How to enable and configure your cluster to use trusted profiles.

Authenticating to IBM Cloud resources

Developing effective solutions using IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud can require the use of other IBM Cloud resources. For example, an application may generate a result that needs to be stored in IBM Cloud Object Storage (COS) for future analysis. To store data in COS, proper IBM Cloud Identity and Access Management (IAM) authentication is required. 

This is typically accomplished by creating an API key that is stored in the cluster as a secret. There are a couple of drawbacks to this approach. First, the key is stored on the cluster and can be viewed by anyone with enough authority on the cluster. Second, the key must be managed according to security policies, which often require it to be rotated periodically.

Using trusted profiles

An alternative approach is to use trusted profiles, which provide a flexible, secure way to authorize compute resources (such as pods running in your cluster) to other IBM Cloud resources. Once the profile is created, an application can use a service account token projected into the pod to authenticate to IAM. The token is generated on supported clusters through the Kubernetes service account token volume projection feature.

The generated tokens can only be used on compute resources that match the trusted profile. Therefore, even if the token is leaked, it cannot be used on other compute resources. Also, the token is refreshed hourly, so unlike an API key in a secret, it does not need to be rotated.

Step-by-step instructions for writing to Cloud Object Storage from a Kubernetes cluster

Prerequisites

  • IBM Cloud Kubernetes Service 1.21 or later cluster or Red Hat OpenShift on IBM Cloud 4.7 or later cluster
  • IBM Cloud Object Storage instance and an existing bucket

Minimum required permissions

  • Viewer platform access role and the Writer service access role for the cluster in IBM Cloud IAM for Kubernetes Service
  • The iam-identity.profile.create and iam-identity.profile.linkToResource actions for the IAM identity service

Step 1: Create the trusted profile

The profile provides the link between compute resources and the access policies:

  1. Go to Manage > Access (IAM) in the IBM Cloud console and select Trusted profiles.
  2. Click Create +.
  3. Name the profile “Kubernetes COS Profile”.
  4. Click Create.
  5. Select Details and note the Profile ID for later.

Step 2: Add a trust relationship to the trusted profile

The trust relationship identifies which actors have access to the defined policies:

  1. From the Trust relationship tab, select Add + under Compute resources.
  2. For compute service, select the service for your cluster: Kubernetes (for IBM Cloud Kubernetes Service) or Red Hat OpenShift on IBM Cloud.
  3. For compute resource, select Specific resources.
  4. Click Add a resource +.
  5. For allow access to, select your cluster.
  6. For Namespace and Service account, enter “default”.
  7. Click Save.

Step 3: Add access policies to the trusted profile

The access policies define which IBM Cloud resources can be accessed and how they can be used:

  1. From the Access policies tab, click Assign access +.
  2. Select IAM services.
  3. Select Cloud Object Storage from the list of services.
  4. Scope the access to the option Resources based on selected attributes.
  5. Select Service Instance and select your Cloud Object Storage instance.
  6. For Service access, select Object Writer.
  7. Click Add +.
  8. Click Assign.

Step 4: Create a pod configuration file

  1. In the volumes section, set up the service account volume:
      volumes:
      - name: service-account-volume
        projected:
          sources:
          - serviceAccountToken:
              path: service-account-token
  2. In the containers section, mount the volume:
          volumeMounts:
          - mountPath: /var/run/secrets/tokens
            name: service-account-volume
  3. In the env section, set the trusted profile id:
          env:
          - name: TRUSTED_PROFILE_ID
            value: "Profile-5790481a-8fc5-46a4-bae3-d0e64ff6e0ad"
  4. In the env section, set the COS variables:
          - name: COS_ENDPOINT
            value: "https://s3.us-south.cloud-object-storage.appdomain.cloud"
          - name: COS_BUCKET
            value: "rkc-prod-cos-bucket-1"
          - name: COS_OBJECT
            value: "trusted-profile-object.txt"

This should result in your definition file looking similar to the following:

kind: Pod
apiVersion: v1
metadata:
  name: trusted-profile-pod
spec:
  containers:
    - name: trusted-profile
      image: ubuntu
      command: ["/bin/bash", "-ec", "apt -qy update && apt -qy upgrade && apt -qy install curl jq; while :; do echo '.'; sleep 5 ; done"]
      volumeMounts:
      - mountPath: /var/run/secrets/tokens
        name: service-account-volume
      env:
      - name: TRUSTED_PROFILE_ID
        value: "Profile-5790481a-8fc5-46a4-bae3-d0e64ff6e0ad"
      - name: COS_ENDPOINT
        value: "https://s3.us-south.cloud-object-storage.appdomain.cloud"
      - name: COS_BUCKET
        value: "rkc-prod-cos-bucket-1"
      - name: COS_OBJECT
        value: "trusted-profile-object.txt"
  serviceAccountName: default
  volumes:
  - name: service-account-volume
    projected:
      sources:
      - serviceAccountToken:
          path: service-account-token
  restartPolicy: Never

Note that the pod’s namespace and service account must match the values specified in the trust relationship of the trusted profile. In our example, we are using the value “default” for both.

In this pod definition example, we are using a base Ubuntu image and installing jq and curl to help run the commands in the following steps.

Step 5: Deploy your application

  1. Deploy your app to your cluster:
    $ kubectl apply -f trusted-profile-pod.yaml
  2. Verify the pod is healthy and in a running state:
    $ kubectl get pods
    NAME                  READY   STATUS    RESTARTS   AGE
    trusted-profile-pod   1/1     Running   0          20m

Step 6: Store an object to COS using the service account token

  1. Exec into the pod:
    $ kubectl exec -it trusted-profile-pod -- bash
  2. View the service account token at /var/run/secrets/tokens/service-account-token:
    $ cat /var/run/secrets/tokens/service-account-token
  3. Capture the service account token in a variable:
    $ CRTOKEN=$(cat /var/run/secrets/tokens/service-account-token)
  4. Exchange the service account token for a bearer token:
    $ curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -d grant_type=urn:ibm:params:oauth:grant-type:cr-token -d cr_token=$CRTOKEN -d profile_id=$TRUSTED_PROFILE_ID "https://iam.cloud.ibm.com/identity/token"
  5. Capture the bearer token in a variable:
    $ TOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -d grant_type=urn:ibm:params:oauth:grant-type:cr-token -d cr_token=$CRTOKEN -d profile_id=$TRUSTED_PROFILE_ID "https://iam.cloud.ibm.com/identity/token" | jq .access_token -r)
  6. Call the COS endpoint to store an object:
    $ curl -X "PUT" $COS_ENDPOINT/$COS_BUCKET/$COS_OBJECT -H "Authorization: bearer $TOKEN" -H "Content-Type: text/plain" -d "hello world"
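
The same flow as Step 6, written as an added example (not code from the article) in the form an application running in the pod would use: it first checks the projected token's claims against the namespace and service account named in the trust relationship (IAM's rejection of a mismatched token is the real enforcement; this is only a local sanity check), then exchanges it with the cr-token grant and PUTs the object. All function names are assumptions, and unsigned_jwt only builds a constructed sample token for offline testing.

```python
import base64, json, time
import urllib.parse, urllib.request

IAM_TOKEN_URL = "https://iam.cloud.ibm.com/identity/token"
TOKEN_PATH = "/var/run/secrets/tokens/service-account-token"  # path projected in the pod spec

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature: IAM verifies it on
    exchange; this is only a local check that the expected token was projected."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_matches_trust(token: str, namespace: str, service_account: str, now=None) -> bool:
    """True if the token is unexpired and bound to the namespace/service account
    named in the trusted profile's trust relationship (Step 2)."""
    claims = jwt_claims(token)
    k8s = claims.get("kubernetes.io", {})
    now = time.time() if now is None else now
    return (k8s.get("namespace") == namespace
            and k8s.get("serviceaccount", {}).get("name") == service_account
            and claims.get("exp", 0) > now)

def exchange_body(cr_token: str, profile_id: str) -> bytes:
    """Form body of the cr-token grant, the same parameters as the curl call in Step 6."""
    return urllib.parse.urlencode({"grant_type": "urn:ibm:params:oauth:grant-type:cr-token",
                                   "cr_token": cr_token, "profile_id": profile_id}).encode()

def iam_bearer_token(cr_token: str, profile_id: str) -> str:
    """Exchange the projected token for a short-lived IAM access token."""
    req = urllib.request.Request(IAM_TOKEN_URL, data=exchange_body(cr_token, profile_id),
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]

def put_object(bearer: str, endpoint: str, bucket: str, key: str, data: bytes) -> int:
    """PUT data to COS using the bearer token; returns the HTTP status code."""
    req = urllib.request.Request(f"{endpoint}/{bucket}/{key}", data=data, method="PUT",
        headers={"Authorization": f"Bearer {bearer}", "Content-Type": "text/plain"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status

def unsigned_jwt(claims: dict) -> str:
    """Constructed, UNSIGNED token for offline tests only; real projected tokens are
    signed by the cluster and IAM rejects anything that is not."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."
```

Inside the pod from Step 4, read TOKEN_PATH, call token_matches_trust(token, "default", "default"), then iam_bearer_token with TRUSTED_PROFILE_ID and put_object with the COS_* environment variables.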

Step 7: Verify the data is stored in COS

If all the commands from the previous step completed successfully, go into your Cloud Object Storage instance and verify that the object exists and contains the text “hello world.”

More information

You’ve now successfully enabled and configured your cluster to use trusted profiles with IBM Cloud Object Storage. You can find additional information about this topic in the following IBM Cloud documentation:
