Each cloud provider uses a credentials root secret in the kube-system
namespace by convention, which is then used to satisfy all credentials requests
and create their respective secrets.
This is done either by minting new credentials with mint mode, or by copying the credentials root secret with passthrough mode.
The format for the secret varies by cloud, and is also used for each
CredentialsRequest secret.
Amazon Web Services (AWS) secret format
apiVersion: v1
kind: Secret
metadata:
namespace: kube-system
name: aws-creds
stringData:
aws_access_key_id: <base64-encoded_access_key_id>
aws_secret_access_key: <base64-encoded_secret_access_key>Google Cloud Platform (GCP) secret format
apiVersion: v1
kind: Secret
metadata:
namespace: kube-system
name: gcp-credentials
stringData:
service_account.json: <base64-encoded_service_account>