Updated on 2024-11-01 GMT+08:00

Using Workload Identities to Securely Access Cloud Services

Application Scenarios

With workload identities, workloads in a cluster can access cloud services in the same way as IAM users, but without using an AK/SK, which reduces security risks.

This section describes how to use workload identities in UCS.

Solution Process

Figure 1 shows the process of using workload identities.

  1. Assign authorization in advance.

    1. Obtain the JSON Web Key Set (JWKS) issued by the private key of an on-premises cluster from UCS. The JWKS is used to verify the token issued by this cluster for a ServiceAccount.
    2. Create an identity provider (IdP) for the on-premises cluster in IAM.
    3. Add the public key of this cluster for the IdP. When a workload uses a token to send requests, IAM will use this public key to verify the token.
    4. Add a rule to map the ServiceAccount to the IAM account. After the configuration, the ServiceAccount has the permissions of the IAM account.

  2. Configure the token.

    1. Deploy a workload and configure a ServiceAccount.
    2. Mount the token of the ServiceAccount to the workload.

  3. Verify the token.

    1. Call the IAM API to obtain the IAM token.
    2. Use the IAM token to access cloud services.

Figure 1 Process of using workload identities

Obtaining the JWKS of an On-Premises Cluster

  1. Use kubectl to access the on-premises cluster.
  2. Run the following command to obtain the public key:

    kubectl get --raw /openid/v1/jwks

    A JSON string is returned. It contains the public key of the on-premises cluster, which is registered with the IdP so that IAM can verify the tokens this cluster issues.

    {
        "keys": [
            {
                "kty": "RSA",
                "e": "AQAB",
                "use": "sig",
                "kid": "Ew29q....",
                "alg": "RS256",
                "n": "peJdm...."
            }
        ]
    }

Creating an IdP

  1. Log in to the IAM console, create an IdP, and select OpenID Connect for Protocol.

    Figure 2 Creating an IdP

  2. Click OK. Then, modify the IdP information as described in Table 1. If you need an identity conversion rule, click Create Rule.

    Figure 3 Modifying IdP information
    Figure 4 Creating an identity conversion rule
    Table 1 IdP parameters

    Access Type: Select Programmatic access.

    Configuration Information:
    • Identity Provider URL: Enter https://kubernetes.default.svc.cluster.local.
    • Client ID: Enter ucs-cluster-identity.
    • Signing Key: Enter the JWKS of the on-premises cluster obtained in Obtaining the JWKS of an On-Premises Cluster.

    Identity Conversion Rules: An identity conversion rule maps the ServiceAccount of a workload to an IAM user group.
    For example, create a ServiceAccount named xxx in namespace default of the cluster and map it to user group demo. If you use the IdP ID to access cloud services, you have the permissions of the demo user group.
    Value format: system:serviceaccount:Namespace:ServiceAccountName.

  3. Click OK.

Obtaining an IAM Token

  1. Create a ServiceAccount whose name is the ServiceAccountName set in the identity conversion rule in step 2 of Creating an IdP.

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: test-sa-name    # Must match the ServiceAccountName in the identity conversion rule. Kubernetes names allow lowercase letters, digits, '-' and '.', but not '_'.

  2. Add the ServiceAccount and volume configurations to the workload.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: nginx
          version: v1
      template:
        metadata:
          labels:
            app: nginx
            version: v1
        spec:
          containers:
          - name: container-1
            image: nginx:latest
            volumeMounts:
            - mountPath: "/var/run/secrets/tokens"   # The ServiceAccount token generated by Kubernetes is mounted at /var/run/secrets/tokens/token_path.
              name: token-volume
          imagePullSecrets:
          - name: default-secret
          serviceAccountName: test-sa-name    # Name of the ServiceAccount created in the previous step
          volumes:
          - name: token-volume
            projected:
              defaultMode: 420
              sources:
              - serviceAccountToken:
                  audience: ucs-cluster-identity   # Must be the client ID of the IdP.
                  expirationSeconds: 7200          # Token validity period in seconds; kubelet refreshes the mounted token before it expires.
                  path: token_path                 # File name under the mount path, which can be customized

  3. After the creation, log in to the container to obtain the token.

  4. Construct the request body. For details about how to obtain the project ID, see Obtaining a Project ID.

    {
        "auth": {
            "id_token": {
                "id": "eyJhbGciOiJSUzIXXXXX"   // Token obtained in the previous step
            },
            "scope": {
                "project": {
                    "id": "05495693df80d3c92fa1c01795c2be02",   // Project ID
                    "name": "cn-north-7"
                }
            }
        }
    }

  5. Call the IAM API to obtain the IAM token. For details about the IAM endpoint, see Regions and Endpoints.

    curl -i --location --request POST 'https://{{iam endpoint}}/v3.0/OS-AUTH/id-token/tokens' \
      --header 'X-Idp-Id: {{workload_identity}}' \
      --header 'Content-Type: application/json' \
      --data @token_body.json

    • Replace {{workload_identity}} with the name of the IdP created in Creating an IdP. In this example, the name is ucs-cluster-identity.
    • token_body.json is the file containing the request body constructed in the previous step.

  6. Obtain the IAM token from the response. The value of the X-Subject-Token response header is the IAM token.
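The following added example (not part of this page or of UCS/IAM) replays, offline, the checks IAM performs on a projected ServiceAccount token before the identity conversion rule maps it to a user group: the token's kid must appear in the JWKS registered as Signing Key, iss must equal the Identity Provider URL, aud must contain the Client ID, the token must not have expired, and sub must be in system:serviceaccount:Namespace:ServiceAccountName form. The JWKS values, the token and the rule table are constructed placeholders; the RS256 signature itself is only verified by IAM with the real cluster key.

```python
import base64
import json
import re
import time

# Constructed sample JWKS shaped like `kubectl get --raw /openid/v1/jwks` output (placeholder values).
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "e": "AQAB", "use": "sig",
                         "kid": "Ew29q-placeholder", "alg": "RS256", "n": "peJdm-placeholder"}]}
IDP_URL = "https://kubernetes.default.svc.cluster.local"  # Identity Provider URL (Table 1)
CLIENT_ID = "ucs-cluster-identity"                         # Client ID (Table 1) and token audience
SUB_RE = re.compile(r"^system:serviceaccount:([^:]+):([^:]+)$")  # identity conversion rule format


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_jwt(token):
    """Split a projected ServiceAccount token into its header and claims (no signature check)."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def check_workload_token(token, jwks, rules, now=None):
    """Replay the checks IAM applies before mapping the token to a user group; rules maps
    "system:serviceaccount:Namespace:ServiceAccountName" to a group. The RS256 signature is
    verified by IAM with the JWKS key; here only the kid is matched. Raises ValueError on failure."""
    now = time.time() if now is None else now
    header, claims = decode_jwt(token)
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    if header.get("kid") not in {k["kid"] for k in jwks["keys"]}:
        raise ValueError("kid not found in the JWKS registered as Signing Key")
    if claims.get("iss") != IDP_URL:
        raise ValueError("iss does not match the Identity Provider URL")
    aud = claims.get("aud", [])
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("aud does not contain the IdP Client ID")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired (expirationSeconds elapsed)")
    match = SUB_RE.match(claims.get("sub", ""))
    if not match:
        raise ValueError("sub is not in system:serviceaccount:Namespace:ServiceAccountName form")
    group = rules.get(match.group(0))
    if group is None:
        raise ValueError("no identity conversion rule for %s" % match.group(0))
    return group


def make_sample_token(claims, kid):
    """Constructed, unsigned token for offline testing; the signature segment is a placeholder."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": kid}), enc(claims), "placeholder-signature"])
```

To inspect a real mounted token, pass the contents of /var/run/secrets/tokens/token_path to decode_jwt and compare the claims with the IdP settings in Table 1.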

Using an IAM Token to Access Cloud Services

This section uses LTS as an example.

  1. Before using an IAM token to access LTS, configure permissions for the user group mapped by the identity conversion rule.
  2. To call LTS APIs, add the LTS FullAccess permission to that user group.

  3. Run the following command to call the service API:

    curl --location --request GET 'https://ltsperform.cn-north-7.myhuaweicloud.com/v2/{{Project ID}}/groups/{{Log group ID}}/streams' \
      --header 'Content-Type: application/json;charset=utf-8' \
      --header 'X-Auth-Token: {{IAM token obtained in the previous step}}' \
      --data-raw ''

    The value of {{Log group ID}} can be obtained in LTS.

    The following figure shows the expected result.