountPath: /var/run/secrets/tokens name: sa-token restartPolicy: Never serviceAccountName: default volumes: - name: sa-token projected: sources: - serviceAccountToken: path: sa-token expirationSeconds: 3600 audience: iam -
Deploy the job.
kubectl apply -f exchange-job.yaml -
Review the job details to verify it was successful.
kubectl describe job token-exchange-job -
Review the output for the
job completedandsucceededmessages to verify the job was a success. -
If the job succeeded, check your Activity Tracker global events in Frankfurt to verify the log line with details on the Trusted Profile request. If the job failed, review your configuration and try again.