BYOC - AWS Account Access

With BYOC, you can grant access to your cloud accounts to allow StreamNative's automated systems to provison and manage clusters in your AWS account.

This document outlines the process for granting this access to StreamNative Cloud for AWS accounts.

Access model in AWS

StreamNative's Cloud service is designed to use AWS's advanced IAM features to minimize access, allowing StreamNative to manage only the required resources. StreamNative's service also implements AWS best practices to ensure proper security. To achieve this, StreamNative separates access to the customer account into two different IAM roles:

Bootstrap/Provisioning role - This role is used to provision and maintain the underlying infrastructure, such as VPCs, EKS clusters (and associated node groups, etc), and IAM resources. It is also used by the StreamNative SRE team for troubleshooting during incidents.
Management role - This role is not only used for automated management tasks and has minimal permissions to AWS infrastructure (primarily read-only) but is also used for interacting with the EKS cluster for deploying and maintaining clusters. Both roles have the same permission policy, which allows StreamNative's cloud-manager role the ability to assume these roles in the customer's account.

These roles have custom IAM policies maintained by StreamNative and use the following AWS features to secure and limit access:

An external-ID is used when assuming the customer role. See AWS's documentation on using third-party access.
A permission boundary is used to limit the permissions of dynamically created roles. See AWS's documentation for more details.
Policies are limited only to the required AWS services, actions, and resources within those services wherever possible.
Tag-based access, through the Vendor: StreamNative tag, is used where applicable to enforce resources that are created with these tags and access is limited to only resources with the tag. See AWS docs on tag-based access control
All IAM policies are statically created by the customer (via automation) to limit access.

Customers provision these roles and policies using StreamNative-provided automation. Currently, this automation is in the form of a Terraform module. The following diagram illustrates AWS access.

image of BYOC AWS Access

Provisioning AWS Access

StreamNative provides all the policies and roles via a Terraform

. This module can be provisioned in a standalone Terraform project (as documented here), but can also be integrated into existing Terraform projects.

For full documentation of inputs and outputs of the Terraform module, see the module README on GitHub.

Prerequisites

New to Terraform? Learn the Terraform AWS Getting Started Tutorial to get a basic introduction.
Install Terraform, version 1.3.0 or greater.
Ensure you have created an organization via the StreamNative Cloud Console.
If you want to use a custom domain, you need your route53 zone ID.

If you run into issues, please contact StreamNative Support team.

Step 1: Create a new project and instantiate the module

Terraform works by having Terraform codes (in the form of *.tf files) and state files that represent the current resources. If you are using Terraform locally, without a remote state store, these files should be checked into source control for future updates. Create a new folder and add a file called main.tf with the following content, replacing the variables referenced.

provider "aws" {
  region = <YOUR_REGION>
}

module "sn_managed_cloud" {
  source = "github.com/streamnative/terraform-managed-cloud//modules/aws?ref=v3.0.0"

  external_id             = "<YOUR_SNCLOUD_ORG_ID>"
  hosted_zone_allowed_ids = [ "<YOUR_R3_HOSTED_ZONE_IDs | *>" ]
  region                  = "*"

}

<YOUR_REGION> - Replace the region you want to connect to. This is required by Terraform. However, because this is only to create IAM resources, the specific region is not important.
<YOUR_SNCLOUD_ORG_ID> - Replace with the ID from your SN Cloud organization. This is typically an ID like o-xxxxx. This can be found in your organization list or the top header of the application.
<YOUR_R3_HOSTED_ZONE_IDs> - Replace with the zone ID for your custom domain or * if using StreamNative managed DNS (NOTE: this can later be replaced with the StreamNative managed domain).
The region argument can be set to specific AWS regions if you would like to limit what regions StreamNative can deploy clusters to. In most cases, it is recommended to leave this as a wildcard.

If you are using git as source control, you might need to use the git init command to initialize this folder as a git project.

Step 2: Initialize the Terraform

While the above Terraform code is all needed, the module needs to be downloaded to this Terraform project.

To do so, run terraform init.

This will download the module and required dependencies.

Step 3: Create a shell with the correct AWS credentials

Terraform requires AWS credentials with the proper permissions in the target account to create the resources to grant access. The permissions required by the module are all AWS IAM permissions, specifically to managed roles, policies, and attachments. The AWS Managed Access policies of IAMFullAccess are sufficient to perform these operations.

All of the Terraform AWS credentials mechanisms are compatible with the Terraform module.

If you are new to Terraform and AWS, the following steps will provide credentials in your shell:

Follow the steps to create an access key and secret for your user.
Set the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_REGION environment variables from the generated credentials.

Step 4: Run the Terraform

After initialization, and with credentials in the shell, the next step is to run the Terraform with terraform apply.

This will create a Terraform plan which shows all the resources to be created. To see an example plan, see the example plan in the GitHub readme.

Step 5: Provide the account ID to StreamNative

Once completed, provide the account ID to your CSM or support representative.