Contextual Authorization

Contextual Authorization for securing Flux deployments.

Introduction

Most cloud providers support context-based authorization, which lets applications benefit from strong access controls tied to the context they run in (e.g. a Virtual Machine) without having to manage authentication tokens and credentials themselves.

For example, by granting a given Virtual Machine (or the principal that the machine operates under) access to AWS S3, applications running inside that machine can request a token on demand that grants them access to the S3 buckets, without storing long-lived credentials anywhere.

By leveraging this capability, Flux users can focus on the big picture, enforcing access controls with a least-privilege approach, instead of dealing with security hygiene topics such as encrypting authentication secrets and ensuring they are rotated regularly. All of that is taken care of by the cloud provider, as the tokens it issues are bound to the context and to a short lifetime. The trade-off is that the identity binding itself becomes the trust anchor: the role granted to the context should be scoped to exactly the resources Flux needs, since any workload that shares that context can obtain the same token.
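To make the difference concrete, here is an added example (not taken from the Flux documentation or the Flux project) that contrasts a source-controller Bucket backed by long-lived static keys with the same Bucket using contextual authorization on AWS. The bucket name, region, IAM role ARN and account ID are placeholders; the IAM policy attached to the role is assumed to exist and to allow only read access to that one bucket.

```yaml
# Added example, not part of the Flux docs. All names, ARNs and keys are placeholders.

# BEFORE: long-lived AWS keys kept in a Kubernetes Secret. This Secret has to be
# encrypted at rest, rotated by hand, and it is valid from anywhere it leaks to.
---
apiVersion: v1
kind: Secret
metadata:
  name: s3-static-credentials
  namespace: flux-system
type: Opaque
stringData:
  accesskey: AKIAEXAMPLEACCESSKEY      # placeholder, never commit real keys
  secretkey: EXAMPLESECRETKEYVALUE     # placeholder
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: Bucket
metadata:
  name: app-manifests
  namespace: flux-system
spec:
  interval: 5m
  provider: generic
  bucketName: example-flux-manifests   # placeholder bucket
  endpoint: s3.amazonaws.com
  region: us-east-1
  secretRef:
    name: s3-static-credentials

# AFTER: contextual authorization. There is no secretRef; with provider: aws the
# controller picks up short-lived credentials from the identity of the pod/node
# it runs on. On EKS that identity is bound by annotating the controller's
# ServiceAccount with an IAM role (IRSA). The annotation is applied as a patch in
# the flux-system kustomization.yaml so the Flux-managed ServiceAccount is not
# replaced wholesale.
---
# Fragment of flux-system/kustomization.yaml (placeholder role ARN and account ID)
patches:
  - patch: |
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: source-controller
        namespace: flux-system
        annotations:
          eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/flux-source-reader
    target:
      kind: ServiceAccount
      name: source-controller
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: Bucket
metadata:
  name: app-manifests
  namespace: flux-system
spec:
  interval: 5m
  provider: aws
  bucketName: example-flux-manifests   # placeholder bucket
  endpoint: s3.amazonaws.com
  region: us-east-1
```

In the second form nothing secret is stored in the cluster or in Git: the token is minted on demand for the source-controller pod and expires on its own. The least-privilege work moves to the IAM side, where the role should be restricted to the object read and list actions on that single bucket. A quick check after applying the change is to confirm the Bucket object reports a Ready condition of True with `kubectl get bucket -n flux-system`; an AccessDenied in its status usually means the role trust policy or the bucket policy, not Flux, is misconfigured.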

Current Support

Below is a list of Flux features that support this functionality and their documentation:

Status      Component                    Feature                                Provider   Ref
Supported   Source Controller            GitRepository Authentication           Azure      Guide
Supported   Source Controller            Bucket Authentication                  AWS        Guide
Supported   Source Controller            Bucket Authentication                  Azure      Guide
Supported   Source Controller            Bucket Authentication                  GCP        Guide
Supported   Source Controller            OCIRepository Authentication           AWS        Guide
Supported   Source Controller            OCIRepository Authentication           Azure      Guide
Supported   Source Controller            OCIRepository Authentication           GCP        Guide
Supported   Source Controller            oci HelmRepository Authentication      AWS        Guide
Supported   Source Controller            oci HelmRepository Authentication      Azure      Guide
Supported   Source Controller            oci HelmRepository Authentication      GCP        Guide
Supported   Kustomize Controller         SOPS Integration with KMS              AWS        Guide
Supported   Kustomize Controller         SOPS Integration with Key Vault        Azure      Guide
Supported   Kustomize Controller         SOPS Integration with KMS              GCP        Guide
Supported   Kustomize Controller         Remote EKS Cluster Authentication      AWS        Guide
Supported   Kustomize Controller         Remote AKS Cluster Authentication      Azure      Guide
Supported   Kustomize Controller         Remote GKE Cluster Authentication      GCP        Guide
Supported   Helm Controller              Remote EKS Cluster Authentication      AWS        Guide
Supported   Helm Controller              Remote AKS Cluster Authentication      Azure      Guide
Supported   Helm Controller              Remote GKE Cluster Authentication      GCP        Guide
Supported   Notification Controller      Azure DevOps Commit Status Updates     Azure      Guide
Supported   Notification Controller      Azure Event Hubs                       Azure      Guide
Supported   Notification Controller      Google Cloud Pub/Sub                   GCP        Guide
Supported   Image Reflector Controller   ImageRepository Authentication         AWS        Guide
Supported   Image Reflector Controller   ImageRepository Authentication         Azure      Guide
Supported   Image Reflector Controller   ImageRepository Authentication         GCP        Guide
Supported   Image Automation Controller  GitRepository Authentication           Azure      Guide