@@ -0,0 +1,40 @@
+++
title = "AWS Systems Manager Parameter Store"
+++

You can integrate AWS Systems Manager Parameter Store parameters into your trigger by configuring the `awsParameterStore` key in your KEDA scaling specification.

The `podIdentity` section configures the usage of AWS pod identity with the provider set to AWS.

The `credentials` section specifies AWS credentials, including the `accessKey` and `secretAccessKey`.

- **accessKey:** Configuration for the AWS access key.
- **secretAccessKey:** Configuration for the AWS secret access key.

The `region` parameter is optional and represents the AWS region where the parameter resides, defaulting to the default region if not specified.

The `parameters` list within `awsParameterStore` defines the mapping between the AWS Parameter Store parameter and the authentication parameter used in your application, including the parameter name, AWS Parameter Store parameter name, and an optional `withDecryption` flag to decrypt SecureString parameters.

### Configuration

```yaml
awsParameterStore:
podIdentity: # Optional.
provider: aws # Required.
credentials: # Optional.
accessKey: # Required.
valueFrom: # Required.
secretKeyRef: # Required.
name: {k8s-secret-with-aws-credentials} # Required.
key: {key-in-k8s-secret} # Required.
accessSecretKey: # Required.
valueFrom: # Required.
secretKeyRef: # Required.
name: {k8s-secret-with-aws-credentials} # Required.
key: {key-in-k8s-secret} # Required.
region: {aws-region} # Optional.
parameters: # Required.
- parameter: {param-name-used-for-auth} # Required.
name: {aws-parameter-name} # Required.
withDecryption: true # Optional. Default: true
```
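Review bot: The `credentials` paragraph and its second bullet name the field `secretAccessKey`, but the YAML under Configuration uses `accessSecretKey`. A reader who takes the name from the prose ends up with a key that does not match the example, so make the prose and the YAML agree on whichever name is correct. The `region` sentence ("defaulting to the default region if not specified") is also circular and should say where that default comes from.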
56 changes: 56 additions & 0 deletions content/docs/2.20/concepts/authentication.md
Expand Up @@ -161,6 +161,25 @@ spec:
name: {aws-secret-name} # Required.
version: {aws-secret-version} # Optional.
secretKey: {aws-secret-key} # Optional.
awsParameterStore: # Optional.
podIdentity: # Optional.
provider: aws # Required.
credentials: # Optional.
accessKey: # Required.
valueFrom: # Required.
secretKeyRef: # Required.
name: {k8s-secret-with-aws-credentials} # Required.
key: AWS_ACCESS_KEY_ID # Required.
accessSecretKey: # Required.
valueFrom: # Required.
secretKeyRef: # Required.
name: {k8s-secret-with-aws-credentials} # Required.
key: AWS_SECRET_ACCESS_KEY # Required.
region: {aws-region} # Optional.
parameters: # Required.
- parameter: {param-name-used-for-auth} # Required.
name: {aws-parameter-name} # Required.
withDecryption: true # Optional. Default: true
gcpSecretManager: # Optional.
secrets: # Required.
- parameter: {param-name-used-for-auth} # Required.
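Review bot: In the added `awsParameterStore` block, `podIdentity` and `credentials` are both marked Optional with nothing saying whether they are alternatives or which one applies when both are set. Since `credentials` points at access keys held in a Kubernetes secret, add a comment stating how the two relate so readers do not copy both into one spec. The `key:` values here are the literals `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, while the standalone page uses the placeholder `{key-in-k8s-secret}`; pick one form for both.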
Expand Down Expand Up @@ -442,6 +461,43 @@ awsSecretManager:
secretKey: {aws-secret-key} # Optional.
```

### AWS Systems Manager Parameter Store

You can integrate AWS Systems Manager Parameter Store parameters into your trigger by configuring the `awsParameterStore` key in your KEDA scaling specification.

The `podIdentity` section configures the usage of AWS pod identity with the provider set to AWS.

The `credentials` section specifies AWS credentials, including the `accessKey` and `secretAccessKey`.

- **accessKey:** Configuration for the AWS access key.
- **secretAccessKey:** Configuration for the AWS secret access key.

The `region` parameter is optional and represents the AWS region where the parameter resides, defaulting to the default region if not specified.

The `parameters` list within `awsParameterStore` defines the mapping between the AWS Parameter Store parameter and the authentication parameter used in your application, including the parameter name, AWS Parameter Store parameter name, and an optional `withDecryption` flag to decrypt SecureString parameters.

```yaml
awsParameterStore:
podIdentity: # Optional.
provider: aws # Required.
credentials: # Optional.
accessKey: # Required.
valueFrom: # Required.
secretKeyRef: # Required.
name: {k8s-secret-with-aws-credentials} # Required.
key: AWS_ACCESS_KEY_ID # Required.
accessSecretKey: # Required.
valueFrom: # Required.
secretKeyRef: # Required.
name: {k8s-secret-with-aws-credentials} # Required.
key: AWS_SECRET_ACCESS_KEY # Required.
region: {aws-region} # Optional.
parameters: # Required.
- parameter: {param-name-used-for-auth} # Required.
name: {aws-parameter-name} # Required.
withDecryption: true # Optional. Default: true
```

#### AWS Pod Identity Webhook for AWS

[**AWS IAM Roles for Service Accounts (IRSA) Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook) ([documentation](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/)) allows you to provide the role name using an annotation on a service account associated with your pod.
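Review bot: The prose under the new `### AWS Systems Manager Parameter Store` heading is a word-for-word copy of the standalone page added earlier in this PR, including the mismatch between `secretAccessKey` in the text and `accessSecretKey` in the YAML, so every correction now has to be made in two places. Consider keeping a short summary here with a link to the standalone page. The `withDecryption` line documents a default of true for SecureString parameters; it would help to state what access the pod identity or credentials need for that decryption to succeed.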