Is it possible to configure Ceph so that STS AssumeRoleWithWebIdentity
works with a Kubernetes serviceaccount token?
My goal is that a pod running in a Kubernetes cluster can call
AssumeRoleWithWebIdentity specifying an IAM role (previously created in
Ceph) and the Kubernetes OIDC service account token and get back a valid
access key and secret. This would then be used to access objects in
buckets hosted by Ceph object storage. This would allow our code to run
unchanged between the cloud (S3) and on premise (Ceph providing object
storage).
Original AWS document is here -
https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
Minio implementation is here -
https://min.io/docs/minio/kubernetes/upstream/developers/sts-for-operator.html
Kubernetes OIDC endpoints (Service account issuer discovery) discussed
here -
https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
I have set up a Ceph role that specifies an OIDC URL pointing to the
Kubernetes API server and passes the service token. But I still need to
enable STS in Ceph I believe, and have Ceph talk to the Kubernetes OIDC.
Before continuing though I am wondering if this setup is supported?
Thanks,
Charlie
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
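The pieces that have to line up for the flow described in the post (the issuer registered in Ceph as an OIDC provider, the `sub` of the service account, and the `aud` the pod's projected token is minted for) are easiest to see in code. The block below is an added example, not code from the post, from Ceph or from boto3: it builds the trust policy document you would hand to `radosgw-admin role create --assume-role-policy-doc=...`, decodes a service account token locally to check its claims against that policy before the real call, and only then exchanges the token for temporary S3 credentials at the RGW STS endpoint with boto3. The endpoint URL, role ARN, token mount path, issuer host, and the `<issuer-host>:sub` / `<issuer-host>:app_id` condition-key spelling are assumptions to be checked against your RGW version's STS documentation, as is the assumption that AssumeRoleWithWebIdentity can be sent unsigned. The sample token is constructed and carries a dummy signature; RGW verifies signatures against the issuer's JWKS, so only the offline claim check accepts it.

```python
# Added example (not from the post, Ceph or boto3): pod-side helper for
# AssumeRoleWithWebIdentity against Ceph RGW with a Kubernetes SA token.
import base64
import json
import os

RGW_ENDPOINT = "https://rgw.example.internal"           # assumed: RGW with STS enabled
ROLE_ARN = "arn:aws:iam:::role/k8s-bucket-reader"        # assumed: role created in Ceph
TOKEN_PATH = "/var/run/secrets/tokens/ceph-sts-token"   # assumed: projected-token mount
ISSUER_HOST = "kubernetes.default.svc.cluster.local"    # issuer without scheme


def trust_policy(issuer_host: str, subject: str, audience: str) -> str:
    """Assume-role policy for `radosgw-admin role create --assume-role-policy-doc=...`:
    only tokens from this issuer, for this SA subject and audience, may assume the role."""
    doc = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": [f"arn:aws:iam:::oidc-provider/{issuer_host}"]},
            "Action": ["sts:AssumeRoleWithWebIdentity"],
            "Condition": {"StringEquals": {
                f"{issuer_host}:sub": subject,      # assumed condition-key spelling
                f"{issuer_host}:app_id": audience,  # assumed: app_id is matched against 'aud'
            }},
        }],
    }
    return json.dumps(doc, separators=(",", ":"))


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Decode the claims of a compact JWS. No signature check: RGW does that
    against the issuer's JWKS; this is only a local pre-flight."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def token_matches_policy(token: str, policy_json: str) -> list:
    """Reasons the trust policy would reject this token (empty list: claims
    satisfy the provider host and every StringEquals condition)."""
    claims = decode_jwt_payload(token)
    problems = []
    for stmt in json.loads(policy_json)["Statement"]:
        provider_host = stmt["Principal"]["Federated"][0].split("oidc-provider/", 1)[1]
        iss_host = claims.get("iss", "").split("://", 1)[-1]
        if iss_host != provider_host:
            problems.append(f"iss host {iss_host!r} != provider {provider_host!r}")
        for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
            name = key.rsplit(":", 1)[1]
            claim = "aud" if name == "app_id" else name
            actual = claims.get(claim)
            ok = expected in actual if isinstance(actual, list) else actual == expected
            if not ok:
                problems.append(f"{claim}={actual!r} does not satisfy {key}={expected!r}")
    return problems


def make_unsigned_sample_token(claims: dict) -> str:
    """Constructed sample token for offline testing; dummy signature, so RGW
    would reject it. Only the local claim check accepts it."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


def assume_role_and_list(token: str, bucket: str, session_name: str = "pod-session") -> list:
    """Exchange the SA token for temporary credentials at RGW, then list a bucket
    with them. Needs boto3 and network access to RGW; not exercised offline."""
    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config
    # AssumeRoleWithWebIdentity is itself unauthenticated, so the request is sent unsigned.
    sts = boto3.client("sts", endpoint_url=RGW_ENDPOINT, region_name="",
                       config=Config(signature_version=UNSIGNED))
    creds = sts.assume_role_with_web_identity(
        RoleArn=ROLE_ARN, RoleSessionName=session_name,
        WebIdentityToken=token, DurationSeconds=3600)["Credentials"]
    s3 = boto3.client("s3", endpoint_url=RGW_ENDPOINT, region_name="",
                      aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    return [o["Key"] for o in s3.list_objects_v2(Bucket=bucket).get("Contents", [])]


if __name__ == "__main__":
    subject = "system:serviceaccount:apps:reader"
    policy = trust_policy(ISSUER_HOST, subject, "ceph-rgw")
    print("trust policy:", policy)
    if os.path.exists(TOKEN_PATH):
        token = open(TOKEN_PATH).read().strip()
    else:  # no projected token here: fall back to the constructed sample
        token = make_unsigned_sample_token(
            {"iss": f"https://{ISSUER_HOST}", "sub": subject, "aud": ["ceph-rgw"]})
    print("pre-flight problems:", token_matches_policy(token, policy))
```

On the Kubernetes side the token at `TOKEN_PATH` would come from a projected service account token volume whose `audience` equals the value used in the policy; on the Ceph side STS still has to be switched on in RGW (the `rgw_sts_key` and `rgw_s3_auth_use_sts` options) and the issuer registered as an OIDC provider so that RGW can fetch its signing keys. The pre-flight check deliberately reports every mismatch rather than stopping at the first, since a rejected AssumeRoleWithWebIdentity call from RGW gives little detail about which claim failed.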