jgaunt/rclone
1
0
Fork 0
mirror of https://github.com/rclone/rclone.git synced 2025-12-06 00:03:32 +00:00
Code Issues Projects Releases Wiki Activity

oracleobjectstorage: supports workload identity authentication for OKE

Browse Source 
Signed-off-by: Anders Swanson <anders.swanson@oracle.com>
This commit is contained in:
Anders Swanson
2023-10-31 15:04:40 -07:00
committed by Nick Craig-Wood
parent a1e66cc5e8
commit db8fb5ceda
3 changed files with 25 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
docs/content/oracleobjectstorage.md
View File

@@ -59,13 +59,17 @@ Press Enter for the default (env_auth).
2 | youll need to put in a config file your tenancy OCID, user OCID, region, the path, fingerprint to an API key.
| https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdkconfig.htm
\ (user_principal_auth)
/ use instance principals to authorize an instance to make API calls.
3 | each instance has its own identity, and authenticates using the certificates that are read from instance metadata.
/ use instance principals to authorize an instance to make API calls.
3 | each instance has its own identity, and authenticates using the certificates that are read from instance metadata.
| https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm
\ (instance_principal_auth)
4 / use resource principals to make API calls
/ use workload identity to grant Kubernetes pods policy-driven access to Oracle Cloud
4 | Infrastructure (OCI) resources using OCI Identity and Access Management (IAM).
| https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm
\ (workload_identity_auth)
5 / use resource principals to make API calls
\ (resource_principal_auth)
5 / no credentials needed, this is typically for reading public buckets
6 / no credentials needed, this is typically for reading public buckets
\ (no_auth)
provider> 2
@@ -151,6 +155,7 @@ Rclone supports the following OCI authentication provider.
User Principal
Instance Principal
Resource Principal
Workload Identity
No authentication
### User Principal
@@ -224,6 +229,14 @@ Sample rclone configuration file for Authentication Provider Resource Principal:
region = us-ashburn-1
provider = resource_principal_auth
### Workload Identity
Workload Identity auth may be used when running Rclone from Kubernetes pod on a Container Engine for Kubernetes (OKE) cluster.
For more details on configuring Workload Identity, see [Granting Workloads Access to OCI Resources](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm).
To use workload identity, ensure Rclone is started with these environment variables set in its process.
export OCI_RESOURCE_PRINCIPAL_VERSION=2.2
export OCI_RESOURCE_PRINCIPAL_REGION=us-ashburn-1
### No authentication
Public buckets do not require any authentication mechanism to read objects.