Author: Farooq Ashraf

Tenant data isolation is a core SaaS concept, verifying that tenant resources remain in isolated environments. There are a number of ways to achieve this isolation, and one common approach is to use a token vending machine that issues tenant-scoped credentials at runtime. Explore an alternate approach to vending tokens that uses Amazon EKS and open-source HashiCorp Vault, simplifying access to the credentials and streamlining the overall management of tenant-scoped policies.

Many SaaS providers are leveraging Amazon EKS to build their solutions on AWS, as EKS provides builders with a range of different constructs that can be used to implement multi-tenant strategies. In this post, explore an architecture based on EKS that demonstrates a siloed SaaS deployment model, using Istio Service Mesh to manage request authentication and per-tenant routing. Istio is an open-source service mesh that many SaaS providers use for deploying their multi-tenant applications.