Reference
ClientIntents example (YAML)
apiVersion: k8s.otterize.com/v2beta1
kind: ClientIntents
metadata:
name: server
spec:
workload:
# The name & kind of the workload that will be granted access
name: server
kind: Deployment
targets:
- aws:
# The AWS ARN or ARN wildcard that references the resource(s) for the authorization
arn: arn:aws:s3:::example-bucket-*/*
# one or more AWS Actions or Action wildcards that will be provided to the specified resources
actions:
- "s3:PutObject"
- "s3:GetObject"
# Multiple call definitions can be defined for a single service.
- aws:
arn: arn:aws:s3:::read-only-bucket-*/*
actions:
- "s3:GetObject"
Otterize supports templating AWS resource names by AWS region & account ID.
The templates $(AWS_REGION) & $(AWS_ACCOUNT_ID) in AWS resource ARNs will be automatically replaced with the EKS cluster's region & account ID:
apiVersion: k8s.otterize.com/v2beta1
kind: ClientIntents
metadata:
name: server
spec:
workload:
name: server
kind: Deployment
targets:
- aws:
# $(AWS_REGION) & $(AWS_ACCOUNT_ID) will be replaced with the EKS cluster's region & account ID
arn: arn:aws:sqs:$(AWS_REGION):$(AWS_ACCOUNT_ID):queue1
actions:
- "sqs:*"
Annotations
| Key | Description | Default |
|---|---|---|
credentials-operator.otterize.com/create-aws-role | When set to true, the credential operator will create an unique AWS Role for the associated pod | false |
Helm Chart options
| Key | Description | Default |
|---|---|---|
global.aws.enabled | Enable or disable AWS integration | false |
global.aws.eksClusterNameOverride | EKS cluster name (overrides auto-detection) | (none) |
aws.roleARN | ARN of the AWS role the operator will use to access AWS. By defeault, Otterize will create a unique role for each service an annotate the service with the role's ARN. | (none) |
View the Helm chart reference for all other options