- StreamNative Managed Cloud
- BYOC
BYOC - AWS Account Access
With BYOC, you can grant access to your cloud accounts to allow StreamNative's automated systems to provison and manage clusters in your AWS account.
This document outlines the process for granting this access to StreamNative Cloud for AWS accounts.
Access model in AWS
StreamNative's Cloud service is designed to use AWS's advanced IAM features to minimize access, allowing StreamNative to manage only the required resources. StreamNative's service also implements AWS best practices to ensure proper security. To achieve this, StreamNative separates access to the customer account into two different IAM roles:
- Bootstrap/Provisioning role - This role is used to provision and maintain the underlying infrastructure, such as VPCs, EKS clusters (and associated node groups, etc), and IAM resources. It is also used by the StreamNative SRE team for troubleshooting during incidents.
- Management role - This role is not only used for automated management tasks and has minimal permissions to AWS infrastructure (primarily read-only) but is also used for interacting with the EKS cluster for deploying and maintaining clusters. Both roles have the same permission policy, which allows StreamNative's cloud-manager role the ability to assume these roles in the customer's account.
These roles have custom IAM policies maintained by StreamNative and use the following AWS features to secure and limit access:
- An external-ID is used when assuming the customer role. See AWS's documentation on using third-party access.
- A permission boundary is used to limit the permissions of dynamically created roles. See AWS's documentation for more details.
- Policies are limited only to the required AWS services, actions, and resources within those services wherever possible.
- Tag-based access, through the
Vendor: StreamNative
tag, is used where applicable to enforce resources that are created with these tags and access is limited to only resources with the tag. See AWS docs on tag-based access control - All IAM policies are statically created by the customer (via automation) to limit access.
Customers provision these roles and policies using StreamNative-provided automation. Currently, this automation is in the form of a Terraform module. The following diagram illustrates AWS access.
Provisioning AWS Access
StreamNative provides all the policies and roles via a Terraform
For full documentation of inputs and outputs of the Terraform module, see the module README on GitHub.
Prerequisites
- New to Terraform? Learn the Terraform AWS Getting Started Tutorial to get a basic introduction.
- Install Terraform, version 1.3.0 or greater.
- Ensure you have created an organization via the StreamNative Cloud Console.
- If you want to use a custom domain, you need your route53 zone ID.
If you run into issues, please contact StreamNative Support team.
Step 1: Create a new project and instantiate the module
Terraform works by having Terraform codes (in the form of *.tf
files) and state files that represent the current resources. If you are using Terraform locally, without a remote state store, these files should be checked into source control for future updates. Create a new folder and add a file called main.tf
with the following content, replacing the variables referenced.
provider "aws" {
region = <YOUR_REGION>
}
module "sn_managed_cloud" {
source = "github.com/streamnative/terraform-managed-cloud//modules/aws?ref=v3.0.0"
external_id = "<YOUR_SNCLOUD_ORG_ID>"
hosted_zone_allowed_ids = [ "<YOUR_R3_HOSTED_ZONE_IDs | *>" ]
region = "*"
}
<YOUR_REGION>
- Replace the region you want to connect to. This is required by Terraform. However, because this is only to create IAM resources, the specific region is not important.<YOUR_SNCLOUD_ORG_ID>
- Replace with the ID from your SN Cloud organization. This is typically an ID likeo-xxxxx
. This can be found in your organization list or the top header of the application.<YOUR_R3_HOSTED_ZONE_IDs>
- Replace with the zone ID for your custom domain or*
if using StreamNative managed DNS (NOTE: this can later be replaced with the StreamNative managed domain).- The
region
argument can be set to specific AWS regions if you would like to limit what regions StreamNative can deploy clusters to. In most cases, it is recommended to leave this as a wildcard.
If you are using git as source control, you might need to use the git init
command to initialize this folder as a git project.
Step 2: Initialize the Terraform
While the above Terraform code is all needed, the module needs to be downloaded to this Terraform project.
To do so, run terraform init
.
This will download the module and required dependencies.
Step 3: Create a shell with the correct AWS credentials
Terraform requires AWS credentials with the proper permissions in the target account to create the resources to grant access. The permissions required by the module are all AWS IAM permissions, specifically to managed roles, policies, and attachments. The AWS Managed Access policies of IAMFullAccess
are sufficient to perform these operations.
All of the Terraform AWS credentials mechanisms are compatible with the Terraform module.
If you are new to Terraform and AWS, the following steps will provide credentials in your shell:
- Follow the steps to create an access key and secret for your user.
- Set the
AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
, andAWS_REGION
environment variables from the generated credentials.
Step 4: Run the Terraform
After initialization, and with credentials in the shell, the next step is to run the Terraform with terraform apply
.
This will create a Terraform plan which shows all the resources to be created. To see an example plan, see the example plan in the GitHub readme.
Step 5: Provide the account ID to StreamNative
Once completed, provide the account ID to your CSM or support representative.