Managed Identities

Applies to both Digital Enterprise Suite and Digital Distributed Container deployments.

Service-account-based deployment gives the DES or DDC pods a managed identity with which to call cloud provider services. It relies on each cloud provider's own feature; the currently supported ones are AWS IAM Roles for Service Accounts (IRSA), Google Cloud Workload Identity Federation and Azure Workload Identity.

Managed identities let an administrator configure the access rights of the service account outside the deployment; every service (process, decision, case) running in the given DDC then inherits those rights. Because the rights are shared by everything the DDC runs, grant the cloud role only the permissions those services actually need.

At the same time, a managed identity exposes no long-lived credentials: the pod obtains short-lived access tokens internally, so no secret has to be stored in the deployment or handed to the services.

Before a managed identity can be enabled, an administrator needs to configure the execution environment (cluster, cloud identity and the trust between them) according to the cloud provider's official documentation.

Defining a Service Account

Once the environment is configured, create a ServiceAccount Kubernetes object carrying the annotation for your provider:

AWS IAM Roles for Service Accounts (IRSA)

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: <ROLE_ARN>
  name: "<SERVICE_ACCOUNT>"

Replace <ROLE_ARN> with the actual ARN of the IAM role (e.g. "arn:aws:iam::account-id:role/my-role"). The role's trust policy must have been set up for IRSA, as described in the AWS documentation, so that only this service account can assume it.

Google Cloud Workload Identity Federation

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    iam.gke.io/gcp-service-account: <GCP_IAM>
  name: "<SERVICE_ACCOUNT>"

Replace <GCP_IAM> with the actual GCP IAM service account e-mail (e.g. "IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com")

Azure Workload Identity

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    azure.workload.identity/client-id: "<CLIENT_ID>"
  name: "<SERVICE_ACCOUNT>"

Replace <CLIENT_ID> with the actual client ID of the Azure identity (user-assigned managed identity or app registration) that is federated with this Kubernetes service account

When running the helm upgrade or install procedure for either the DES or the DDC, add the serviceAccount variable with the name of the service account you have created:

--set serviceAccount=<SERVICE_ACCOUNT>

For the Azure service account, you will also need an additional variable that puts the label Azure Workload Identity requires on the pod:

--set additionalLabels."azure\.workload\.identity/use"="true"

Activating managed identities

Digital Enterprise Suite

For the Digital Enterprise Suite, open a shell in the DES pod and run the command for your provider:

AWS

des-cli pref set cloud.managed.identity aws

Google Cloud

des-cli pref set cloud.managed.identity gcp

Azure

des-cli pref set cloud.managed.identity azure

The pod must then be restarted for the setting to take effect.

Digital Distributed Containers

For Digital Distributed Containers, run the helm upgrade command again and set the ddc.CLOUD_MANAGED_IDENTITY variable for your provider:

AWS

--set ddc.CLOUD_MANAGED_IDENTITY=aws

Google Cloud

--set ddc.CLOUD_MANAGED_IDENTITY=gcp

Azure

--set ddc.CLOUD_MANAGED_IDENTITY=azure
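The whole procedure on this page, from the ServiceAccount manifest through the DDC helm variables to the DES activation, as an added POSIX shell example that is not Trisotech's tooling or documentation. The annotation keys, helm variables and des-cli command are the ones shown above; the function names, the HELM and KUBECTL overrides, and the release name "ddc" and chart "trisotech/ddc" in the usage comment are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Trisotech's tooling: assembles the ServiceAccount
# manifest, the DDC helm flags and the DES activation from this page for
# one provider, so the per-provider differences sit side by side.
# Assumptions: the function names, the HELM/KUBECTL overrides, and the
# release name "ddc" and chart "trisotech/ddc" used in the usage comment.

HELM="${HELM:-helm}"
KUBECTL="${KUBECTL:-kubectl}"

# Map a provider (aws | gcp | azure) to its ServiceAccount annotation key.
# Anything else is rejected so a typo cannot produce an un-annotated SA.
sa_annotation_key() {
  case "$1" in
    aws)   echo "eks.amazonaws.com/role-arn" ;;
    gcp)   echo "iam.gke.io/gcp-service-account" ;;
    azure) echo "azure.workload.identity/client-id" ;;
    *)     echo "unsupported provider: $1" >&2; return 1 ;;
  esac
}

# Print the ServiceAccount manifest.
#   $1 provider, $2 service account name,
#   $3 provider identity (role ARN, GCP IAM SA e-mail or Azure client ID)
sa_manifest() {
  key=$(sa_annotation_key "$1") || return 1
  printf 'apiVersion: v1\nkind: ServiceAccount\nmetadata:\n  annotations:\n    %s: "%s"\n  name: "%s"\n' \
    "$key" "$3" "$2"
}

# Run the DDC helm upgrade/install with the variables from this page.
#   $1 provider, $2 service account name, $3 helm release, $4 chart
ddc_upgrade() {
  provider=$1; sa=$2; release=$3; chart=$4
  sa_annotation_key "$provider" >/dev/null || return 1
  set -- --set "serviceAccount=$sa" --set "ddc.CLOUD_MANAGED_IDENTITY=$provider"
  # Azure Workload Identity also needs the use=true label on the pod. Helm
  # must receive the backslash-escaped dots, so the value is single-quoted.
  if [ "$provider" = azure ]; then
    set -- "$@" --set 'additionalLabels.azure\.workload\.identity/use=true'
  fi
  "$HELM" upgrade --install "$release" "$chart" "$@"
}

# Activate managed identity on a DES pod, then restart it by deleting the
# pod (its controller recreates it).  $1 provider, $2 DES pod name
des_activate() {
  sa_annotation_key "$1" >/dev/null || return 1
  "$KUBECTL" exec "$2" -- des-cli pref set cloud.managed.identity "$1" &&
    "$KUBECTL" delete pod "$2"
}

# Usage (with real cluster access):
#   sa_manifest azure ddc-sa 11111111-2222-3333-4444-555555555555 | kubectl apply -f -
#   ddc_upgrade azure ddc-sa ddc trisotech/ddc
```

The Azure value is the one place where quoting matters: the page's `additionalLabels."azure\.workload\.identity/use"="true"` relies on the interactive shell stripping the double quotes, and what helm must see is the single-quoted string in the script, with the backslashes intact so that the dots are not read as key separators.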