Skip to content

Managed Public Cloud

This is a guide on how to deploy Immuta on Kubernetes in the following managed public cloud providers:

  • Amazon Web Services (AWS)
  • Microsoft Azure
  • Google Cloud Platform (GCP)


The following cloud-managed services must be provisioned before proceeding:



  1. The PostgreSQL instance's hostname/FQDN is resolvable from within the Kubernetes cluster.
  2. The PostgreSQL instance is accepting connections.


  1. The Elasticsearch instance's hostname/FQDN is resolvable from within the Kubernetes cluster.
  2. The Elasticsearch instance is accepting connections.

Pull the Immuta Enterprise Helm chart

  1. Navigate to the Immuta releases page to obtain the Kubernetes Helm Installation Credentials to authenticate with Immuta's Helm registry.
  2. Copy the snippet below and replace the placeholder text with the credentials you obtained in the previous step to add the Helm repository:

    echo <token> | helm repo add --username <username> --password-stdin immuta

    --pass-credentials flag

    If you encounter an unauthorized error when adding the Immuta Enterprise Helm chart (IEHC), run helm repo add --pass-credentials.

    Usernames and passwords are only passed to the URL location of the Helm repository by default. The username and password are scoped to the scheme, host, and port of the Helm repository. To pass the username and password to other domains Helm may encounter when it goes to retrieve a chart, the new --pass-credentials flag can be used. This flag restores the old behavior for a single repository as an opt-in behavior.

    If you use a username and password for a Helm repository, you can audit the Helm repository in order to check for another domain that could have received the credentials. In the index.yaml file for that repository, look for another domain in the URL's list for the chart versions. If there is another domain found and that chart version is pulled or installed, the credentials will be passed on.

  3. Run the commands below to pull the latest Immuta Enterprise Helm chart or a specific version of the Immuta Enterprise Helm chart:

    • Latest chart:

      helm pull immuta/immuta-enterprise
    • Specific version:

      helm pull immuta/immuta-enterprise --version 2024.2.1


  1. Create a Kubernetes namespace named immuta for Immuta.

    kubectl create namespace immuta
  2. Switch to namespace immuta.

    kubectl config set-context --current --namespace=immuta
  3. Create a container registry pull secret.

    Registry credentials

    Navigate to to obtain credentials used to authenticate with Immuta's container registry.

    kubectl create secret docker-registry immuta-registry \
        --docker-server= \
        --docker-username="<username>" \
        --docker-password="<token>" \


  1. Connect to the database as superuser (postgres) by creating an ephemeral container inside the Kubernetes cluster.

    Connecting to the database

    There are numerous ways to connect to a PostgreSQL database. This step demonstrates how to connect by creating an ephemeral Kubernetes pod.

    Interactive shell

    A shell prompt will not be displayed after executing the kubectl run command outlined below. Wait 5 seconds, and then proceed by entering a password.

    kubectl run pgclient \
        --stdin \
        --tty \
        --rm \
        --image -- \
        psql --host <postgres-fqdn> --username postgres --port 5432 --password
  2. Create an immuta role and database.

    CREATE ROLE immuta with login encrypted password '<postgres-password>';
    CREATE DATABASE immuta OWNER immuta;
    GRANT all ON DATABASE immuta TO immuta;
    ALTER ROLE immuta SET search_path TO bometadata,public;
  3. Revoke privileges from CURRENT_USER as they're no longer required.

  4. Enable the pgcrypto extension.

    \c immuta
    CREATE EXTENSION pgcrypto;
  5. Type \q, and then press Enter to exit.

Install Immuta

This section demonstrates how to deploy Immuta using the Immuta Enterprise Helm chart once the prerequisite cloud-managed services are configured.

  1. Create a Helm values file named immuta-values.yaml with the following content:

        - name: immuta-registry
        databaseConnectionString: postgres://immuta:<postgres-password>@<postgres-fqdn>:5432/immuta?schema=audit
        elasticsearchEndpoint: <elasticsearch-endpoint>
        elasticsearchUsername: <elasticsearch-username>
        elasticsearchPassword: <elasticsearch-password>
        enabled: false
        - name: FeatureFlag_AuditService
          value: "true"
        - name: FeatureFlag_detect
          value: "true"
        - name: FeatureFlag_auditLegacyViewHide
          value: "true"
        tls: false
        host: <postgres-fqdn>
        port: 5432
        database: immuta
        username: immuta
        password: <postgres-password>
        ssl: true
  2. Update all placeholder values in the immuta-values.yaml file.

  3. Deploy Immuta.

    helm install immuta immuta/immuta-enterprise \
        --values immuta-values.yaml


  1. Wait for all pods in the namespace to become ready.

    kubectl wait --for=condition=Ready pods --all
  2. Determine the name of the Secure service.

    kubectl get service --selector "" --output template='{{ }}'
  3. Listen on local port 8080, forwarding TCP traffic to the Secure service's port named http.

    kubectl port-forward service/<name> 8080:http

Next steps