{ "description": "A ProviderConfig configures the AWS provider.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "A ProviderConfigSpec defines the desired state of a ProviderConfig.", "properties": { "assumeRoleChain": { "description": "AssumeRoleChain defines the options for assuming an IAM role", "items": { "description": "AssumeRoleOptions define the options for assuming an IAM Role\nFields are similar to the STS AssumeRoleOptions in the AWS SDK", "properties": { "externalID": { "description": "ExternalID is the external ID used when assuming role.", "type": "string" }, "roleARN": { "description": "AssumeRoleARN to assume with provider credentials", "type": "string" }, "tags": { "description": "Tags is list of session tags that you want to pass. Each session tag consists of a key\nname and an associated value. For more information about session tags, see\nTagging STS Sessions\n(https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html).", "items": { "description": "Tag is session tag that can be used to assume an IAM Role", "properties": { "key": { "description": "Name of the tag.\nKey is a required field", "type": "string" }, "value": { "description": "Value of the tag.\nValue is a required field", "type": "string" } }, "required": [ "key", "value" ], "type": "object", "additionalProperties": false }, "type": "array" }, "transitiveTagKeys": { "description": "TransitiveTagKeys is a list of keys for session tags that you want to set as transitive. If you set a\ntag key as transitive, the corresponding key and value passes to subsequent\nsessions in a role chain. For more information, see Chaining Roles with Session Tags\n(https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining).", "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "credentials": { "description": "Credentials required to authenticate to this provider.", "properties": { "env": { "description": "Env is a reference to an environment variable that contains credentials\nthat must be used to connect to the provider.", "properties": { "name": { "description": "Name is the name of an environment variable.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "fs": { "description": "Fs is a reference to a filesystem location that contains credentials that\nmust be used to connect to the provider.", "properties": { "path": { "description": "Path is a filesystem path.", "type": "string" } }, "required": [ "path" ], "type": "object", "additionalProperties": false }, "secretRef": { "description": "A SecretRef is a reference to a secret key that contains the credentials\nthat must be used to connect to the provider.", "properties": { "key": { "description": "The key to select.", "type": "string" }, "name": { "description": "Name of the secret.", "type": "string" }, "namespace": { "description": "Namespace of the secret.", "type": "string" } }, "required": [ "key", "name", "namespace" ], "type": "object", "additionalProperties": false }, "source": { "description": "Source of the provider credentials.", "enum": [ "None", "Secret", "IRSA", "WebIdentity", "PodIdentity", "Upbound" ], "type": "string" }, "upbound": { "description": "Upbound defines the options for authenticating using Upbound as an identity provider.", "properties": { "webIdentity": { "description": "WebIdentity defines the options for assuming an IAM role with a Web\nIdentity.", "properties": { "roleARN": { "description": "AssumeRoleARN to assume with provider credentials", "type": "string" }, "roleSessionName": { "description": "RoleSessionName is the session name, if you wish to uniquely identify this session.", "type": "string" }, "tokenConfig": { "description": "TokenConfig is the Web Identity Token config to assume the role.", "properties": { "fs": { "description": "Fs is a reference to a filesystem location that contains credentials that\nmust be used to obtain the web identity token.", "properties": { "path": { "description": "Path is a filesystem path.", "type": "string" } }, "required": [ "path" ], "type": "object", "additionalProperties": false }, "secretRef": { "description": "A SecretRef is a reference to a secret key that contains the credentials\nthat must be used to obtain the web identity token.", "properties": { "key": { "description": "The key to select.", "type": "string" }, "name": { "description": "Name of the secret.", "type": "string" }, "namespace": { "description": "Namespace of the secret.", "type": "string" } }, "required": [ "key", "name", "namespace" ], "type": "object", "additionalProperties": false }, "source": { "description": "Source is the source of the web identity token.", "enum": [ "Secret", "Filesystem" ], "type": "string" } }, "required": [ "source" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "webIdentity": { "description": "WebIdentity defines the options for assuming an IAM role with a Web Identity.", "properties": { "roleARN": { "description": "AssumeRoleARN to assume with provider credentials", "type": "string" }, "roleSessionName": { "description": "RoleSessionName is the session name, if you wish to uniquely identify this session.", "type": "string" }, "tokenConfig": { "description": "TokenConfig is the Web Identity Token config to assume the role.", "properties": { "fs": { "description": "Fs is a reference to a filesystem location that contains credentials that\nmust be used to obtain the web identity token.", "properties": { "path": { "description": "Path is a filesystem path.", "type": "string" } }, "required": [ "path" ], "type": "object", "additionalProperties": false }, "secretRef": { "description": "A SecretRef is a reference to a secret key that contains the credentials\nthat must be used to obtain the web identity token.", "properties": { "key": { "description": "The key to select.", "type": "string" }, "name": { "description": "Name of the secret.", "type": "string" }, "namespace": { "description": "Namespace of the secret.", "type": "string" } }, "required": [ "key", "name", "namespace" ], "type": "object", "additionalProperties": false }, "source": { "description": "Source is the source of the web identity token.", "enum": [ "Secret", "Filesystem" ], "type": "string" } }, "required": [ "source" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "required": [ "source" ], "type": "object", "additionalProperties": false }, "endpoint": { "description": "Endpoint is where you can override the default endpoint configuration\nof AWS calls made by the provider.", "properties": { "hostnameImmutable": { "description": "Specifies if the endpoint's hostname can be modified by the SDK's API\nclient.