Document configuring workload identities with Scylla Manager Agent

[rzetelskik]

What should the feature do?

We should document how to enable and configure IAM roles for use with ScyllaClusters' service accounts in supported manged K8s services (EKS and GKE).

What is the use case behind this feature?

Granting access to object storage for Scylla Manager Agent containers.

Anything else we need to know?

Refs:

• https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
• https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html

[scylla-operator-bot[bot]]

The Scylla Operator project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 30d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out

/lifecycle stale

[tnozicka]

/remove-lifecycle stale /triage accepted

[DaivikDave]

@tnozicka @rzetelskik We want to use workload identity on Scylla nodes to configure backups with the ScyllaCluster in GCP. According to the documentation, it seems there's no option to change the service account in the cluster definition. Is there a way to use our own service account or annotate the service account created by the operator?