Freeing Identity From Infrastructure: Automating Virtual Cloud IAM in a Multi-Account, Multi-Cloud Environment
2024-06-17, Breakout 1

Our organization runs dozens of Kubernetes clusters, tens of thousands of hosts, and millions of containers in a multi-cloud environment that includes AWS, Azure, and Google Cloud resources. When we designed this infrastructure, we had to ensure that the hundreds of engineers working on our product could safely and easily access resources across these different cloud providers.

To achieve this, we have built a zero-configuration injected sidecar container that emulates cloud provider instance metadata service (IMDS) APIs. We are now able to transparently provide our Kubernetes pods access to resources in cloud providers and accounts independently of what cloud platform the underlying virtual machine is in—and without engineers needing to write code in their services to configure provider-specific credentials.
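To make the mechanism concrete, here is a minimal emulator of the AWS flavour of IMDS (the IMDSv2 session-token endpoint plus the IAM security-credentials paths) in the style a sidecar like the one described would expose to its pod. This is an added illustration, not code from the talk or from Datadog; the pod-to-role mapping, the pod identity string and the credential values are constructed placeholders, and `fetch_credentials` is a hypothetical hook where a real sidecar would obtain short-lived credentials from the provider.

```python
import json
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"

# Constructed mapping: which role a pod (namespace/service-account) is allowed to receive.
ROLE_BY_POD = {"payments/api": "payments-reader", "ingest/worker": "ingest-writer"}


def fetch_credentials(role: str) -> dict:
    """Hypothetical credential source; placeholder values stand in for a real STS call."""
    exp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(time.time() + 3600))
    return {"Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIA-PLACEHOLDER",
            "SecretAccessKey": "PLACEHOLDER", "Token": "PLACEHOLDER", "Expiration": exp}


@dataclass
class ImdsEmulator:
    pod: str                                  # caller identity learned from the platform, not from the request
    tokens: dict = field(default_factory=dict)  # session token -> expiry (epoch seconds)

    def handle(self, method: str, path: str, headers: dict):
        """Return (status, body) for one IMDS request coming from this sidecar's pod."""
        headers = {k.lower(): v for k, v in headers.items()}
        if method == "PUT" and path == "/latest/api/token":
            ttl = int(headers.get(TOKEN_TTL_HEADER.lower(), "0"))
            if not 1 <= ttl <= 21600:          # IMDSv2 allows TTLs of 1 s to 6 h
                return 400, "bad ttl"
            tok = secrets.token_urlsafe(32)
            self.tokens[tok] = time.time() + ttl
            return 200, tok
        # IMDSv2 semantics: every metadata read must carry an unexpired session token.
        tok = headers.get(TOKEN_HEADER.lower())
        if tok not in self.tokens or self.tokens[tok] < time.time():
            return 401, "missing or expired token"
        role = ROLE_BY_POD.get(self.pod)
        if role is None:
            return 404, "no role mapped for pod"
        if path == "/latest/meta-data/iam/security-credentials/":
            return 200, role                   # SDKs first ask which role name to fetch
        if path == f"/latest/meta-data/iam/security-credentials/{role}":
            return 200, json.dumps(fetch_credentials(role))
        return 404, "not found"                # any other role name, or unknown path
```

Because the role is chosen from the pod identity the platform injected rather than from anything the caller sends, a pod cannot request a role it was not mapped to, and the SDK's default credential chain needs no provider-specific configuration.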

We’ll talk about how baking identity- and security-focused automation into our runtime platforms allowed us to produce a system that was good for user experience, operator efficiency, and security efficacy. Then, we will demo a system that utilizes these techniques to show the audience how they can use similar concepts to build their own secure, zero-configuration multi-cloud environment.

Ian Ferguson is a Staff Engineer at Datadog, where he works in the infrastructure group that builds and operates Datadog’s cloud and Kubernetes platforms.