Core Concepts & Developer Workflow
This page describes the core concepts and workflow that developers should know to understand and consume the AWS S3 service provided by Klutch.
Core Concepts
ObjectStorageInstance (OSI)
An ObjectStorageInstance (OSI) is a resource that represents the underlying AWS S3 bucket. These instances are provisioned through Klutch using a minimal Kubernetes manifest requested by the developer.
ObjectStorageBinding (OSB)
An ObjectStorageBinding (OSB) is a resource that provisions access credentials for a specific OSI. It exposes these credentials via a Kubernetes Secret, which the application consumes to authenticate and connect to the bucket.
What happens when a developer creates a binding:
- Klutch provisions the necessary AWS resources to grant access to the requested bucket, following the principle of least privilege.
- The access level can be specified globally or fine-tuned for specific prefixes (folders) using scopedAccess.
- Credentials and bucket connection details are stored in the Kubernetes Secret specified in writeConnectionSecretToRef.
- Applications can consume the Secret (via env).
Developer Workflow
- Request an S3 Bucket
  Apply an ObjectStorageInstance manifest, specifying the required fields (service, plan, region) and any optional parameters like tags or encryption.
- Create an ObjectStorageBinding
  Create an ObjectStorageBinding that references the ObjectStorageInstance. Klutch will provision the necessary AWS resources for the binding and store access credentials and connection information in a Kubernetes Secret.
- Consume the Secret in your app
  Reference the binding secret in your Deployment (for example with envFrom). Your application uses these values to connect to the S3 bucket.
- Cleanup
  Delete the binding and the instance when the bucket is no longer needed.
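The "Consume the Secret in your app" step as a Deployment fragment. This is an added example, not taken from the Klutch documentation: my-app, my-namespace, my-bucket-binding-creds and the image are placeholders, and the Secret name must be whatever the binding sets in writeConnectionSecretToRef.

```yaml
# Added example: all names below are placeholders, not values from the Klutch docs.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app                      # placeholder
  namespace: my-namespace           # a pod can only reference Secrets in its own namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: app
          image: registry.example.com/my-app:1.0.0   # placeholder image
          envFrom:
            # Every key in the binding Secret becomes an environment variable of the same name.
            - secretRef:
                # Placeholder: use the name given in the binding's writeConnectionSecretToRef.
                name: my-bucket-binding-creds
                # "optional" defaults to false, so the container does not start
                # if the Secret is missing (for example, the binding was deleted).
```

Environment variables are read when the container starts, so pods have to be restarted to pick up the credentials of a re-created binding.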
Expected results
- An AWS S3 bucket is provisioned by Klutch.
- A k8s Secret is created containing the connection details for using the bucket, including the IAM user's credentials and the bucket name.