- Manage StreamNative Clusters
- Manage BYOC Infrastructure
- Grant Vendor Access
- BYOC on Azure
Set up Account Access for BYOC on Azure
Note
This feature is currently in private preview. If you want to try it out or have any questions, submit a ticket to the support team.
Before you can provision a BYOC infrastructure pool, you will need to authorize the StreamNative Cloud control plane to access your cloud accounts. This enables StreamNative to provision and manage clusters within your Azure account.
This document outlines the procedure for granting this access to StreamNative Cloud for Azure accounts and subscriptions.
Access model in Azure
StreamNative Cloud leverages Azure's user-assigned managed identities to minimize access while managing only the required resources effectively. The service adheres to Azure best practices to ensure robust security. Access is divided into two specific user-assigned managed identities:
- Bootstrap/Provisioning identity: This identity handles provisioning and maintaining core infrastructure components like VPCs, AKS clusters (and associated node groups, and so on), IAM resources, and more. It is configured with a federated identity credential linked to StreamNative's cloud-manager GSA.
- Supporting identity: Used by the StreamNative SRE team for troubleshooting during incidents, this identity has minimal permissions limited to the Azure resource group (primarily read-only). It is also configured with a federated identity credential connected to StreamNative's cloud-support GSAs.
These identities utilize custom IAM policies that leverage several Azure features to enhance security and restrict access:
- A resource group is used to limit the scope of the managed identity to only the resources within the resource group.
- A resource group is used for the AKS and other resources for the BYOC cluster.
- An orgnazation specificed audience is used when exchange the GSA token to the customer identity. See Azure's documentation on Overview of federated identity credentials in Microsoft Entra ID.
- Different permissions are used for different identities to ensure that the least privilege principle is followed. The following permissions are used for the identities:
- Contributor role limited to scope of the AKS resource group for the Bootstrap/Provisioning identity.
- Azure Kubernetes Service Cluster Admin Role limited to scope of the AKS resource group for the Bootstrap/Provisioning identity.
- Role Based Access Control Administrator role limited to scope of the AKS resource group for the Bootstrap/Provisioning identity with conditional role assignment, which limited to the following Azure roles:
- Azure Kubernetes Service Cluster User Role limited to scope of the AKS resource group for the Supporting identity.
- All resource groups and IAM permissions are statically created by the customer (via automation) to limit access.
You can provision these resource groups and identities using StreamNative-provided automation. Currently, this automation is in the form of a Terraform module.
Provision Azure Access
StreamNative provides all the resource groups and identities via a
For full documentation of inputs and outputs of the Terraform module, see the module's README on GitHub.
Prerequisites
- New to Terraform? Learn the Terraform Azure Getting Started Tutorial to get a basic introduction.
- Install Terraform, version 1.3.0 or greater.
- Ensure you have created an organization through the StreamNative Cloud Console.
If you run into issues, please contact StreamNative Support team.
Step 1: Create a new project and instantiate the module
Terraform works by having Terraform codes (in the form of *.tf
files) and state files that represent the current resources. If you are using Terraform locally, without a remote state store, these files should be checked into source control for future updates. Create a new folder and add a file called main.tf
with the following content, replacing the referenced variables.
