Description
Problem
Being able to run IntegrationSinks with a specific Service Account would facilitate RBAC or platform-specific authorization logic such as IAM roles for service accounts or pod identity associations.
Event consumer
Exit Criteria
Assuming default credential support is added:
- Configure the IntegrationSink to run with a specific Service Account
- Configure an IAM role or pod identity for that Service Account.
- SNS or SQS sinks use this role via default credentials, i.e. without any explicit key management.
Time Estimate (optional):
I believe it should be a matter of adding a serviceAccountName field somewhere on the IntegrationSink spec, and plumbing that into PodSpec of the underlying Deployment. Maybe 1 or 2 days.
However, I don't know how this affects the other (e.g. OIDC-related) service account logic in IntegrationSink; the estimate may not be taking everything into account.
Additional context (optional)
This feature would be particularly beneficial if the AWS IntegrationSinks supported default credential providers, which is filed as a separate feature request.