Skip to content

Commit

Permalink
docs: enable AWS STS (#5101) (#5128)
Browse files Browse the repository at this point in the history
* docs: create partial

* docs: fix gitleak

* docs: DOC-1528 (#5084)

* docs: slack notification for release to production (gh-action) (#5083)

* docs: slack notif draft for release gh-action

* docs: amend slack notif description

* docs: add slack notification for all jobs in release

* docs: try ubuntu as runs-on

* docs: set runs-on tags back

* docs: fix URL formatting for slack notif

* docs: remove test failure step

* docs: add current step failure logic

* docs: fix indentation

* docs: add some step failures

* docs: remove force failure

* Apply suggestions from code review

Co-authored-by: Karl Cardenas <[email protected]>

---------

Co-authored-by: Karl Cardenas <[email protected]>

* docs: add backlinks

* docs: copy edits

* docs: copy edit

* Apply suggestions from code review

Co-authored-by: Adelina Simion <[email protected]>

* ci: auto-formatting prettier issues

* docs: DOC-1518: Getting Started cleanup (#5042)

* Initial Getting Started cleanup

* Updates to Deploy Cluster Profile page

* Minor parallel fix and package.json output update for deploy custom add-on pack tutorial

* Updates to scale cluster section

* Copying certain AWS changes over to other provider tutorials

* Updated filter image for Azure clusters

* ci: auto-formatting prettier issues

* Optimised images with calibre/image-actions

* Fixed ableism with see

* ci: auto-formatting prettier issues

---------

Co-authored-by: achuribooks <[email protected]>
Co-authored-by: vault-token-factory-spectrocloud[bot] <133815545+vault-token-factory-spectrocloud[bot]@users.noreply.github.com>

* chore: upgrade docusaurus-theme-openapi-docs plugin (#5111)

* chore: upgrade docusaurus-theme-openapi-docs plugin

* docs: trigger visual tests

* docs: DOC-1529: Add PCP-3592 to release notes (#5103)

* Add PCP-3592 to release notes

* Minor correction

---------

Co-authored-by: Karl Cardenas <[email protected]>
Co-authored-by: Ben Radstone <[email protected]>
Co-authored-by: Adelina Simion <[email protected]>
Co-authored-by: lennessyy <[email protected]>
Co-authored-by: Amanda Churi Filanowski <[email protected]>
Co-authored-by: achuribooks <[email protected]>
Co-authored-by: vault-token-factory-spectrocloud[bot] <133815545+vault-token-factory-spectrocloud[bot]@users.noreply.github.com>
Co-authored-by: caroldelwing <[email protected]>
(cherry picked from commit 3ddd13a)

Co-authored-by: Lenny Chen <[email protected]>
  • Loading branch information
1 parent 2628bb6 commit 6218d41
Show file tree
Hide file tree
Showing 5 changed files with 154 additions and 24 deletions.
96 changes: 96 additions & 0 deletions _partials/self-hosted/_aws-sts-config.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
---
partial_category: self-hosted
partial_name: sts-config
---

{props.edition} allows tenants to use AWS Secret Token Service (STS) to add AWS cloud accounts to their {props.edition} environment.
In order to do this, {props.edition} relies on another AWS cloud account that is configured on the {props.edition} instance
to assume a custom role created on the tenant's AWS account.

This custom role establishes a trust relationship between the tenant's AWS account and the AWS account bound to the {props.edition} instance.
It allows the {props.edition}-bound AWS account to receive temporary credentials from the tenant's AWS account to deploy infrastructure in AWS using STS. For more information on how to add an AWS cloud account to a tenant using STS, refer to the <VersionedLink text="Add an AWS Account to Palette" url="/clusters/public-cloud/aws/add-aws-accounts/" /> guide.

You must configure your {props.edition} instance with an STS AWS account before your tenants can add AWS cloud accounts
to deploy clusters in AWS using STS. Without this configuration, the STS option will be greyed out when your tenants try to add an AWS account.

## Prerequisites

- Access to the {props.edition} system console.

- The role of Root Administrator or Account Administrator.

- An AWS IAM user that is allowed to assume cross-account IAM roles.

