
Support ServiceAccounts for IntegrationSinks

Open darkgnotic opened this issue 7 months ago • 1 comments

Problem

Being able to run IntegrationSinks with a specific Service Account would facilitate RBAC or platform-specific authorization logic such as IAM roles for service accounts or pod identity associations.

Persona:

Event consumer

Exit Criteria

Assuming default credential support is added:

  • Configure the IntegrationSink to run with a specific Service Account
  • Configure an IAM role or pod identity for that Service Account.
  • SNS or SQS sinks use this role via default credentials, i.e. without any explicit key management.

Time Estimate (optional):

I believe it should be a matter of adding a serviceAccountName field somewhere on the IntegrationSink spec, and plumbing that into PodSpec of the underlying Deployment. Maybe 1 or 2 days.

However, I don't know how this affects the other (e.g. OIDC-related) service account logic in IntegrationSink; the estimate may not be taking everything into account.

Additional context (optional)

This feature would be particularly beneficial if the AWS IntegrationSinks supported default credential providers, which is filed as a separate feature request.

darkgnotic, Sep 12 '25 16:09
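
A sketch of the exit criteria in the issue above, added here as an illustration and not taken from the issue or from Knative. The ServiceAccount uses the EKS IAM-roles-for-service-accounts annotation; `spec.serviceAccountName` on the IntegrationSink is the hypothetical field the issue asks for (its name and placement are assumptions), and all names, the account ID and the ARNs are constructed placeholders.

```yaml
# 1. ServiceAccount bound to an IAM role through IAM roles for service
#    accounts (EKS). Names, account ID and role are constructed placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sqs-sink-sa
  namespace: events
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/sqs-sink-writer
---
# 2. Explicit key management: the sink reads a static key pair from a Secret.
apiVersion: sinks.knative.dev/v1alpha1
kind: IntegrationSink
metadata:
  name: orders-sqs-static-keys
  namespace: events
spec:
  aws:
    sqs:
      arn: arn:aws:sqs:eu-north-1:111122223333:orders
      region: eu-north-1
    auth:
      secret:
        ref:
          name: aws-static-keys   # long-lived access key to store and rotate
---
# 3. What the issue requests. HYPOTHETICAL: serviceAccountName is the field
#    proposed in the issue; its name and position under spec are assumed.
#    It also assumes the separately requested default credential support.
apiVersion: sinks.knative.dev/v1alpha1
kind: IntegrationSink
metadata:
  name: orders-sqs-role-based
  namespace: events
spec:
  serviceAccountName: sqs-sink-sa   # hypothetical field, plumbed into PodSpec
  aws:
    sqs:
      arn: arn:aws:sqs:eu-north-1:111122223333:orders
      region: eu-north-1
    # no auth.secret: the pod would obtain short-lived credentials for the
    # role bound to sqs-sink-sa through the default credential chain
```

For the role binding to stay least-privilege, the IAM role's trust policy should limit the web identity subject to `system:serviceaccount:events:sqs-sink-sa`, and its permissions to the one queue or topic the sink writes to.
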

Yes, we know - thanks for raising.

See:

  • https://github.com/knative/eventing/issues/8544
  • https://github.com/knative/eventing/issues/8718

matzew, Sep 16 '25 12:09