Workload identity allows Dash apps to securely interact with private resources by assuming the role of a Kubernetes service account that is associated with resource permissions in your cloud provider account.
For example, a Dash app that pulls data from a bucket normally requires the app developer to know the bucket credentials. With workload identity, this type of app design is more secure: an administrator can allow an app developer to assign specific service accounts to an app, letting the app interact with resources in your cloud provider account without the developer ever gaining access to the resource credentials. This allows app developers to use what they need to make their data apps shine while keeping your organization compliant with security best practices.
This guide assumes that you have already created a Kubernetes service account in your cluster and that you have configured it with the appropriate permissions for your cloud provider. For information on creating and configuring Kubernetes service accounts, see Service Accounts in the Kubernetes documentation.
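The following is an added example, not code from the Dash Enterprise documentation or from Plotly: a Dash app that reads an object from a bucket through the cloud SDK's default credential chain, plus a startup check that the process is actually relying on workload identity rather than on long-lived access keys in its environment. It assumes (hypothetically) an EKS cluster using IAM Roles for Service Accounts, where the assigned Kubernetes service account causes `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` to be injected into the pod, and a `BUCKET` environment variable naming the bucket; the `credential_source`, `require_workload_identity`, `read_object` and `build_app` functions are my own.

```python
"""Added example (not from the Dash Enterprise docs): a Dash app that reads a
file from a bucket via the cloud provider's default credential chain, plus a
startup check that credentials come from workload identity, not static keys.

Assumptions (hypothetical): EKS with IAM Roles for Service Accounts, so the
assigned Kubernetes service account injects AWS_WEB_IDENTITY_TOKEN_FILE and
AWS_ROLE_ARN into the pod; the bucket name comes from the BUCKET variable.
"""
import os
from typing import Callable, Mapping

# Default mount point of the Kubernetes service-account token (standard path).
K8S_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def credential_source(env: Mapping[str, str],
                      exists: Callable[[str], bool] = os.path.exists) -> str:
    """Classify where this process would obtain cloud credentials.

    "static-keys"            long-lived access keys are present (exactly what
                             workload identity is meant to remove)
    "workload-identity"      a projected web-identity token and role ARN are
                             present and the token file is mounted
    "kubernetes-token-only"  only the default service-account token is mounted
                             (service account exists, no cloud role bound)
    "none"                   nothing usable found
    """
    if env.get("AWS_ACCESS_KEY_ID") or env.get("AWS_SECRET_ACCESS_KEY"):
        return "static-keys"
    token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if token_file and env.get("AWS_ROLE_ARN") and exists(token_file):
        return "workload-identity"
    if exists(K8S_TOKEN_PATH):
        return "kubernetes-token-only"
    return "none"


def require_workload_identity(env: Mapping[str, str] = os.environ,
                              exists: Callable[[str], bool] = os.path.exists) -> str:
    """Fail fast at startup if the app is not running under workload identity."""
    source = credential_source(env, exists)
    if source != "workload-identity":
        raise RuntimeError(f"expected workload identity credentials, found: {source}")
    return source


def read_object(bucket: str, key: str) -> bytes:
    """Read an object with boto3's default credential chain. Under IRSA the SDK
    exchanges the projected token for temporary role credentials itself, so no
    access key appears in the app's code or configuration."""
    import boto3  # imported lazily so the checks above run without the SDK installed
    return boto3.client("s3").get_object(Bucket=bucket, Key=key)["Body"].read()


def build_app():
    """Build the Dash app only after confirming the credential source."""
    from dash import Dash, html  # lazy import for the same reason as boto3
    require_workload_identity()
    app = Dash(__name__)
    app.layout = html.Pre(read_object(os.environ["BUCKET"], "report.csv").decode())
    return app


if __name__ == "__main__":
    build_app().run()
```

The check is deliberately strict: if an operator later removes the user's ability to assign the service account, or the account is assigned but has no cloud role bound, the app refuses to start with a clear message instead of silently falling back to whatever keys happen to be in the environment.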
Prerequisite:
To allow a user to assign a service account to their apps:
https://auth-<your-dash-enterprise-server>
Known issue: If the service account doesn’t exist in the Kubernetes cluster and is assigned to an app, any new workspace for the app will fail to create.
It is not possible to allow an entire group to assign a Kubernetes service account.
Known issue: If you remove a user’s ability to assign a service account (by editing their user details), and that service account was already assigned to one or more of the user’s apps, the service account will remain assigned to those apps. You’ll need to go to each app and redeploy it to unassign the service account.
Assigning a service account to an app also assigns it to its workspace (if one exists).
Prerequisites:
To assign the service account to an existing app: