Contextual Authorization
Introduction
Most cloud providers support context-based authorization, enabling applications to benefit from strong access controls applied to a given context (e.g. a Virtual Machine) without the need to manage authentication tokens and credentials.
For example, by granting a given Virtual Machine (or the principal that such a machine operates under) access to AWS S3, applications running inside that machine can request a token on demand, which grants them access to the AWS S3 buckets without having to store long-lived credentials anywhere.
By leveraging this capability, Flux users can focus on the big picture, which is access control enforcement with a least-privilege approach, whilst not having to deal with security hygiene topics such as encrypting authentication secrets and ensuring they are rotated regularly. All of that is taken care of automatically by the cloud providers, as the tokens provided are context- and time-bound.
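As an added example (not code from the Flux docs), the manifests below contrast an AWS S3 `Bucket` source configured with a static key Secret against the contextual form listed in the table, where the controller authenticates as the identity bound to its ServiceAccount; the two `Bucket` objects are alternatives, not meant to coexist. Assumed: an EKS cluster with IAM Roles for Service Accounts (IRSA), a Flux release serving `Bucket` `v1beta2`, and placeholder names for the bucket, the Secret and the role ARN.

```yaml
# Weak setting: long-lived access keys stored in the cluster. The Secret must
# be encrypted, rotated and distributed; reading it yields a durable key.
apiVersion: v1
kind: Secret
metadata:
  name: s3-static-creds              # placeholder name
  namespace: flux-system
type: Opaque
stringData:
  accesskey: ACCESS-KEY-PLACEHOLDER  # constructed placeholder, not a real key
  secretkey: SECRET-KEY-PLACEHOLDER
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: Bucket
metadata:
  name: app-manifests
  namespace: flux-system
spec:
  interval: 5m
  provider: generic
  bucketName: example-app-manifests  # placeholder bucket
  endpoint: s3.amazonaws.com
  region: us-east-1
  secretRef:
    name: s3-static-creds            # static credential lookup
---
# Contextual authorization: no credential object at all. source-controller
# gets short-lived credentials via the IAM role bound to its ServiceAccount.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: Bucket
metadata:
  name: app-manifests
  namespace: flux-system
spec:
  interval: 5m
  provider: aws                      # use the controller's ambient identity
  bucketName: example-app-manifests
  endpoint: s3.amazonaws.com
  region: us-east-1
  # no secretRef: access is decided by the role attached to the controller
---
# Bind that identity (EKS with IRSA) by annotating the controller's
# ServiceAccount, applied as a kustomize patch in the flux-system Kustomization.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: source-controller
  namespace: flux-system
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
```

The IAM role's trust policy has to name the `flux-system:source-controller` ServiceAccount, and its permissions should be limited to reading that one bucket, which is the least-privilege point the introduction makes.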
Current Support
Below is a list of Flux features that support this functionality and their documentation:
Status | Component | Feature | Provider | Ref |
---|---|---|---|---|
Supported | Source Controller | GitRepository Authentication | Azure | Guide |
Supported | Source Controller | Bucket Authentication | AWS | Guide |
Supported | Source Controller | Bucket Authentication | Azure | Guide |
Supported | Source Controller | Bucket Authentication | GCP | Guide |
Supported | Source Controller | OCIRepository Authentication | AWS | Guide |
Supported | Source Controller | OCIRepository Authentication | Azure | Guide |
Supported | Source Controller | OCIRepository Authentication | GCP | Guide |
Supported | Source Controller | oci HelmRepository Authentication | AWS | Guide |
Supported | Source Controller | oci HelmRepository Authentication | Azure | Guide |
Supported | Source Controller | oci HelmRepository Authentication | GCP | Guide |
Supported | Kustomize Controller | SOPS Integration with KMS | AWS | Guide |
Supported | Kustomize Controller | SOPS Integration with Key Vault | Azure | Guide |
Supported | Kustomize Controller | SOPS Integration with KMS | GCP | Guide |
Supported | Kustomize Controller | Remote EKS Cluster Authentication | AWS | Guide |
Supported | Kustomize Controller | Remote AKS Cluster Authentication | Azure | Guide |
Supported | Kustomize Controller | Remote GKE Cluster Authentication | GCP | Guide |
Supported | Helm Controller | Remote EKS Cluster Authentication | AWS | Guide |
Supported | Helm Controller | Remote AKS Cluster Authentication | Azure | Guide |
Supported | Helm Controller | Remote GKE Cluster Authentication | GCP | Guide |
Supported | Notification Controller | Azure DevOps Commit Status Updates | Azure | Guide |
Supported | Notification Controller | Azure Event Hubs | Azure | Guide |
Supported | Notification Controller | Google Cloud Pub/Sub | GCP | Guide |
Supported | Image Reflector Controller | ImageRepository Authentication | AWS | Guide |
Supported | Image Reflector Controller | ImageRepository Authentication | Azure | Guide |
Supported | Image Reflector Controller | ImageRepository Authentication | GCP | Guide |
Supported | Image Automation Controller | GitRepository Authentication | Azure | Guide |