You are viewing documentation for Flux version: 2.0

Version 2.0 of the documentation is no longer actively maintained. The site that you are currently viewing is an archived snapshot. For up-to-date documentation, see the latest version.

Contextual Authorization

Contextual Authorization for securing Flux deployments.


Most cloud providers support context-based authorization, enabling applications to benefit from strong access controls applied to a given context (e.g. Virtual Machine), without the need of managing authentication tokens and credentials.

For example, by granting a given Virtual Machine (or principal that such machine operates under) access to AWS S3, applications running inside that machine can request a token on-demand, which would grant them access to the AWS S3 buckets without having to store long lived credentials anywhere.

By leveraging such capability, Flux users can focus on the big picture, which is access controls enforcement with a least-privileged approach, whilst not having to do deal with security hygiene topics such as encrypting authentication secrets, and ensure they are being rotated regularly. All that is taken care of automatically by the cloud providers, as the tokens provided are context- and time-bound.

Current Support

Below is a list of Flux features that support this functionality and their documentation:

SupportedSource ControllerBucket Repository AuthenticationAWSGuide
SupportedSource ControllerBucket Repository AuthenticationAzureGuide
SupportedSource ControllerBucket Repository AuthenticationGCPGuide
SupportedSource ControllerOCI Repository AuthenticationAWSGuide
SupportedSource ControllerOCI Repository AuthenticationAzureGuide
SupportedSource ControllerOCI Repository AuthenticationGCPGuide
SupportedSource ControllerHelm Repository AuthenticationAWSGuide
SupportedSource ControllerHelm Repository AuthenticationAzureGuide
SupportedSource ControllerHelm Repository AuthenticationGCPGuide
SupportedImage Reflector ControllerContainer Registry AuthenticationAWSGuide
SupportedImage Reflector ControllerContainer Registry AuthenticationAzureGuide
SupportedImage Reflector ControllerContainer Registry AuthenticationGCPGuide
SupportedKustomize ControllerSOPS Integration with Cloud KMSAWSGuide
SupportedKustomize ControllerSOPS Integration with Cloud KMSAzureGuide
SupportedKustomize ControllerSOPS Integration with Cloud KMSGCPGuide


Support for context-based authorization should only increase over time.

For more information, please visit the tracking issue: