March 2, 2022 By Ryan Cradick 4 min read

How to enable and configure your cluster to use trusted profiles.

Authenticating to IBM Cloud resources

Developing effective solutions using IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud can require the use of other IBM Cloud resources. For example, an application may generate a result that needs to be stored in IBM Cloud Object Storage (COS) for future analysis. To store data in COS, proper IBM Cloud Identity and Access Management (IAM) authentication is required. 

This is typically accomplished by creating an API key that is stored in the cluster as a secret. There are a couple of drawbacks to this approach. First, the key is stored on the cluster and can be viewed by anyone with enough authority to the cluster. Second, the key must be managed according to security policies, which often must be rotated periodically.

Using trusted profiles

An alternative approach is to use trusted profiles, which provide a flexible, secure way to authorize compute resources (such as pods running in your cluster) to other IBM Cloud resources. Once the profile is created, an application can utilize a service account token projected into the pod to authenticate to IAM. The token is generated on supported clusters through the Kubernetes service account token volume projection feature.

The generated tokens can only be used on compute resources that match the trusted profile. Therefore, even if the token is leaked, it cannot be used on other compute resources. Also, the token is refreshed hourly, so unlike an API key in a secret, it does not need to be rotated.

Step-by-step instructions for writing to Cloud Object Storage from a Kubernetes cluster

Prerequisites

  • IBM Cloud Kubernetes Service 1.21 or later cluster or Red Hat OpenShift on IBM Cloud 4.7 or later cluster
  • IBM Cloud Cloud Object Storage Instance and existing bucket

Minimum required permissions

  • Viewer platform access role and the Writer service access role for the cluster in IBM Cloud IAM for Kubernetes Service
  • The iam-identity.profile.create and iam-identity.profile.linkToResource actions for the IAM identity service

Step 1: Create the trusted profile

The profile provides the link between compute resources and the access policies:

  1. Go to Manage > Access (IAM) in the IBM Cloud console and select Trusted profiles.
  2. Click Create +.
  3. Name the profile “Kubernetes COS Profile”.
  4. Click Create.
  5. Select Details and note the Profile ID for later.

Step 2: Add a trust relationship to the trusted profile

The trust relationship identifies which actors have access to the defined policies:

  1. From the Trust relationship tab, select Add + under Compute resources.
  2. For compute service, select the service for your cluster: Kubernetes (for IBM Cloud Kubernetes Service) or Red Hat OpenShift on IBM Cloud.
  3. For compute resource, select Specific resources.
  4. Click Add a resource +.
  5. For allow access to, select your cluster.
  6. For Namespace and Service account, enter “default”.
  7. Click Save.

Step 3: Add access policies to the trusted profile

The access policies define which IBM Cloud resources can be accessed and how they can be used:

  1. From the Access policies tab, click Assign access +.
  2. Select IAM services.
  3. Select Cloud Object Storage from the list of services.
  4. Scope the access to the option Resources based on selected attributes.
  5. Select Service Instance and select your Cloud Object Storage instance.
  6. For Service access, select Object Writer.
  7. Click Add +.
  8. Click Assign.

Step 4: Create a pod configuration file

  1. In the volumes section, set up the service account volume:
      volumes:
      - name: service-account-volume
        projected:
          sources:
          - serviceAccountToken:
              path: service-account-token
  2. In the containers section, mount the volume:
          volumeMounts:
          - mountPath: /var/run/secrets/tokens
            name: service-account-volume
  3. In the env section, set the trusted profile id:
          env:
          - name: TRUSTED_PROFILE_ID
            value: "Profile-5790481a-8fc5-46a4-bae3-d0e64ff6e0ad"
  4. In the env section, set the COS variables:
          - name: COS_ENDPOINT
            value: "https://s3.us-south.cloud-object-storage.appdomain.cloud"
          - name: COS_BUCKET
            value: "rkc-prod-cos-bucket-1"
          - name: COS_OBJECT
            value: "trusted-profile-object.txt"

