ceph-csi/examples/kms/vault/aws-sts-credentials.yaml
Rakshith R 4f0bb2315b rbd: add aws-sts-metdata encryption type
With Amazon STS and kubernetes cluster is configured with
OIDC identity provider, credentials to access Amazon KMS
can be fetched using oidc-token(serviceaccount token).
Each tenant/namespace needs to create a secret with aws region,
role and CMK ARN.
Ceph-CSI will assume the given role with oidc token and access
aws KMS, with given CMK to encrypt/decrypt DEK which will stored
in the image metdata.

Refer: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html
Resolves: #2879

Signed-off-by: Rakshith R <rar@redhat.com>
2022-03-16 07:29:56 +00:00

14 lines
487 B
YAML

---
# This is an example Kubernetes Secret that can be created in the Kubernetes
# Namespace where Ceph-CSI is deployed. The contents of this Secret will be
# used to fetch credentials from Amazon STS and use it connect to the
# Amazon KMS.
apiVersion: v1
kind: Secret
metadata:
name: ceph-csi-aws-credentials
stringData:
awsRoleARN: "arn:aws:iam::111122223333:role/aws-sts-kms"
awsCMKARN: "arn:aws:kms:us-west-2:111123:key/1234cd-12ab-34cd-56ef-123590ab"
awsRegion: "us-west-2"