From 5bc5b5d19ee9d41735881dad25b579c8845788d7 Mon Sep 17 00:00:00 2001 From: Quenby Mitchell Date: Wed, 17 Sep 2025 14:54:13 -0600 Subject: [PATCH 1/7] add documentation for AWS sink and source authentication --- .../eventing/sinks/integration-sink/aws_s3.md | 21 +++++++++++++++- .../sinks/integration-sink/aws_sns.md | 23 +++++++++++++++-- .../sinks/integration-sink/aws_sqs.md | 23 +++++++++++++++-- .../integration-source/aws_ddbstreams.md | 21 +++++++++++++++- .../sources/integration-source/aws_s3.md | 21 +++++++++++++++- .../sources/integration-source/aws_sqs.md | 25 ++++++++++++++++--- 6 files changed, 124 insertions(+), 10 deletions(-) diff --git a/docs/eventing/sinks/integration-sink/aws_s3.md b/docs/eventing/sinks/integration-sink/aws_s3.md index 35510371ddb..03244fd3ffc 100644 --- a/docs/eventing/sinks/integration-sink/aws_s3.md +++ b/docs/eventing/sinks/integration-sink/aws_s3.md 
@@ -11,11 +11,30 @@ The `IntegrationSink` supports the Amazon Web Services (AWS) S3 service, through ## Amazon credentials -For connecting to AWS the `IntegrationSink` uses Kubernetes `Secret`, present in the namespace of the resource. The `Secret` can be created like: +There are two options for authenticating to AWS. + +### Access key and secret + +To use an IAM User access key and secret, create a Kubernetes `Secret` in the namespace of the resource. The `Secret` can be created like: ```bash kubectl -n create secret generic my-secret --from-literal=aws.accessKey= --from-literal=aws.secretKey= ``` +Then in the `IntegrationSink` `.spec.aws.auth` section reference the `Secret` like this: +```yaml + auth: + secret: + ref: + name: "my-secret" +``` + +### Pod Default Credentials + +If you are using IRSA or Pod Identity, you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSink` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSink`. +```yaml + auth: + serviceAccountName: "my-service-account" +``` ## AWS S3 Sink Example diff --git a/docs/eventing/sinks/integration-sink/aws_sns.md b/docs/eventing/sinks/integration-sink/aws_sns.md index 1d773e49aeb..a6dd77ba45a 100644 --- a/docs/eventing/sinks/integration-sink/aws_sns.md +++ b/docs/eventing/sinks/integration-sink/aws_sns.md 
@@ -11,11 +11,30 @@ The `IntegrationSink` supports the Amazon Web Services (AWS) Simple Notification ## Amazon credentials -For connecting to AWS the `IntegrationSink` uses Kubernetes `Secret`, present in the namespace of the resource. The `Secret` can be created like: +There are two options for authenticating to AWS. + +### Access key and secret + +To use an IAM User access key and secret, create a Kubernetes `Secret` in the namespace of the resource. The `Secret` can be created like: ```bash kubectl -n create secret generic my-secret --from-literal=aws.accessKey= --from-literal=aws.secretKey= ``` +Then in the `IntegrationSink` `.spec.aws.auth` section reference the `Secret` like this: +```yaml + auth: + secret: + ref: + name: "my-secret" +``` + +### Pod Default Credentials + +If you are using IRSA or Pod Identity, you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSink` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSink`. +```yaml + auth: + serviceAccountName: "my-service-account" +``` ## AWS SNS Sink Example @@ -37,6 +56,6 @@ Below is an `IntegrationSink` to send data to AWS SNS: ref: name: "my-secret" ``` -Inside of the `aws.sns` object we define the name of the topic (or _arn_) and its region. The credentials for the AWS service are referenced from the `my-secret` Kubernetes `Secret` +Inside of the `aws.sns` object we define the name of the topic (or _arn_) and its region. The credentials for the AWS service are referenced from the `my-secret` Kubernetes `Secret` More details about the Apache Camel Kamelet [aws-sns-sink](https://camel.apache.org/camel-kamelets/latest/aws-sns-sink.html). diff --git a/docs/eventing/sinks/integration-sink/aws_sqs.md b/docs/eventing/sinks/integration-sink/aws_sqs.md index 588dfd027af..a8e124725af 100644 --- a/docs/eventing/sinks/integration-sink/aws_sqs.md 
+++ b/docs/eventing/sinks/integration-sink/aws_sqs.md @@ -11,11 +11,30 @@ The `IntegrationSink` supports the Amazon Web Services (AWS) Simple Queue Servic ## Amazon credentials -For connecting to AWS the `IntegrationSink` uses Kubernetes `Secret`, present in the namespace of the resource. The `Secret` can be created like: +There are two options for authenticating to AWS. + +### Access key and secret + +To use an IAM User access key and secret, create a Kubernetes `Secret` in the namespace of the resource. The `Secret` can be created like: ```bash kubectl -n create secret generic my-secret --from-literal=aws.accessKey= --from-literal=aws.secretKey= ``` +Then in the `IntegrationSink` `.spec.aws.auth` section reference the `Secret` like this: +```yaml + auth: + secret: + ref: + name: "my-secret" +``` + +### Pod Default Credentials + +If you are using IRSA or Pod Identity, you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSink` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSink`. +```yaml + auth: + serviceAccountName: "my-service-account" +``` ## AWS SQS Sink Example @@ -37,6 +56,6 @@ Below is an `IntegrationSink` to send data to AWS SQS: ref: name: "my-secret" ``` -Inside of the `aws.sqs` object we define the name of the queue (or _arn_) and its region. The credentials for the AWS service are referenced from the `my-secret` Kubernetes `Secret` +Inside of the `aws.sqs` object we define the name of the queue (or _arn_) and its region. The credentials for the AWS service are referenced from the `my-secret` Kubernetes `Secret` More details about the Apache Camel Kamelet [aws-sqs-sink](https://camel.apache.org/camel-kamelets/latest/aws-sqs-sink.html). 
diff --git a/docs/eventing/sources/integration-source/aws_ddbstreams.md b/docs/eventing/sources/integration-source/aws_ddbstreams.md index 6bf3345f63a..531cc6a0218 100644 --- a/docs/eventing/sources/integration-source/aws_ddbstreams.md +++ b/docs/eventing/sources/integration-source/aws_ddbstreams.md @@ -11,11 +11,30 @@ The `IntegrationSource` supports the Amazon Web Services (AWS) DynamoDB Streams ## Amazon credentials -For connecting to AWS the `IntegrationSource` uses Kubernetes `Secret`, present in the namespace of the resource. The `Secret` can be created like: +There are two options for authenticating to AWS. + +### Access key and secret + +To use an IAM User access key and secret, create a Kubernetes `Secret` in the namespace of the resource. The `Secret` can be created like: ```bash kubectl -n create secret generic my-secret --from-literal=aws.accessKey= --from-literal=aws.secretKey= ``` +Then in the `IntegrationSource` `.spec.aws.auth` section reference the `Secret` like this: +```yaml + auth: + secret: + ref: + name: "my-secret" +``` + +### Pod Default Credentials + +If you are using IRSA or Pod Identity, you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSource` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSource`. +```yaml + auth: + serviceAccountName: "my-service-account" +``` ## AWS DynamoDB Streams Example diff --git a/docs/eventing/sources/integration-source/aws_s3.md b/docs/eventing/sources/integration-source/aws_s3.md index c72fa36a4ed..2325cf3569b 100644 --- a/docs/eventing/sources/integration-source/aws_s3.md +++ b/docs/eventing/sources/integration-source/aws_s3.md 
@@ -11,11 +11,30 @@ The `IntegrationSource` supports the Amazon Web Services (AWS) S3 service, throu ## Amazon credentials -For connecting to AWS the `IntegrationSource` uses Kubernetes `Secret`, present in the namespace of the resource. The `Secret` can be created like: +There are two options for authenticating to AWS. + +### Access key and secret + +To use an IAM User access key and secret, create a Kubernetes `Secret` in the namespace of the resource. The `Secret` can be created like: ```bash kubectl -n create secret generic my-secret --from-literal=aws.accessKey= --from-literal=aws.secretKey= ``` +Then in the `IntegrationSource` `.spec.aws.auth` section reference the `Secret` like this: +```yaml + auth: + secret: + ref: + name: "my-secret" +``` + +### Pod Default Credentials + +If you are using IRSA or Pod Identity, you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSource` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSource`. +```yaml + auth: + serviceAccountName: "my-service-account" +``` ## AWS S3 Source Example diff --git a/docs/eventing/sources/integration-source/aws_sqs.md b/docs/eventing/sources/integration-source/aws_sqs.md index 9ffb5062afb..73894989793 100644 --- a/docs/eventing/sources/integration-source/aws_sqs.md +++ b/docs/eventing/sources/integration-source/aws_sqs.md 
@@ -11,11 +11,30 @@ The `IntegrationSource` supports the Amazon Web Services (AWS) Simple Queue Serv ## Amazon credentials -For connecting to AWS the `IntegrationSource` uses Kubernetes `Secret`, present in the namespace of the resource. The `Secret` can be created like: +There are two options for authenticating to AWS. + +### Access key and secret + +To use an IAM User access key and secret, create a Kubernetes `Secret` in the namespace of the resource. The `Secret` can be created like: ```bash kubectl -n create secret generic my-secret --from-literal=aws.accessKey= --from-literal=aws.secretKey= ``` +Then in the `IntegrationSource` `.spec.aws.auth` section reference the `Secret` like this: +```yaml + auth: + secret: + ref: + name: "my-secret" +``` + +### Pod Default Credentials + +If you are using IRSA or Pod Identity, you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSource` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSource`. +```yaml + auth: + serviceAccountName: "my-service-account" +``` ## AWS SQS Source Example @@ -35,13 +54,13 @@ Below is an `IntegrationSource` to receive data from AWS SQS. auth: secret: ref: - name: "my-secret" + name: "my-secret" sink: ref: apiVersion: eventing.knative.dev/v1 kind: Broker name: default ``` -Inside of the `aws.sqs` object we define the name of the queue (or _arn_) and its region. The credentials for the AWS service are referenced from the `my-secret` Kubernetes `Secret` +Inside of the `aws.sqs` object we define the name of the queue (or _arn_) and its region. The credentials for the AWS service are referenced from the `my-secret` Kubernetes `Secret` More details about the Apache Camel Kamelet [aws-sqs-source](https://camel.apache.org/camel-kamelets/latest/aws-sqs-source.html). From 6cd0ccb182bda2a14ba4bb0295dfea6901dfd967 Mon Sep 17 00:00:00 2001 
From: Dave Protasowski Date: Wed, 8 Oct 2025 13:21:10 -0400 Subject: [PATCH 2/7] Update docs/versioned/eventing/sources/integration-source/aws_sqs.md --- docs/versioned/eventing/sources/integration-source/aws_sqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/versioned/eventing/sources/integration-source/aws_sqs.md b/docs/versioned/eventing/sources/integration-source/aws_sqs.md index 73894989793..e695f6e40d2 100644 --- a/docs/versioned/eventing/sources/integration-source/aws_sqs.md +++ b/docs/versioned/eventing/sources/integration-source/aws_sqs.md @@ -30,7 +30,7 @@ Then in the `IntegrationSource` `.spec.aws.auth` section reference the `Secret` ### Pod Default Credentials -If you are using IRSA or Pod Identity, you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSource` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSource`. +If you are using [IAM Role for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) or [Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html), you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSource` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSource`. ```yaml auth: serviceAccountName: "my-service-account" From 57e70e9442bd69599112bc783a48c21a86b5e360 Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Wed, 8 Oct 2025 13:21:17 -0400 Subject: [PATCH 3/7] Update docs/versioned/eventing/sources/integration-source/aws_s3.md --- docs/versioned/eventing/sources/integration-source/aws_s3.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/versioned/eventing/sources/integration-source/aws_s3.md b/docs/versioned/eventing/sources/integration-source/aws_s3.md index 2325cf3569b..2d45cff95eb 100644 --- a/docs/versioned/eventing/sources/integration-source/aws_s3.md +++ b/docs/versioned/eventing/sources/integration-source/aws_s3.md @@ -30,7 +30,7 @@ Then in the `IntegrationSource` `.spec.aws.auth` section reference the `Secret` ### Pod Default Credentials -If you are using IRSA or Pod Identity, you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSource` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSource`. +If you are using [IAM Role for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) or [Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html), you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSource` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSource`. ```yaml auth: serviceAccountName: "my-service-account" From 39cd00a14cc5510e8e63b26c38a6a50920ff437b Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Wed, 8 Oct 2025 13:21:24 -0400 Subject: [PATCH 4/7] Update docs/versioned/eventing/sinks/integration-sink/aws_sns.md --- docs/versioned/eventing/sinks/integration-sink/aws_sns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/versioned/eventing/sinks/integration-sink/aws_sns.md b/docs/versioned/eventing/sinks/integration-sink/aws_sns.md index 58efaabd6be..57705e11cfb 100644 --- a/docs/versioned/eventing/sinks/integration-sink/aws_sns.md +++ b/docs/versioned/eventing/sinks/integration-sink/aws_sns.md 
@@ -30,7 +30,7 @@ Then in the `IntegrationSink` `.spec.aws.auth` section reference the `Secret` li ### Pod Default Credentials -If you are using IRSA or Pod Identity, you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSink` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSink`. +If you are using [IAM Role for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) or [Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html), you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSink` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSink`. ```yaml auth: serviceAccountName: "my-service-account" From 4015b3b7f7a88ea4b8a1ccc08a47c8bfd2a5f78d Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Wed, 8 Oct 2025 13:21:30 -0400 Subject: [PATCH 5/7] Update docs/versioned/eventing/sources/integration-source/aws_ddbstreams.md --- .../eventing/sources/integration-source/aws_ddbstreams.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/versioned/eventing/sources/integration-source/aws_ddbstreams.md b/docs/versioned/eventing/sources/integration-source/aws_ddbstreams.md index 531cc6a0218..0884c9b89f2 100644 --- a/docs/versioned/eventing/sources/integration-source/aws_ddbstreams.md +++ b/docs/versioned/eventing/sources/integration-source/aws_ddbstreams.md 
@@ -30,7 +30,7 @@ Then in the `IntegrationSource` `.spec.aws.auth` section reference the `Secret` ### Pod Default Credentials -If you are using IRSA or Pod Identity, you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSource` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSource`. +If you are using [IAM Role for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) or [Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html), you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSource` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSource`. ```yaml auth: serviceAccountName: "my-service-account" From 5485e0ee26cf1cf755563bb1cd0a6e8ba09b6f96 Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Wed, 8 Oct 2025 13:21:38 -0400 Subject: [PATCH 6/7] Update docs/versioned/eventing/sinks/integration-sink/aws_s3.md --- docs/versioned/eventing/sinks/integration-sink/aws_s3.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/versioned/eventing/sinks/integration-sink/aws_s3.md b/docs/versioned/eventing/sinks/integration-sink/aws_s3.md index e57112f3ca8..c8640b67ebf 100644 --- a/docs/versioned/eventing/sinks/integration-sink/aws_s3.md +++ b/docs/versioned/eventing/sinks/integration-sink/aws_s3.md 
@@ -30,7 +30,7 @@ Then in the `IntegrationSink` `.spec.aws.auth` section reference the `Secret` li ### Pod Default Credentials -If you are using IRSA or Pod Identity, you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSink` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSink`. +If you are using [IAM Role for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) or [Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html), you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSink` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSink`. ```yaml auth: serviceAccountName: "my-service-account" From 2e15048fd7aa95e507c81544cf9389e0d83bebef Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Wed, 8 Oct 2025 13:21:52 -0400 Subject: [PATCH 7/7] Update docs/versioned/eventing/sinks/integration-sink/aws_sqs.md --- docs/versioned/eventing/sinks/integration-sink/aws_sqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/versioned/eventing/sinks/integration-sink/aws_sqs.md b/docs/versioned/eventing/sinks/integration-sink/aws_sqs.md index d70b6bcea9a..393bf3f7193 100644 --- a/docs/versioned/eventing/sinks/integration-sink/aws_sqs.md +++ b/docs/versioned/eventing/sinks/integration-sink/aws_sqs.md 
@@ -30,7 +30,7 @@ Then in the `IntegrationSink` `.spec.aws.auth` section reference the `Secret` li ### Pod Default Credentials -If you are using IRSA or Pod Identity, you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSink` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSink`. +If you are using [IAM Role for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) or [Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html), you can create a Kubernetes `ServiceAccount` and associate it with an AWS IAM role. Then in the `IntegrationSink` `.spec.aws.auth` section specify the name of the `ServiceAccount`. This will assign the `ServiceAccount` to the `Deployment` resource created for the `IntegrationSink`. ```yaml auth: serviceAccountName: "my-service-account"
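Review bot: The `### Access key and secret` section added to all six files in PATCH 1/7 presents long-lived IAM user keys first and gives no guidance on which option to prefer. The `--from-literal=aws.accessKey= --from-literal=aws.secretKey=` form also puts the key material on the command line, where it ends up in shell history. Suggest one sentence stating that the `serviceAccountName` option avoids storing static keys in the cluster and is the better choice where it is available, and consider showing `--from-file` for the `Secret` so the values are not typed inline.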
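Review bot: The `### Pod Default Credentials` paragraph in PATCH 1/7 is missing two things a reader needs to configure this safely. It does not say that the `ServiceAccount` must exist in the same namespace as the `IntegrationSink` or `IntegrationSource` (the generated `Deployment` can only reference a `ServiceAccount` in its own namespace), and it does not say what happens when both `auth.secret` and `auth.serviceAccountName` are set. Suggest a sentence for each, plus a reminder to scope the associated IAM role to the one bucket, topic, queue or stream that the resource uses.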
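Review bot: The example prose in the second hunks of `sinks/integration-sink/aws_sns.md`, `sinks/integration-sink/aws_sqs.md` and `sources/integration-source/aws_sqs.md` in PATCH 1/7 still says "The credentials for the AWS service are referenced from the `my-secret` Kubernetes `Secret`", which is now only one of the two documented options, and the sentence has no closing period. The hunks change that line only in whitespace, so this is the place to fix it: end the sentence and add that `auth.serviceAccountName` can be used in place of the `secret` reference. The `name: "my-secret"` change in the SQS source example is likewise whitespace-only; please confirm that the new indentation keeps `name` nested under `ref`, or drop the change from this patch.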
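Review bot: The link text "IAM Role for Service Accounts" in PATCH 2/7 through 7/7 drops the acronym IRSA that PATCH 1/7 used and does not match the plural form in the linked URL (`iam-roles-for-service-accounts`). Suggest "IAM Roles for Service Accounts (IRSA)" as the link text so that readers searching for IRSA still land on this section. These six patches also edit `docs/versioned/eventing/...` while PATCH 1/7 edits `docs/eventing/...`; please confirm the series applies cleanly in order and that no copy of these pages is left with the unlinked wording.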