\n\nIf the hostname is mutable the SDK API clients may modify any part of\nthe hostname based on the requirements of the API, (e.g. adding, or\nremoving content in the hostname). Such as, Amazon S3 API client\nprefixing \"bucketname\" to the hostname, or changing the\nhostname service name component from \"s3.\" to \"s3-accesspoint.dualstack.\"\nfor the dualstack endpoint of an S3 Accesspoint resource.\n\nCare should be taken when providing a custom endpoint for an API. If the\nendpoint hostname is mutable, and the client cannot modify the endpoint\ncorrectly, the operation call will most likely fail, or have undefined\nbehavior.\n\nIf hostname is immutable, the SDK API clients will not modify the\nhostname of the URL. This may cause the API client not to function\ncorrectly if the API requires the operation specific hostname values\nto be used by the client.\n\nThis flag does not modify the API client's behavior if this endpoint\nwill be used instead of Endpoint Discovery, or if the endpoint will be\nused to perform Endpoint Discovery. That behavior is configured via the\nAPI Client's Options.\nNote that this is effective only for resources that use AWS SDK v2.", "type": "boolean" }, "partitionId": { "description": "The AWS partition the endpoint belongs to.", "type": "string" }, "services": { "description": "Specifies the list of services you want endpoint to be used for", "items": { "type": "string" }, "type": "array" }, "signingMethod": { "description": "The signing method that should be used for signing the requests to the\nendpoint.", "type": "string" }, "signingName": { "description": "The service name that should be used for signing the requests to the\nendpoint.", "type": "string" }, "signingRegion": { "description": "The region that should be used for signing the request to the endpoint.\nFor IAM, which doesn't have any region, us-east-1 is used to sign the\nrequests, which is the only signing region of IAM.", "type": "string" }, "source": { "description": "The source of the Endpoint. By default, this will be ServiceMetadata.\nWhen providing a custom endpoint, you should set the source as Custom.\nIf source is not provided when providing a custom endpoint, the SDK may not\nperform required host mutations correctly. Source should be used along with\nHostnameImmutable property as per the usage requirement.\nNote that this is effective only for resources that use AWS SDK v2.", "enum": [ "ServiceMetadata", "Custom" ], "type": "string" }, "url": { "description": "URL lets you configure the endpoint URL to be used in SDK calls.", "properties": { "dynamic": { "description": "Dynamic lets you configure the behavior of endpoint URL resolver.", "properties": { "host": { "description": "Host is the address of the main host that the resolver will use to\nprepend protocol, service and region configurations.\nFor example, the final URL for EC2 in us-east-1 looks like https://ec2.us-east-1.amazonaws.com\nYou would need to use \"amazonaws.com\" as Host and \"https\" as protocol\nto have the resolver construct it.", "type": "string" }, "protocol": { "description": "Protocol is the HTTP protocol that will be used in the URL. Currently,\nonly http and https are supported.", "enum": [ "http", "https" ], "type": "string" } }, "required": [ "host", "protocol" ], "type": "object", "additionalProperties": false }, "static": { "description": "Static is the full URL you'd like the AWS SDK to use.\nRecommended for using tools like localstack where a single host is exposed\nfor all services and regions.", "type": "string" }, "type": { "description": "You can provide a static URL that will be used regardless of the service\nand region by choosing Static type. Alternatively, you can provide\nconfiguration for dynamically resolving the URL with the config you provide\nonce you set the type as Dynamic.", "enum": [ "Static", "Dynamic", "Auto" ], "type": "string" } }, "required": [ "type" ], "type": "object", "additionalProperties": false } }, "required": [ "url" ], "type": "object", "additionalProperties": false }, "s3_use_path_style": { "description": "Whether to enable the request to use path-style addressing, i.e., https://s3.amazonaws.com/BUCKET/KEY.", "type": "boolean" }, "skip_credentials_validation": { "description": "Whether to skip credentials validation via the STS API.\nThis can be useful for testing and for AWS API implementations that do not have STS available.", "type": "boolean" }, "skip_metadata_api_check": { "description": "Whether to skip the AWS Metadata API check\nUseful for AWS API implementations that do not have a metadata API endpoint.", "type": "boolean" }, "skip_region_validation": { "description": "Whether to skip validation of provided region name.\nUseful for AWS-like implementations that use their own region names or to bypass the validation for\nregions that aren't publicly available yet.", "type": "boolean" }, "skip_requesting_account_id": { "description": "Whether to skip requesting the account ID.\nUseful for AWS API implementations that do not have the IAM, STS API, or metadata API", "type": "boolean" } }, "required": [ "credentials" ], "type": "object", "additionalProperties": false }, "status": { "description": "A ProviderConfigStatus reflects the observed state of a ProviderConfig.", "properties": { "conditions": { "description": "Conditions of the resource.", "items": { "description": "A Condition that may apply to a resource.", "properties": { "lastTransitionTime": { "description": "LastTransitionTime is the last time this condition transitioned from one\nstatus to another.", "format": "date-time", "type": "string" }, "message": { "description": "A Message containing details about this condition's last transition from\none status to another, if any.", "type": "string" }, "observedGeneration": { "description": "ObservedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "type": "integer" }, "reason": { "description": "A Reason for this condition's last transition from one status to another.", "type": "string" }, "status": { "description": "Status of this condition; is it currently True, False, or Unknown?", "type": "string" }, "type": { "description": "Type of this condition. At most one of each condition type may apply to\na resource at any point in time.", "type": "string" } }, "required": [ "lastTransitionTime", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "type" ], "x-kubernetes-list-type": "map" }, "users": { "description": "Users of this provider configuration.", "format": "int64", "type": "integer" } }, "type": "object", "additionalProperties": false } }, "required": [ "spec" ], "type": "object" }