provider "azurerm" {
features {
}
}
provider "azuread" {}
module "azure-sn-cloud-manager" {
source = "github.com/streamnative/terraform-managed-cloud//modules/azure/sn-cloud-manager?ref=v3.11.1"
streamnative_cloud_env = "production"
resource_group_location = "<YOUR_DESIRED_AZURE_REGION>"
streamnative_org_id = "<YOUR_SNCLOUD_ORG_ID>"
}
module "azure-managed-cloud" {
source = "github.com/streamnative/terraform-managed-cloud//modules/azure/vendor-access?ref=v3.11.1"
resource_group_name = "<YOUR_AKS_CLUSTER_RESOURCE_GROUP_NAME>"
resource_group_location = module.azure-sn-cloud-manager.resource_group_location
streamnative_org_id = module.azure-sn-cloud-manager.streamnative_org_id
sn_automation_principal_id = module.azure-sn-cloud-manager.sn_automation_principal_id
sn_support_principal_id = module.azure-sn-cloud-manager.sn_support_principal_id
sn_automation_client_id = module.azure-sn-cloud-manager.sn_automation_client_id
sn_support_client_id = module.azure-sn-cloud-manager.sn_support_client_id
depends_on = [
module.azure-sn-cloud-manager
]
}
output "additional_roles" {
value = module.azure-managed-cloud.additional_roles
description = "The additional roles created by this module"
}
output "resource_group_name" {
value = module.azure-managed-cloud.resource_group_name
description = "The name of the resource group where the AKS cluster will be created"
}
output "streamnative_org_id" {
value = module.azure-managed-cloud.streamnative_org_id
description = "An external ID that corresponds to your Organization within StreamNative Cloud, used for all managed identities created by the module. This will be the organization ID in the StreamNative console, e.g. \"o-xhopj\"."
}
output "sn_support_principal_id" {
value = module.azure-managed-cloud.sn_support_principal_id
description = "The principal ID of the sn support service principal for StreamNative Cloud support access"
}
output "sn_automation_principal_id" {
value = module.azure-managed-cloud.sn_automation_principal_id
description = "The principal ID of the sn automation service principal for StreamNative Cloud automation"
}
output "sn_automation_client_id" {
value = module.azure-managed-cloud.sn_automation_client_id
description = "The client ID of the sn automation service principal for StreamNative Cloud automation"
}
output "sn_support_client_id" {
value = module.azure-managed-cloud.sn_support_client_id
description = "The client ID of the sn support service principal for StreamNative Cloud support access"
}
output "subscription_id" {
value = module.azure-managed-cloud.subscription_id
description = "The subscription ID of the AKS cluster"
}
output "tenant_id" {
value = module.azure-managed-cloud.tenant_id
description = "The tenant ID of the AKS cluster"
}
<YOUR_SNCLOUD_ORG_ID>
: your StreamNative Cloud organization ID. This is typically an ID likeo-xxxxx
. This can be found in your organization list or the top header of the application.<YOUR_DESIRED_AZURE_REGION>
: the Azure region where you want to create the resources. This should be a valid Azure region, such aseastus
orwestus2
.<YOUR_AKS_CLUSTER_RESOURCE_GROUP_NAME>
: the name of the resource group where the AKS cluster will be created. This should be a unique name within your Azure subscription.
If you are using git
as source control, you need to use the git init
command to initialize this folder as a git project.
Step 2: Initialize the Terraform
While the above Terraform code is all needed, the module needs to be downloaded to this Terraform project.
To do so, run terraform init
.
This will download the module and required dependencies.
Step 3: Create a shell with the correct Azure credentials
Terraform requires Azure credentials with the proper permissions in the target account to create the resources to grant access. The permissions required by the module are all Azure subscription permissions, specifically to manage the resource groups, manage the custom roles, and manage the user-assigned managed identities. The Azure built-in role of Contributor
to the Azure subscription are sufficient to perform these operations.
All of the methods in Authenticating to Azure are compatible with the Terraform module. The most common method is to use the az
CLI to log in and set the credentials in the shell. You can check the Azure CLI for detailed instructions.
Step 4: Run the Terraform
After initialization, and with credentials in the shell, the next step is to run the Terraform with terraform apply
.
This will create a Terraform plan which shows all the resources to be created. To see an example plan, see the example plan in the GitHub readme.
Step 5: Provide the output to StreamNative
Once completed, provide the output of the terraform apply
to your CSM or support representative.
Next steps
After granting access, you can set up a Cloud Connection to allow the StreamNative Cloud control plane to interact with your Azure account.