
Map Cloud Provider Identity to Kubernetes Service Account

C3 Agentic AI Platform includes a Kubernetes service account called c3-privileged. When deploying a Kubernetes cluster for C3 AI or when you upgrade to C3 Agentic AI Platform version 8.7, map the cloud provider identity to c3-privileged so that applications in the cluster can access necessary cloud resources.

Requirements

You must have access to update your cloud provider infrastructure. A typical persona for this task is a cluster operator.

Map cloud provider identity to Kubernetes service account

To map your cloud provider identity to the c3-privileged Kubernetes service account, complete the following steps for your cloud provider.

Google Kubernetes Engine (GKE)

  1. If the GKE Helm chart was not deployed with this annotation, patch the annotation on the Kubernetes service account:

    Command Line
    kubectl patch serviceaccount <K8S_SERVICE_ACCOUNT_NAME> --namespace <K8S_NAMESPACE_NAME> -p '{ "metadata": { "annotations": { "iam.gke.io/gcp-service-account":"<GCP_IAM_SERVICE_ACCOUNT_NAME>@<GCP_PROJECT_ID>.iam.gserviceaccount.com" } }, "imagePullSecrets": [{"name":"docker-registry-secret"}] }'
  2. Map the GKE identity to the c3-privileged Kubernetes service account:

    Command Line
    gcloud iam service-accounts add-iam-policy-binding ${gcpIamServiceAccountStr}@${gcpProjectIdStr}.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member 'serviceAccount:${gcpProjectIdStr}.svc.id.goog[${k8sNamespaceStr}/${k8sServiceAccountStr}]'

Azure Kubernetes Service (AKS)

  1. If the AKS Helm chart was not deployed with this annotation, patch the annotation on the Kubernetes service account:

    Command Line
    kubectl patch serviceaccount <K8S_SERVICE_ACCOUNT_NAME> --namespace <K8S_NAMESPACE_NAME> -p '{
      "metadata": { "annotations": { "azure.workload.identity/client-id":"<AZURE_MANAGED_IDENTITY_CLIENT_ID>" } },
      "imagePullSecrets": [{"name":"docker-registry-secret"}] }'
  2. Map the AKS identity to the c3-privileged Kubernetes service account:

    Command Line
    az identity federated-credential create \
      --name <AZURE_FEDERATED_IDENTITY_CREDENTIAL_NAME> \
      --identity-name <AZURE_MANAGED_IDENTITY_NAME> \
      --resource-group <AZURE_RESOURCE_GROUP> \
      --issuer <AKS_OIDC_ISSUER> \
      --subject system:serviceaccount:<K8S_NAMESPACE_NAME>:<K8S_SERVICE_ACCOUNT_NAME> \
      --audience api://AzureADTokenExchange

Amazon Elastic Kubernetes Service (EKS)

  1. If the EKS Helm chart was not deployed with this annotation, patch the annotation on the Kubernetes service account:

    Command Line
    kubectl patch serviceaccount <K8S_SERVICE_ACCOUNT_NAME> --namespace <K8S_NAMESPACE_NAME> -p '{ "metadata": { "annotations": { "eks.amazonaws.com/role-arn":"arn:aws:iam::<AWS_ACCOUNT_ID>:role/<AWS_IAM_ROLE_NAME>" } }, "imagePullSecrets": [{"name":"docker-registry-secret"}] }'
  2. Map the EKS identity to the c3-privileged Kubernetes service account:

    JSON
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/<OIDC_PROVIDER>"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "<OIDC_PROVIDER>:aud": "sts.amazonaws.com",
              "<OIDC_PROVIDER>:sub": "system:serviceaccount:<K8S_NAMESPACE_NAME>:<K8S_SERVICE_ACCOUNT_NAME>"
            }
          }
        }
      ]
    }
  3. Create the Identity and Access Management (IAM) role, passing the trust policy from the previous step saved as trust-relationship.json:

    Command Line
    aws iam create-role --role-name <AWS_IAM_ROLE_NAME> --assume-role-policy-document file://trust-relationship.json
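The sub condition in the EKS trust policy is what pins the role to one namespace and service account; a looser operator such as StringLike with a wildcard lets every pod in that namespace assume the role. The following checker is an added example, not part of the C3 AI documentation: it validates a trust policy document against the expected OIDC provider, namespace and service account, and the account id, OIDC provider id and the c3 namespace are constructed sample values.

```python
import copy


def check_irsa_trust_policy(policy: dict, oidc_provider: str,
                            namespace: str, service_account: str) -> list:
    """Return findings for an IAM trust policy; an empty list means the
    sts:AssumeRoleWithWebIdentity grant is pinned to exactly one
    namespace/service-account pair on the cluster's OIDC provider."""
    findings = []
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    aud_key, sub_key = f"{oidc_provider}:aud", f"{oidc_provider}:sub"
    matched = False
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        matched = True
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f":oidc-provider/{oidc_provider}"):
            findings.append(f"statement {i}: Federated principal is not the cluster OIDC provider")
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        if equals.get(aud_key) != "sts.amazonaws.com":
            findings.append(f"statement {i}: {aud_key} must be StringEquals sts.amazonaws.com")
        if equals.get(sub_key) != expected_sub:
            findings.append(f"statement {i}: {sub_key} must be StringEquals {expected_sub}, got {equals.get(sub_key)!r}")
        # Any other operator on sub (StringLike with '*', ForAnyValue:..., ...) widens the
        # set of pods that can assume the role beyond the single service account.
        for op, keys in cond.items():
            if op != "StringEquals" and sub_key in keys:
                findings.append(f"statement {i}: {op} on {sub_key} ({keys[sub_key]!r}) widens the allowed identities")
    if not matched:
        findings.append("no Allow statement grants sts:AssumeRoleWithWebIdentity")
    return findings


# Constructed sample values; the account id, provider id and namespace are not real.
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC_PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com",
                                       f"{OIDC_PROVIDER}:sub": "system:serviceaccount:c3:c3-privileged"}},
    }],
}
# Same policy with a wildcard subject: every service account in the c3 namespace qualifies.
BROAD_TRUST_POLICY = copy.deepcopy(GOOD_TRUST_POLICY)
BROAD_TRUST_POLICY["Statement"][0]["Condition"] = {
    "StringEquals": {f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{OIDC_PROVIDER}:sub": "system:serviceaccount:c3:*"},
}

if __name__ == "__main__":
    for name, pol in (("good", GOOD_TRUST_POLICY), ("broad", BROAD_TRUST_POLICY)):
        print(name, check_irsa_trust_policy(pol, OIDC_PROVIDER, "c3", "c3-privileged") or "OK")
```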