This should result in your definition file looking similar to the following:

kind: Pod
apiVersion: v1
metadata:
  name: trusted-profile-pod
spec:
  containers:
    - name: trusted-profile
      image: ubuntu
      command: ["/bin/bash", "-ec", "apt -qy update && apt -qy upgrade && apt -qy install curl jq; while :; do echo '.'; sleep 5 ; done"]
      volumeMounts:
      - mountPath: /var/run/secrets/tokens
        name: service-account-volume
      env:
      - name: TRUSTED_PROFILE_ID
        value: "Profile-5790481a-8fc5-46a4-bae3-d0e64ff6e0ad"
      - name: COS_ENDPOINT
        value: "https://s3.us-south.cloud-object-storage.appdomain.cloud"
      - name: COS_BUCKET
        value: "rkc-prod-cos-bucket-1"
      - name: COS_OBJECT
        value: "trusted-profile-object.txt"
  serviceAccountName: default
  volumes:
  - name: service-account-volume
    projected:
      sources:
      - serviceAccountToken:
          path: service-account-token
  restartPolicy: Never

Note that the pod’s namespace and service account must match the values specified in the trust relationship of the trusted profile. In our example, we are using the value, “default,” for both.

In this pod definition example, we are using a base Ubuntu image and installing the jq and curl to help run the commands in the following steps.

Step 5: Deploy your application

  1. Deploy your app to your cluster:
    $ kubectl apply -f trusted-profile-pod.yaml
  2. Verify the pod is healthy and in a running state:
    $ kubectl get pods
    NAME                  READY   STATUS    RESTARTS   AGE
    trusted-profile-pod   1/1     Running   0          20m

Step 6: Store an object to COS using the service account token

  1. Exec into the pod:
    $ kubectl exec -it trusted-profile-pod -- bash
  2. View the service account token: /var/run/secrets/tokens/service-account-token:
    $ cat /var/run/secrets/tokens/service-account-token
  3. Capture the service account token in a variable:
    $ CRTOKEN=$(cat /var/run/secrets/tokens/service-account-token)
  4. Exchange the service account token for a bearer token:
    $ curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -d grant_type=urn:ibm:params:oauth:grant-type:cr-token -d cr_token=$CRTOKEN -d profile_id=$TRUSTED_PROFILE_ID "https://iam.cloud.ibm.com/identity/token"
  5. Capture the bearer token in a variable:
    $ TOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -d grant_type=urn:ibm:params:oauth:grant-type:cr-token -d cr_token=$CRTOKEN -d profile_id=$TRUSTED_PROFILE_ID "https://iam.cloud.ibm.com/identity/token" | jq .access_token -r)
  6. Call the COS endpoint to store an object:
    $ curl -X "PUT" $COS_ENDPOINT/$COS_BUCKET/$COS_OBJECT -H "Authorization: bearer $TOKEN" -H "Content-Type: text/plain" -d "hello world"

Step 7: Verify the data is stored in COS

If all the commands from the previous step completed successfully, go into your Cloud Object Storage instance and verify that the object exists and contains the txt “hello world.” 

More information

You’ve now successfully enabled and configured your cluster to use trusted profiles with IBM Cloud Object Storage. You can find additional information about this topic in the following IBM Cloud documentation:

Was this article helpful?
YesNo

More from Cloud

Attention new clients: exciting financial incentives for VMware Cloud Foundation on IBM Cloud

4 min read - New client specials: Get up to 50% off when you commit to a 1- or 3-year term contract on new VCF-as-a-Service offerings, plus an additional value of up to USD 200K in credits through 30 June 2025 when you migrate your VMware workloads to IBM Cloud®.1 Low starting prices: On-demand VCF-as-a-Service deployments begin under USD 200 per month.2 The IBM Cloud benefit: See the potential for a 201%3 return on investment (ROI) over 3 years with reduced downtime, cost and…

24 IBM offerings winning TrustRadius 2024 Top Rated Awards

2 min read - TrustRadius is a buyer intelligence platform for business technology. Comprehensive product information, in-depth customer insights and peer conversations enable buyers to make confident decisions. “Earning a Top Rated Award means the vendor has excellent customer satisfaction and proven credibility. It’s based entirely on reviews and customer sentiment,” said Becky Susko, TrustRadius, Marketing Program Manager of Awards. Top Rated Awards have to be earned: Gain 10+ new reviews in the past 12 months Earn a trScore of 7.5 or higher from…

IBM Tech Now: April 8, 2024

< 1 min read - ​Welcome IBM Tech Now, our video web series featuring the latest and greatest news and announcements in the world of technology. Make sure you subscribe to our YouTube channel to be notified every time a new IBM Tech Now video is published. IBM Tech Now: Episode 96 On this episode, we're covering the following topics: IBM Cloud Logs A collaboration with IBM watsonx.ai and Anaconda IBM offerings in the G2 Spring Reports Stay plugged in You can check out the…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters