Now that cloud providers are providing mechanisms to connect cloud security models with Kubernetes service accounts, such as AWS IRSA and Google Workload Identity, what do you think of adding RBAC and service accounts to Dgraph deployments? Like a more restrictive lockdown for ratel to wall it off, and the principle of least privilege for alpha/zero?
This can be useful to allow a KSA associated with dgraph alpha to have access to, for example, an S3 or GCS bucket for backups through Minio, so it can have direct read/write auth without hard-coding secrets in env vars.
- AWS IRSA Articles (KSA↔IAM Role)
- Google Workload Identity (KSA↔GSA)
- Azure (KSA↔AAD)
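
Added example, not part of the original post and not taken from Dgraph's own manifests: a sketch of the two service accounts the post proposes, one for alpha bound to a cloud role for backup access and one for ratel with no credentials at all. The resource names, namespace, role ARN and GSA address are hypothetical placeholders, and the sketch assumes ratel never needs to call the Kubernetes API.

```yaml
# Constructed example. All names, the namespace, the ARN and the GSA address
# are placeholders; substitute the values from your own cluster and cloud account.
---
# Service account for Dgraph alpha pods. The annotation ties it to a cloud
# identity that is granted read/write on the backup bucket only, so no static
# access keys need to be placed in env vars.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dgraph-alpha            # hypothetical name
  namespace: dgraph             # hypothetical namespace
  annotations:
    # AWS IRSA (KSA <-> IAM role):
    eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<BACKUP_ROLE_NAME>
    # Google Workload Identity (KSA <-> GSA) uses this annotation instead:
    # iam.gke.io/gcp-service-account: <GSA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com
---
# Service account for ratel. It carries no cloud-identity annotation, and
# (under the stated assumption that ratel makes no Kubernetes API calls) the
# API token is not mounted, so a compromised ratel pod holds neither cluster
# nor cloud credentials.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dgraph-ratel            # hypothetical name
  namespace: dgraph
automountServiceAccountToken: false
# Each workload selects its account through spec.template.spec.serviceAccountName
# in its StatefulSet or Deployment. No Role or RoleBinding is created for either
# account, so neither gains Kubernetes RBAC permissions beyond the cluster defaults.
```

On the cloud side the role's trust policy should be scoped to this one namespace and service account name, so that other pods in the cluster cannot assume the backup role.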