## Enable Adding AWS Accounts Using STS

1. Open a terminal session.

2. Log in to the {props.edition} System API by using the `/v1/auth/syslogin` endpoint.
Use the curl command below and replace the `example.com` placeholder URL with the URL of your {props.edition} instance.
Ensure you replace the credentials below with your system console credentials.

```shell
TOKEN=$(curl --insecure --location 'https://example.com/v1/auth/syslogin' \
--header 'Content-Type: application/json' \
--data '{
"password": "**********",
"username": "**********"
}')
```

3. Next, prepare a payload for the AWS account you want to configure.
Use the following JSON payload as a template and replace the `accessKey`, `secretKey`, and `accountId` fields with the AWS access key, secret key, and account ID of your AWS account.

```json
CONFIG_JSON=$(cat <<EOF
{
"accessKey": "**********",
"secretKey": "**********",
"accountId": "123456789"
}
EOF
)
```

This avoids exposing sensitive information in the command line.

2. Issue the following command to invoke the {props.edition} API to configure the AWS account to your instance.

<Tabs>

<TabItem value="AWS">

```bash
curl --request POST \
--url https://<palette-api-url>/v1/system/config/aws/account \
--header 'Authorization: $TOKEN' \
--data '$CONFIG_JSON'
```

</TabItem>

<TabItem value="AWS GOV">

```bash
curl --request POST \
--url https://<palette-api-url>/v1/system/config/awsgov/sts/account \
--header 'Authorization: $TOKEN' \
--data '$CONFIG_JSON'
```

</TabItem>

</Tabs>


## Validate

Issue the following command to make an API call that confirms that the credentials were configured successfully.

```bash
curl --request POST \
--url https://<palette-api-url>/v1/system/config/aws/account \
--header 'Authorization: $TOKEN'
```

If you receive a response that contains the payload you configured, the configuration was successful.
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,6 @@ To support dynamic credentials with AWS, Palette uses the AWS Security Token Ser
can use AWS STS when adding an S3 bucket as the backup location. The following sections outline the prerequisites and
provide detailed steps to add an S3 bucket as the backup location using the STS authentication method.

<br />

:::warning

Palette supports AWS STS only when your Palette’s hosting environment and the backup location service provider are the
Expand All @@ -46,6 +44,11 @@ cloud account.

### Prerequisites

- If you are using a self-hosted Palette or Vertex instance, you must configure an AWS account at the instance-level to
allow tenants to add AWS accounts using STS. For more information, refer to
[Enable Adding AWS Accounts Using STS - Palette](../../../enterprise-version/system-management/configure-aws-sts-account.md)
or [Enable Adding AWS Accounts Using STS - VerteX](../../../vertex/system-management/configure-aws-sts-account.md)

- Both your Palette environment instance and the S3 bucket are hosted on AWS. This prerequisite is more applicable to
self-hosted Palette and Palette VerteX customers. Palette SaaS in hosted in an AWS environment.

Expand Down Expand Up @@ -114,8 +117,6 @@ cloud account.

:::

<br />

### Instructions

1. Log in to [Palette](https://console.spectrocloud.com/).
Expand Down Expand Up @@ -194,8 +195,6 @@ AWS STS to authenticate Palette with the S3 bucket in the same AWS account you d
4. Search for the newly added backup location in the list. The presence of the backup location validates that you
successfully added a new backup location.

<br />

## Multiple Cloud Accounts with AWS STS

Suppose your Kubernetes cluster is deployed in _AWS Account A_, and you want to create the backup in _AWS Account B_,
Expand All @@ -220,10 +219,13 @@ A multi-cloud account scenario requires you to perform the following authenticat
Use the following steps to add an S3 bucket as the backup location using the STS authentication method when you have
multiple cloud accounts.

<br />

### Prerequisites

- If you are using a self-hosted Palette or Vertex instance, you must configure an AWS account at the instance-level to
allow tenants to add AWS accounts using STS. For more information, refer to
[Enable Adding AWS Accounts Using STS - Palette](../../../enterprise-version/system-management/configure-aws-sts-account.md)
or [Enable Adding AWS Accounts Using STS - VerteX](../../../vertex/system-management/configure-aws-sts-account.md)

- Both your Palette environment instance and the S3 bucket are hosted on AWS. This prerequisite is more applicable to
self-hosted Palette and Palette VerteX customers. Palette SaaS is hosted in an AWS environment.

