BYOC - Set up Azure Account Access

Note

This feature is currently in private preview. If you want to try it out or have any questions, submit a ticket to the support team.

With BYOC, you can grant access to your cloud accounts to allow StreamNative's automated systems to provison and manage clusters in your Azure subscription.

This document outlines the process for granting this access to StreamNative Cloud for Azure accounts and subscriptions.

Access model in Azure

StreamNative's Cloud service is designed to use Azure's user-assigned managed identities features to minimize access, allowing StreamNative to manage only the required resources. StreamNative's Cloud service also implements Azure best practices to ensure proper security. To achieve this, StreamNative separates access to the customer account into two different user-assigned managed identities:

Bootstrap/Provisioning identity - This identity is used to provision and maintain the underlying infrastructure, such as VPCs, AKS clusters (and associated node groups, and so on), and IAM resources. This identity is configed with federated identity credential to StreamNative's cloud-manager GSA.
Supporting identity - This identity is used for StreamNative SRE team for troubleshooting during incidents and has minimal permissions to Azure resource group (primarily read-only). This identity is configed with federated identity credential to StreamNative's cloud-support GSAs.

These identities have custom IAM policies maintained by StreamNative and use the following Azure features to secure and limit access:

A resource group is used to limit the scope of the managed identity to only the resources within the resource group.
A resource group is used for the AKS and other resources for the BYOC cluster.
An orgnazation specificed audience is used when exchange the GSA token to the customer identity. See Azure's documentation on Overview of federated identity credentials in Microsoft Entra ID.
Different permissions are used for different identities to ensure that the least privilege principle is followed. The following permissions are used for the identities:
- Contributor role limited to scope of the AKS resource group for the Bootstrap/Provisioning identity.
- Azure Kubernetes Service Cluster Admin Role limited to scope of the AKS resource group for the Bootstrap/Provisioning identity.
- Role Based Access Control Administrator role limited to scope of the AKS resource group for the Bootstrap/Provisioning identity with conditional role assignment, which limited to the following Azure roles:
- Azure Kubernetes Service Cluster User Role limited to scope of the AKS resource group for the Supporting identity.
All resource groups and IAM permissions are statically created by the customer (via automation) to limit access.

You can provision these resource groups and identities using StreamNative-provided automation. Currently, this automation is in the form of a Terraform module.

Provision Azure Access

StreamNative provides all the resource groups and identities via a

module. This module can be provisioned in a standalone Terraform project (as documented here), but can also be integrated into existing Terraform projects.

For full documentation of inputs and outputs of the Terraform module, see the module's README on GitHub.

Prerequisites

New to Terraform? Learn the Terraform Azure Getting Started Tutorial to get a basic introduction.
Install Terraform, version 1.3.0 or greater.
Ensure you have created an organization through the StreamNative Cloud Console.

If you run into issues, please contact StreamNative Support team.

Step 1: Create a new project and instantiate the module

Terraform works by having Terraform codes (in the form of *.tf files) and state files that represent the current resources. If you are using Terraform locally, without a remote state store, these files should be checked into source control for future updates. Create a new folder and add a file called main.tf with the following content, replacing the referenced variables.

provider "azurerm" {
  features {
  }
}

provider "azuread" {}

module "azure-sn-cloud-manager" {
  source = "github.com/streamnative/terraform-managed-cloud//modules/azure/sn-cloud-manager?ref=v3.11.1"

  streamnative_cloud_env = "production"
  resource_group_location = "<YOUR_DESIRED_AZURE_REGION>"
  streamnative_org_id = "<YOUR_SNCLOUD_ORG_ID>"
}

module "azure-managed-cloud" {
  source = "github.com/streamnative/terraform-managed-cloud//modules/azure/vendor-access?ref=v3.11.1"

  resource_group_name     = "<YOUR_AKS_CLUSTER_RESOURCE_GROUP_NAME>"
  resource_group_location = module.azure-sn-cloud-manager.resource_group_location

  streamnative_org_id = module.azure-sn-cloud-manager.streamnative_org_id

  sn_automation_principal_id = module.azure-sn-cloud-manager.sn_automation_principal_id
  sn_support_principal_id = module.azure-sn-cloud-manager.sn_support_principal_id
  sn_automation_client_id = module.azure-sn-cloud-manager.sn_automation_client_id
  sn_support_client_id = module.azure-sn-cloud-manager.sn_support_client_id

  depends_on = [
    module.azure-sn-cloud-manager
  ]
}

output "additional_roles" {
  value       = module.azure-managed-cloud.additional_roles
  description = "The additional roles created by this module"
}

output "resource_group_name" {
  value       = module.azure-managed-cloud.resource_group_name
  description = "The name of the resource group where the AKS cluster will be created"
}

output "streamnative_org_id" {
  value       = module.azure-managed-cloud.streamnative_org_id
  description = "An external ID that corresponds to your Organization within StreamNative Cloud, used for all managed identities created by the module. This will be the organization ID in the StreamNative console, e.g. \"o-xhopj\"."
}

output "sn_support_principal_id" {
  value       = module.azure-managed-cloud.sn_support_principal_id
  description = "The principal ID of the sn support service principal for StreamNative Cloud support access"
}

output "sn_automation_principal_id" {
  value       = module.azure-managed-cloud.sn_automation_principal_id
  description = "The principal ID of the sn automation service principal for StreamNative Cloud automation"
}

output "sn_automation_client_id" {
  value       = module.azure-managed-cloud.sn_automation_client_id
  description = "The client ID of the sn automation service principal for StreamNative Cloud automation"
}

output "sn_support_client_id" {
  value       = module.azure-managed-cloud.sn_support_client_id
  description = "The client ID of the sn support service principal for StreamNative Cloud support access"
}

output "subscription_id" {
  value       = module.azure-managed-cloud.subscription_id
  description = "The subscription ID of the AKS cluster"
}

output "tenant_id" {
  value       = module.azure-managed-cloud.tenant_id
  description = "The tenant ID of the AKS cluster"
}

<YOUR_SNCLOUD_ORG_ID>: your StreamNative Cloud organization ID. This is typically an ID like o-xxxxx. This can be found in your organization list or the top header of the application.
<YOUR_DESIRED_AZURE_REGION>: the Azure region where you want to create the resources. This should be a valid Azure region, such as eastus or westus2.
<YOUR_AKS_CLUSTER_RESOURCE_GROUP_NAME>: the name of the resource group where the AKS cluster will be created. This should be a unique name within your Azure subscription.

If you are using git as source control, you need to use the git init command to initialize this folder as a git project.

Step 2: Initialize the Terraform

While the above Terraform code is all needed, the module needs to be downloaded to this Terraform project.

To do so, run terraform init.

This will download the module and required dependencies.

Step 3: Create a shell with the correct Azure credentials

Terraform requires Azure credentials with the proper permissions in the target account to create the resources to grant access. The permissions required by the module are all Azure subscription permissions, specifically to manage the resource groups, manage the custom roles, and manage the user-assigned managed identities. The Azure built-in role of Contributor to the Azure subscription are sufficient to perform these operations.

All of the methods in Authenticating to Azure are compatible with the Terraform module. The most common method is to use the az CLI to log in and set the credentials in the shell. You can check the Azure CLI for detailed instructions.

Step 4: Run the Terraform

After initialization, and with credentials in the shell, the next step is to run the Terraform with terraform apply.

This will create a Terraform plan which shows all the resources to be created. To see an example plan, see the example plan in the GitHub readme.

Step 5: Provide the output to StreamNative

Once completed, provide the output of the terraform apply to your CSM or support representative.