From 1bd5a5211b262275669f9ace55b2331e5acb42f7 Mon Sep 17 00:00:00 2001 
From: Lenny Chen <55669665+lennessyy@users.noreply.github.com> Date: Fri, 20 Dec 2024 11:50:12 -0800 Subject: [PATCH] docs: enable AWS STS (#5101) * docs: create partial * docs: fix gitleak * docs: DOC-1528 (#5084) * docs: slack notification for release to production (gh-action) (#5083) * docs: slack notif draft for release gh-action * docs: amend slack notif description * docs: add slack notification for all jobs in release * docs: try ubuntu as runs-on * docs: set runs-on tags back * docs: fix URL formatting for slack notif * docs: remove test failure step * docs: add current step failure logic * docs: fix indentation * docs: add some step failures * docs: remove force failure * Apply suggestions from code review Co-authored-by: Karl Cardenas <29551334+karl-cardenas-coding@users.noreply.github.com> --------- Co-authored-by: Karl Cardenas <29551334+karl-cardenas-coding@users.noreply.github.com> * docs: add backlinks * docs: copy edits * docs: copy edit * Apply suggestions from code review Co-authored-by: Adelina Simion <43963729+addetz@users.noreply.github.com> * ci: auto-formatting prettier issues * docs: DOC-1518: Getting Started cleanup (#5042) * Initial Getting Started cleanup * Updates to Deploy Cluster Profile page * Minor parallel fix and package.json output update for deploy custom add-on pack tutorial * Updates to scale cluster section * Copying certain AWS changes over to other provider tutorials * Updated filter image for Azure clusters * ci: auto-formatting prettier issues * Optimised images with calibre/image-actions * Fixed ableism with see * ci: auto-formatting prettier issues --------- Co-authored-by: achuribooks Co-authored-by: vault-token-factory-spectrocloud[bot] <133815545+vault-token-factory-spectrocloud[bot]@users.noreply.github.com> * chore: upgrade docusaurus-theme-openapi-docs plugin (#5111) * chore: upgrade docusaurus-theme-openapi-docs plugin * docs: trigger visual tests * docs: DOC-1529: Add PCP-3592 to release notes (#5103) * Add 
PCP-3592 to release notes * Minor correction --------- Co-authored-by: Karl Cardenas <29551334+karl-cardenas-coding@users.noreply.github.com> Co-authored-by: Ben Radstone <56587332+benradstone@users.noreply.github.com> Co-authored-by: Adelina Simion <43963729+addetz@users.noreply.github.com> Co-authored-by: lennessyy Co-authored-by: Amanda Churi Filanowski Co-authored-by: achuribooks Co-authored-by: vault-token-factory-spectrocloud[bot] <133815545+vault-token-factory-spectrocloud[bot]@users.noreply.github.com> Co-authored-by: caroldelwing (cherry picked from commit 3ddd13a704df7cf64c55dea3a4d54a531402ea7a) --- _partials/self-hosted/_aws-sts-config.mdx | 96 +++++++++++++++++++ .../add-backup-location-dynamic.md | 18 ++-- .../public-cloud/aws/add-aws-accounts.md | 40 ++++---- .../configure-aws-sts-account.md | 12 +++ .../configure-aws-sts-account.md | 12 +++ 5 files changed, 154 insertions(+), 24 deletions(-) create mode 100644 _partials/self-hosted/_aws-sts-config.mdx create mode 100644 docs/docs-content/enterprise-version/system-management/configure-aws-sts-account.md create mode 100644 docs/docs-content/vertex/system-management/configure-aws-sts-account.md diff --git a/_partials/self-hosted/_aws-sts-config.mdx b/_partials/self-hosted/_aws-sts-config.mdx new file mode 100644 index 0000000000..763cf5f8c1 --- /dev/null +++ b/_partials/self-hosted/_aws-sts-config.mdx 
@@ -0,0 +1,96 @@ +--- +partial_category: self-hosted +partial_name: sts-config +--- + +{props.edition} allows tenants to use AWS Secret Token Service (STS) to add AWS cloud accounts to their {props.edition} environment. +In order to do this, {props.edition} relies on another AWS cloud account that is configured on the {props.edition} instance +to assume a custom role created on the tenant's AWS account. + +This custom role establishes a trust relationship between the tenant's AWS account and the AWS account bound to the {props.edition} instance. +It allows the {props.edition}-bound AWS account to receive temporary credentials from the tenant's AWS account to deploy infrastructure in AWS using STS. For more information on how to add an AWS cloud account to a tenant using STS, refer to the guide. + +You must configure your {props.edition} instance with an STS AWS account before your tenants can add AWS cloud accounts +to deploy clusters in AWS using STS. Without this configuration, the STS option will be greyed out when your tenants try to add an AWS account. + +## Prerequisites + +- Access to the {props.edition} system console. + +- The role of Root Administrator or Account Administrator. + +- An AWS IAM user that is allowed to assume cross-account IAM roles. + +## Enable Adding AWS Accounts Using STS + +1. Open a terminal session. + +2. Log in to the {props.edition} System API by using the `/v1/auth/syslogin` endpoint. + Use the curl command below and replace the `example.com` placeholder URL with the URL of your {props.edition} instance. + Ensure you replace the credentials below with your system console credentials. + + ```shell + TOKEN=$(curl --insecure --location 'https://example.com/v1/auth/syslogin' \ + --header 'Content-Type: application/json' \ + --data '{ + "password": "**********", + "username": "**********" + }') + ``` + +3. Next, prepare a payload for the AWS account you want to configure. 
+ Use the following JSON payload as a template and replace the `accessKey`, `secretKey`, and `accountId` fields with the AWS access key, secret key, and account ID of your AWS account. + + ```json + CONFIG_JSON=$(cat < + + + + ```bash + curl --request POST \ + --url https:///v1/system/config/aws/account \ + --header 'Authorization: $TOKEN' \ + --data '$CONFIG_JSON' + ``` + + + + + + ```bash + curl --request POST \ + --url https:///v1/system/config/awsgov/sts/account \ + --header 'Authorization: $TOKEN' \ + --data '$CONFIG_JSON' + ``` + + + + + + +## Validate + +Issue the following command to make an API call that confirms that the credentials were configured successfully. + +```bash +curl --request POST \ + --url https:///v1/system/config/aws/account \ + --header 'Authorization: $TOKEN' +``` + +If you receive a response that contains the payload you configured, the configuration was successful. diff --git a/docs/docs-content/clusters/cluster-management/backup-restore/add-backup-location-dynamic.md b/docs/docs-content/clusters/cluster-management/backup-restore/add-backup-location-dynamic.md index d57621fb67..28918e3d72 100644 --- a/docs/docs-content/clusters/cluster-management/backup-restore/add-backup-location-dynamic.md +++ b/docs/docs-content/clusters/cluster-management/backup-restore/add-backup-location-dynamic.md @@ -20,8 +20,6 @@ To support dynamic credentials with AWS, Palette uses the AWS Security Token Ser can use AWS STS when adding an S3 bucket as the backup location. The following sections outline the prerequisites and provide detailed steps to add an S3 bucket as the backup location using the STS authentication method. -
- :::warning Palette supports AWS STS only when your Paletteā€™s hosting environment and the backup location service provider are the @@ -46,6 +44,11 @@ cloud account. ### Prerequisites +- If you are using a self-hosted Palette or Vertex instance, you must configure an AWS account at the instance-level to + allow tenants to add AWS accounts using STS. For more information, refer to + [Enable Adding AWS Accounts Using STS - Palette](../../../enterprise-version/system-management/configure-aws-sts-account.md) + or [Enable Adding AWS Accounts Using STS - VerteX](../../../vertex/system-management/configure-aws-sts-account.md) + - Both your Palette environment instance and the S3 bucket are hosted on AWS. This prerequisite is more applicable to self-hosted Palette and Palette VerteX customers. Palette SaaS in hosted in an AWS environment. @@ -114,8 +117,6 @@ cloud account. ::: -
- ### Instructions 1. Log in to [Palette](https://console.spectrocloud.com/). @@ -194,8 +195,6 @@ AWS STS to authenticate Palette with the S3 bucket in the same AWS account you d 4. Search for the newly added backup location in the list. The presence of the backup location validates that you successfully added a new backup location. -
- ## Multiple Cloud Accounts with AWS STS Suppose your Kubernetes cluster is deployed in _AWS Account A_, and you want to create the backup in _AWS Account B_, @@ -220,10 +219,13 @@ A multi-cloud account scenario requires you to perform the following authenticat Use the following steps to add an S3 bucket as the backup location using the STS authentication method when you have multiple cloud accounts. -
- ### Prerequisites +- If you are using a self-hosted Palette or Vertex instance, you must configure an AWS account at the instance-level to + allow tenants to add AWS accounts using STS. For more information, refer to + [Enable Adding AWS Accounts Using STS - Palette](../../../enterprise-version/system-management/configure-aws-sts-account.md) + or [Enable Adding AWS Accounts Using STS - VerteX](../../../vertex/system-management/configure-aws-sts-account.md) + - Both your Palette environment instance and the S3 bucket are hosted on AWS. This prerequisite is more applicable to self-hosted Palette and Palette VerteX customers. Palette SaaS is hosted in an AWS environment. diff --git a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md index 675e16ebb1..3a4241f78a 100644 --- a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md +++ b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md @@ -49,6 +49,10 @@ Use the steps below to add an AWS cloud account using Security Token Service (ST #### Prerequisites +- If you are using a self-hosted instance of Palette or VerteX, you must configure an AWS account at the instance-level + to allow tenants to add AWS accounts using STS. For more information, refer to + [Enable Adding AWS Accounts Using STS - Palette](../../../enterprise-version/system-management/configure-aws-sts-account.md) + or [Enable Adding AWS Accounts Using STS - VerteX](../../../vertex/system-management/configure-aws-sts-account.md) - An AWS account. - Sufficient access to create an IAM role or IAM user. - Palette IAM policies. Review the [Required IAM Policies](required-iam-policies.md) section for guidance. 
@@ -70,14 +74,14 @@ Use the steps below to add an AWS cloud account using Security Token Service (ST 5. You will be provided with information on the right side of the wizard. You will need this information to create an IAM Role for Palette. The following table lists the information provided by the wizard after you select **STS**. - | **Parameter** | **Description** | - | ----------------------- | ------------------------------------------------ | - | **Trusted Entity Type** | Another AWS account | - | **Account ID** | Copy the Account ID displayed on the UI | - | **Require External ID** | Enable | - | **External ID** | Copy the External ID displayed on the UI | - | **Permissions Policy** | Search and select the 4 policies added in step 2 | - | **Role Name** | SpectroCloudRole | + | **Parameter** | **Description** | + | ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | **Trusted Entity Type** | Another AWS account. | + | **Account ID** | Copy the Account ID displayed on the UI. If using a self-hosted instance, this is the same AWS account that you configured for your Palette or VerteX instance to enable STS. | + | **Require External ID** | Enable. | + | **External ID** | Copy the External ID displayed on the UI. This ID is generated by Palette or VerteX and is different per tenant. | + | **Permissions Policy** | Search and select the 4 policies added in step 2. | + | **Role Name** | SpectroCloudRole. | 6. In the AWS console, create a new IAM role for Palette. Use the following resources if you need additional help. 
@@ -161,6 +165,10 @@ Use the steps below to add an AWS cloud account using STS credentials. #### Prerequisites +- If you are using a self-hosted instance of Palette or VerteX, you must configure an AWS account at the instance-level + to allow tenants to add AWS accounts using STS. For more information, refer to + [Enable Adding AWS Accounts Using STS - Palette](../../../enterprise-version/system-management/configure-aws-sts-account.md) + or [Enable Adding AWS Accounts Using STS - VerteX](../../../vertex/system-management/configure-aws-sts-account.md) - An AWS account - Sufficient access to create an IAM role or IAM user. - Palette IAM policies. Please review the [Required IAM Policies](required-iam-policies.md) section for guidance. 
@@ -182,14 +190,14 @@ Use the steps below to add an AWS cloud account using STS credentials. 5. You will be provided with information on the right side of the wizard. You will need this information to create an IAM Role for Palette. The following table lists the information provided by the wizard after you select **STS**. - | **Parameter** | **Description** | - | ----------------------- | ------------------------------------------------- | - | **Trusted Entity Type** | Another AWS account | - | **Account ID** | Copy the Account ID displayed on the UI | - | **Require External ID** | Enable | - | **External ID** | Copy the External ID displayed on the UI | - | **Permissions Policy** | Search and select the 4 policies added in step #2 | - | **Role Name** | SpectroCloudRole | + | **Parameter** | **Description** | + | ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | **Trusted Entity Type** | Another AWS account. | + | **Account ID** | Copy the Account ID displayed on the UI. If using a self-hosted instance, this is the same AWS account that you configured for your Palette or VerteX instance to enable STS. | + | **Require External ID** | Enable. | + | **External ID** | Copy the External ID displayed on the UI. This ID is generated by Palette or VerteX and is different per tenant. | + | **Permissions Policy** | Search and select the 4 policies added in step #2. | + | **Role Name** | SpectroCloudRole. | 6. In the AWS console, create a new IAM role for Palette. Use the following resources if you need additional help. diff --git a/docs/docs-content/enterprise-version/system-management/configure-aws-sts-account.md b/docs/docs-content/enterprise-version/system-management/configure-aws-sts-account.md new file mode 100644 index 0000000000..288ecd76b5 --- /dev/null 
+++ b/docs/docs-content/enterprise-version/system-management/configure-aws-sts-account.md @@ -0,0 +1,12 @@ +--- +sidebar_label: "Enable Adding AWS Accounts Using STS " +title: "Enable Adding AWS Accounts Using STS " +description: "This page teaches you how to allow tenants to add AWS accounts using STS." +icon: "" +hide_table_of_contents: false +sidebar_position: 20 +tags: ["palette", "management", "account", "credentials"] +keywords: ["self-hosted", "palette"] +--- + + diff --git a/docs/docs-content/vertex/system-management/configure-aws-sts-account.md b/docs/docs-content/vertex/system-management/configure-aws-sts-account.md new file mode 100644 index 0000000000..8ac1ff8a60 --- /dev/null +++ b/docs/docs-content/vertex/system-management/configure-aws-sts-account.md @@ -0,0 +1,12 @@ +--- +sidebar_label: "Enable Adding AWS Accounts Using STS" +title: "Enable Adding AWS Accounts Using STS " +description: "This page teaches you how to allow tenants to add AWS accounts using STS." +icon: "" +hide_table_of_contents: false +sidebar_position: 20 +tags: ["palette", "management", "account", "credentials"] +keywords: ["self-hosted", "vertex"] +--- + +
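Review bot: In the `_aws-sts-config.mdx` hunk the curl examples will not work as written because `$TOKEN` and `$CONFIG_JSON` sit inside single quotes (`--header 'Authorization: $TOKEN'`, `--data '$CONFIG_JSON'`), so the shell never expands them; switch to double quotes. In step 2, `TOKEN=$(curl ...)` captures the entire login response body rather than the token value, so the variable needs the token field extracted from the JSON before it can be sent as a header. Step 3 tags a shell assignment (`CONFIG_JSON=$(cat <`) as a `json` fence and the heredoc is cut off, and the POST examples show `https:///v1/...` with no host; use the same `example.com` placeholder as step 2 so readers have something to replace. The Validate section issues a `POST` to `/v1/system/config/aws/account` with no body to "confirm" the configuration; a read-back should be a `GET`, since a bodyless POST to the configure endpoint is more likely to fail or clobber the setting than to return it. Two smaller points: the expansion "AWS Secret Token Service" should be "AWS Security Token Service" (the backup-location page already uses the correct name), "refer to the guide" has no link target, and `--insecure` in the login command disables TLS verification against the system console, which should at least be called out as only appropriate for self-signed lab instances rather than left as the default copy-paste.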
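Review bot: In the `@@ -46,6 +44,11 @@` hunk of `add-backup-location-dynamic.md`, the new bullet spells the product "Vertex" while the link text on the next line says "VerteX" (and the `add-aws-accounts.md` hunks use "VerteX"); pick one spelling. The bullet also ends without a period unlike its neighbours, and since you are touching this list the unchanged context line "Palette SaaS in hosted in an AWS environment" should read "is hosted", as the later copy of the same sentence does.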
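Review bot: The `@@ -49,6 +49,10 @@` hunk in `add-aws-accounts.md` adds the same four-line "If you are using a self-hosted instance ... configure-aws-sts-account.md" bullet that also appears in `@@ -161,6 +165,10 @@` and in both `add-backup-location-dynamic.md` hunks; four copies of identical text with relative links will drift the next time a path changes. Consider moving the bullet into a partial next to `_aws-sts-config.mdx` and referencing it from each prerequisites list. Here the new bullet is also followed directly by `- An AWS account.` without the blank line the backup-location hunks use, so the list spacing differs between pages.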
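Review bot: In the `@@ -70,14 +74,14 @@` table hunk of `add-aws-accounts.md`, appending periods to literal values ("Enable.", "SpectroCloudRole.") invites readers to copy the dot into the role name; keep trailing punctuation only on sentence-style descriptions. The new **External ID** wording ("generated by Palette or VerteX and is different per tenant") is a good addition, and since the **Account ID** row now states that every tenant trusts the same instance-level AWS account, it is worth one more sentence saying that the per-tenant External ID is what prevents one tenant's role from being assumed on behalf of another, so readers understand why **Require External ID** must stay enabled. The identical table in `@@ -182,14 +190,14 @@` would benefit from the same change.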
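Review bot: In the two new `configure-aws-sts-account.md` files, `sidebar_label: "Enable Adding AWS Accounts Using STS "` and `title: "Enable Adding AWS Accounts Using STS "` carry a trailing space inside the string (the VerteX `sidebar_label` does not), which will render as inconsistent labels and can break link anchors; trim them. `icon: ""` is empty where sibling pages normally set one. As shown in this view, each file ends after the front matter with blank `+` lines only; confirm that the component importing `_aws-sts-config.mdx` with the `edition` prop set to "Palette" and "VerteX" respectively is actually present, otherwise both pages ship empty.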