Expand Down
40 changes: 24 additions & 16 deletions docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,10 @@ Use the steps below to add an AWS cloud account using Security Token Service (ST

#### Prerequisites

- If you are using a self-hosted instance of Palette or VerteX, you must configure an AWS account at the instance-level
to allow tenants to add AWS accounts using STS. For more information, refer to
[Enable Adding AWS Accounts Using STS - Palette](../../../enterprise-version/system-management/configure-aws-sts-account.md)
or [Enable Adding AWS Accounts Using STS - VerteX](../../../vertex/system-management/configure-aws-sts-account.md)
- An AWS account.
- Sufficient access to create an IAM role or IAM user.
- Palette IAM policies. Review the [Required IAM Policies](required-iam-policies.md) section for guidance.
Expand All @@ -70,14 +74,14 @@ Use the steps below to add an AWS cloud account using Security Token Service (ST
5. You will be provided with information on the right side of the wizard. You will need this information to create an
IAM Role for Palette. The following table lists the information provided by the wizard after you select **STS**.

| **Parameter** | **Description** |
| ----------------------- | ------------------------------------------------ |
| **Trusted Entity Type** | Another AWS account |
| **Account ID** | Copy the Account ID displayed on the UI |
| **Require External ID** | Enable |
| **External ID** | Copy the External ID displayed on the UI |
| **Permissions Policy** | Search and select the 4 policies added in step 2 |
| **Role Name** | SpectroCloudRole |
| **Parameter** | **Description** |
| ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Trusted Entity Type** | Another AWS account. |
| **Account ID** | Copy the Account ID displayed on the UI. If using a self-hosted instance, this is the same AWS account that you configured for your Palette or VerteX instance to enable STS. |
| **Require External ID** | Enable. |
| **External ID** | Copy the External ID displayed on the UI. This ID is generated by Palette or VerteX and is different per tenant. |
| **Permissions Policy** | Search and select the 4 policies added in step 2. |
| **Role Name** | SpectroCloudRole. |

6. In the AWS console, create a new IAM role for Palette. Use the following resources if you need additional help.

Expand Down Expand Up @@ -161,6 +165,10 @@ Use the steps below to add an AWS cloud account using STS credentials.

#### Prerequisites

- If you are using a self-hosted instance of Palette or VerteX, you must configure an AWS account at the instance-level
to allow tenants to add AWS accounts using STS. For more information, refer to
[Enable Adding AWS Accounts Using STS - Palette](../../../enterprise-version/system-management/configure-aws-sts-account.md)
or [Enable Adding AWS Accounts Using STS - VerteX](../../../vertex/system-management/configure-aws-sts-account.md)
- An AWS account
- Sufficient access to create an IAM role or IAM user.
- Palette IAM policies. Please review the [Required IAM Policies](required-iam-policies.md) section for guidance.
Expand All @@ -182,14 +190,14 @@ Use the steps below to add an AWS cloud account using STS credentials.
5. You will be provided with information on the right side of the wizard. You will need this information to create an
IAM Role for Palette. The following table lists the information provided by the wizard after you select **STS**.

| **Parameter** | **Description** |
| ----------------------- | ------------------------------------------------- |
| **Trusted Entity Type** | Another AWS account |
| **Account ID** | Copy the Account ID displayed on the UI |
| **Require External ID** | Enable |
| **External ID** | Copy the External ID displayed on the UI |
| **Permissions Policy** | Search and select the 4 policies added in step #2 |
| **Role Name** | SpectroCloudRole |
| **Parameter** | **Description** |
| ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Trusted Entity Type** | Another AWS account. |
| **Account ID** | Copy the Account ID displayed on the UI. If using a self-hosted instance, this is the same AWS account that you configured for your Palette or VerteX instance to enable STS. |
| **Require External ID** | Enable. |
| **External ID** | Copy the External ID displayed on the UI. This ID is generated by Palette or VerteX and is different per tenant. |
| **Permissions Policy** | Search and select the 4 policies added in step #2. |
| **Role Name** | SpectroCloudRole. |

6. In the AWS console, create a new IAM role for Palette. Use the following resources if you need additional help.

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
---
sidebar_label: "Enable Adding AWS Accounts Using STS "
title: "Enable Adding AWS Accounts Using STS "
description: "This page teaches you how to allow tenants to add AWS accounts using STS."
icon: ""
hide_table_of_contents: false
sidebar_position: 20
tags: ["palette", "management", "account", "credentials"]
keywords: ["self-hosted", "palette"]
---

<PartialsComponent category="self-hosted" name="sts-config" edition="Palette" />
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
---
sidebar_label: "Enable Adding AWS Accounts Using STS"
title: "Enable Adding AWS Accounts Using STS "
description: "This page teaches you how to allow tenants to add AWS accounts using STS."
icon: ""
hide_table_of_contents: false
sidebar_position: 20
tags: ["palette", "management", "account", "credentials"]
keywords: ["self-hosted", "vertex"]
---

<PartialsComponent category="self-hosted" name="sts-config" edition="VerteX" />

0 comments on commit 6218d41

Please sign in to comment.