Proposal Idea: ServiceAccount awareness of DataSources #2131

npapapietro · 2025-08-04T20:31:33Z

npapapietro
Aug 4, 2025

Background

Most cloud providers have some sort of "workload identity" that allows a kubernetes ServiceAccount to be trusted to do operations in the cloud account. For example, AWS using IRSA (or pod identity) allows a service account to assume a role and do things in AWS.

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::012345678910:role/grafana-role
  name: grafana-sa

So per kind: Grafana I can have that SA assume one role. If I want my Grafana to be able to read, lets say RDS, in a different account, I can chain cross account role assumptions. This is all good.

---
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDatasource
metadata:
  name: cloudwatch
spec:
  uid: cloudwatch
  instanceSelector:
    matchLabels:
      dashboards: "grafana"
  datasource:
    name: CloudWatchLogs
    type: cloudwatch
    access: proxy
    jsonData:
      authType: default
     # cross account permission to be assumed by arn:aws:iam::012345678910:role/grafana-role
      assumeRoleArn: arn:aws:iam::98765432101:role/rds-grafana 
      defaultRegion: us-east-1

Problem Statement

If I am limited by cross account permissions OR I have cross partition data sources (gov/china/commercial) I cannot implement cross account role assumption and role chaining is broken. I can run role assumption (using OIDC) from one sa to each partition. But I cannot make Grafana aware (I know I can use projected volumes to mount all SA below, but using the tokens is another story)

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::012345678910:role/grafana-role
  name: grafana-sa
---
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws-us-gov:iam::1236513252113:role/grafana-role
  name: grafana-sa-gov
---
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws-cn:iam::098034921309:role/grafana-role
  name: grafana-cn

Possible Solution

The folks at https://fluxcd.io/ have implemented a solution to the above problem by defining a serviceAccount that can be attached to certain custom resources (example). This would likely be the favored implementation.

Something like this:

---
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDatasource
metadata:
  name: cloudwatch
spec:
  uid: cloudwatch
  serviceAccountName:  grafana-sa-gov
  instanceSelector:
    matchLabels:
      dashboards: "grafana"
  datasource:
    name: CloudWatchLogs
    type: cloudwatch
    access: proxy
    jsonData:
      authType: default
     # maybe impicit?
      assumeRoleArn: arn:aws-us-gov:iam::1236513252113:role/grafana-role
      defaultRegion: us-east-1

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Proposal Idea: ServiceAccount awareness of DataSources #2131

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

Proposal Idea: ServiceAccount awareness of DataSources #2131

Uh oh!

Uh oh!

npapapietro Aug 4, 2025

Background

Problem Statement

Possible Solution

Replies: 0 comments

npapapietro
Aug 4, 2025