Kubernetes Credentials Management
In order to integrate a vendor-managed Kubernetes cluster into our system, you can either opt to Create a new cluster or Import an existing one. Either path requires adding credentials specific to your vendor.
Supported Credential Types include:
- AWS
- Azure
- Azure Storage
- Cloudflare R2 Storage
- Digital Ocean
- Google Cloud
- Google OAuth
- Hetzner
- Linode
- Rancher
- Scaleway
- Vultr
Visit https://home.appscode.com/user/settings/credentials to manage credentials.
AWS
To create or import EKS clusters in the Platform Console, you need to create an access key for an IAM user that has the following policies.
- AmazonEC2FullAccess (AWS Managed Policy)
- AWSCloudFormationFullAccess (AWS Managed Policy)
- EKSAllAccess
- IamLimitedAccess
Steps:
- Create user
- Create required policies
- Attach the policies to the user
- Create access key
Details:
- Create user
    aws iam create-user --user-name "eks-cluster"
- Create policies
  - Export AWS Account ID
        export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
  - Create AmazonEC2FullAccess (AWS Managed Policy) policy
        echo '{
          "Version": "2012-10-17",
          "Statement": [
            { "Action": "ec2:*", "Effect": "Allow", "Resource": "*" },
            { "Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*" },
            { "Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*" },
            { "Effect": "Allow", "Action": "autoscaling:*", "Resource": "*" },
            {
              "Effect": "Allow",
              "Action": "iam:CreateServiceLinkedRole",
              "Resource": "*",
              "Condition": {
                "StringEquals": {
                  "iam:AWSServiceName": [
                    "autoscaling.amazonaws.com",
                    "ec2scheduled.amazonaws.com",
                    "elasticloadbalancing.amazonaws.com",
                    "spot.amazonaws.com",
                    "spotfleet.amazonaws.com",
                    "transitgateway.amazonaws.com"
                  ]
                }
              }
            }
          ]
        }' > ec2-policy.json
        aws iam create-policy --policy-name ec2-policy --policy-document file://ec2-policy.json
        POLICY_ARN=$(aws iam list-policies --query 'Policies[?PolicyName==`ec2-policy`].Arn' --output text)
        aws iam attach-user-policy --user-name "eks-cluster" --policy-arn $POLICY_ARN
  - Create AWSCloudFormationFullAccess (AWS Managed Policy) policy
        echo '{
          "Version": "2012-10-17",
          "Statement": [
            { "Effect": "Allow", "Action": [ "cloudformation:*" ], "Resource": "*" }
          ]
        }' > cloudformation-policy.json
        aws iam create-policy --policy-name cloudformation-policy --policy-document file://cloudformation-policy.json
        POLICY_ARN=$(aws iam list-policies --query 'Policies[?PolicyName==`cloudformation-policy`].Arn' --output text)
        aws iam attach-user-policy --user-name "eks-cluster" --policy-arn $POLICY_ARN
  - Create EKSAllAccess policy
        echo '{
          "Version": "2012-10-17",
          "Statement": [
            { "Effect": "Allow", "Action": "eks:*", "Resource": "*" },
            {
              "Action": [ "ssm:GetParameter", "ssm:GetParameters" ],
              "Resource": [
                "arn:aws:ssm:*:${AWS_ACCOUNT_ID}:parameter/aws/*",
                "arn:aws:ssm:*::parameter/aws/*"
              ],
              "Effect": "Allow"
            },
            { "Action": [ "kms:CreateGrant", "kms:DescribeKey" ], "Resource": "*", "Effect": "Allow" },
            { "Action": [ "logs:PutRetentionPolicy" ], "Resource": "*", "Effect": "Allow" }
          ]
        }' > eks-policy-template.json
        envsubst < eks-policy-template.json > eks-policy.json
        aws iam create-policy --policy-name eks-policy --policy-document file://eks-policy.json
        POLICY_ARN=$(aws iam list-policies --query 'Policies[?PolicyName==`eks-policy`].Arn' --output text)
        aws iam attach-user-policy --user-name "eks-cluster" --policy-arn $POLICY_ARN
  - Create IamLimitedAccess policy
        echo '{
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile", "iam:GetRole", "iam:CreateRole", "iam:DeleteRole",
                "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole", "iam:PassRole", "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy", "iam:GetRolePolicy", "iam:GetOpenIDConnectProvider",
                "iam:CreateOpenIDConnectProvider", "iam:DeleteOpenIDConnectProvider",
                "iam:TagOpenIDConnectProvider", "iam:ListAttachedRolePolicies", "iam:TagRole",
                "iam:GetPolicy", "iam:CreatePolicy", "iam:DeletePolicy", "iam:ListPolicyVersions"
              ],
              "Resource": [
                "arn:aws:iam::${AWS_ACCOUNT_ID}:instance-profile/eksctl-*",
                "arn:aws:iam::${AWS_ACCOUNT_ID}:role/eksctl-*",
                "arn:aws:iam::${AWS_ACCOUNT_ID}:policy/eksctl-*",
                "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/*",
                "arn:aws:iam::${AWS_ACCOUNT_ID}:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup",
                "arn:aws:iam::${AWS_ACCOUNT_ID}:role/eksctl-managed-*"
              ]
            },
            {
              "Effect": "Allow",
              "Action": [ "iam:GetRole" ],
              "Resource": [ "arn:aws:iam::${AWS_ACCOUNT_ID}:role/*" ]
            },
            {
              "Effect": "Allow",
              "Action": [ "iam:CreateServiceLinkedRole" ],
              "Resource": "*",
              "Condition": {
                "StringEquals": {
                  "iam:AWSServiceName": [
                    "eks.amazonaws.com",
                    "eks-nodegroup.amazonaws.com",
                    "eks-fargate.amazonaws.com"
                  ]
                }
              }
            }
          ]
        }' > iam-policy-template.json
        envsubst < iam-policy-template.json > iam-policy.json
        aws iam create-policy --policy-name iam-policy --policy-document file://iam-policy.json
        POLICY_ARN=$(aws iam list-policies --query 'Policies[?PolicyName==`iam-policy`].Arn' --output text)
        aws iam attach-user-policy --user-name "eks-cluster" --policy-arn $POLICY_ARN
- Create Access Token for the user
    aws iam create-access-key --user-name "eks-cluster"
Then add the credential you got from the previous step here.
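The two `envsubst` steps above render `${AWS_ACCOUNT_ID}` into the policy templates; if that variable is empty (for example, because `aws sts get-caller-identity` ran against the wrong profile), `envsubst` silently writes ARNs with an empty account field and `aws iam create-policy` is then run on a document nobody has read. The following added example, written for this page and not part of AppsCode's tooling, is an offline pre-flight check you can run on the template files before creating the policies: it renders the template while refusing unset variables, parses the result, verifies that every account-scoped ARN points at the account you expect, and lists the unconditioned `<service>:*` grants on `*` so they are accepted deliberately. The helper names (`render_template`, `lint_policy`, `check_template`), the trimmed sample template and the 12-digit account id are all constructed for the example.

```python
"""Offline pre-flight checks for the IAM policy templates used to scope the
eks-cluster user. The helper names here are ours, not AppsCode's."""
import json
import re

PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
ACCOUNT_ID = re.compile(r"^\d{12}$")


def render_template(template_text, env):
    """Substitute ${VAR} placeholders the way envsubst does, but fail closed:
    an unset or empty variable raises ValueError instead of silently
    producing an ARN with an empty account field."""
    def substitute(match):
        name = match.group(1)
        value = env.get(name, "")
        if not value:
            raise ValueError(f"template variable {name} is unset or empty")
        return value
    return PLACEHOLDER.sub(substitute, template_text)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy, expected_account_id):
    """Return a list of findings for an IAM policy document (empty = clean).

    Checks: policy Version, required statement keys, malformed ARNs,
    account-scoped ARNs that point at a different account than expected,
    and unconditioned Allow grants of '<service>:*' on all resources, which
    a reviewer should accept consciously rather than by accident."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        missing = [k for k in ("Effect", "Action", "Resource") if k not in st]
        if missing:
            findings.append(f"Statement[{i}] missing {', '.join(missing)}")
            continue
        actions = _as_list(st["Action"])
        resources = _as_list(st["Resource"])
        for arn in resources:
            if arn == "*":
                continue
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) != 6 or parts[0] != "arn":
                findings.append(f"Statement[{i}] malformed ARN: {arn}")
                continue
            account = parts[4]  # empty for ARNs like arn:aws:ssm:*::parameter/aws/*
            if account and account != expected_account_id:
                findings.append(f"Statement[{i}] ARN scoped to foreign account {account}: {arn}")
        if st["Effect"] == "Allow" and "*" in resources and "Condition" not in st:
            wide = [a for a in actions if a == "*" or a.endswith(":*")]
            if wide:
                findings.append(f"Statement[{i}] unconditioned wildcard grant {wide} on all resources")
    return findings


def check_template(template_text, env, expected_account_id):
    """Render a policy template with env, parse it, and lint it.
    Returns (policy_dict_or_None, findings)."""
    if not ACCOUNT_ID.match(expected_account_id or ""):
        return None, ["expected account id must be a 12-digit AWS account id"]
    try:
        rendered = render_template(template_text, env)
    except ValueError as exc:
        return None, [str(exc)]
    policy = json.loads(rendered)
    return policy, lint_policy(policy, expected_account_id)


# Constructed sample: a trimmed copy of the EKSAllAccess template from the steps above.
EKS_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "eks:*", "Resource": "*" },
    { "Effect": "Allow",
      "Action": [ "ssm:GetParameter", "ssm:GetParameters" ],
      "Resource": [ "arn:aws:ssm:*:${AWS_ACCOUNT_ID}:parameter/aws/*",
                    "arn:aws:ssm:*::parameter/aws/*" ] }
  ]
}"""

if __name__ == "__main__":
    env = {"AWS_ACCOUNT_ID": "123456789012"}  # constructed placeholder, not a real account
    policy, findings = check_template(EKS_TEMPLATE, env, env["AWS_ACCOUNT_ID"])
    for line in findings:
        print("finding:", line)
    # An empty environment (the failure mode envsubst hides) is reported, not rendered.
    print(check_template(EKS_TEMPLATE, {}, env["AWS_ACCOUNT_ID"])[1])
```

To use it on the real files, read `eks-policy-template.json` or `iam-policy-template.json` into `template_text`, pass `os.environ` as `env`, and only write the rendered policy to disk when `findings` contains nothing you did not expect. The wildcard findings for `ec2:*`, `cloudformation:*` and `eks:*` are intended by these steps; the check exists so that a template edited later cannot widen the grant unnoticed.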

Azure
To configure Azure credentials for accessing and managing Azure Kubernetes Service (AKS) clusters, follow these steps using the Azure CLI:
- Set the Azure subscription ID using the following command.
    export AZURE_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
- Create an Azure Service Principal with the Contributor role.
    az ad sp create-for-rbac --role Contributor --scopes="/subscriptions/${AZURE_SUBSCRIPTION_ID}" --sdk-auth
- Save Credentials
  The command will output a JSON response containing the service principal details, including clientId (Application ID), clientSecret (Client Secret), subscriptionId, tenantId, and other information. Save these credentials securely as they will be used to configure the AKS cluster.
Then add the credential here.

Digital Ocean
To access Digital Ocean managed clusters, you need to create an API token in Digital Ocean.
Ref: How to Create a Personal Access Token
Then add the credential you got from Digital Ocean here.
Google Cloud
To access GKE clusters, you need to create a GCP service account with the container.admin role.
- Set Project id, service account name
    # Set the ID of the project that hosts your GKE clusters
    PROJECT_ID="myproject-id"   # change it to your project id
    GKE_SA_NAME="gke-cluster"   # change it to your desired sa name
    GKE_SA_EMAIL="$GKE_SA_NAME@${PROJECT_ID}.iam.gserviceaccount.com"
- Create Service account and Assign permission
    gcloud iam service-accounts create $GKE_SA_NAME --display-name $GKE_SA_NAME
    # grant the service account the container.admin role on the project
    gcloud projects add-iam-policy-binding $PROJECT_ID \
      --member serviceAccount:$GKE_SA_EMAIL --role "roles/container.admin"
- Create a Service Account Secret
    # download static credentials
    gcloud iam service-accounts keys create $GKE_SA_NAME-credentials.json \
      --iam-account $GKE_SA_EMAIL
Then add the service account credentials here.

Google OAuth
The simplest way to access GKE clusters is to create a Google OAuth type credential.
Just head over here and:
- Choose a Name
- Select Credential Type: Google OAuth
- Click Continue with Google
This will create a credential that you can use to access your Kubernetes cluster.

Linode
To access LKE clusters, you need to create an API token in Linode with the following permissions.
- Kubernetes (Read/Write)
Ref: Manage Linode Personal Access Tokens
Then add the credential you got from Linode here.

Rancher
To access Rancher clusters through AppsCode, you need to create an API token in your Rancher system. Follow these steps:
- In Rancher, click on the profile icon.
- Select Account & API Keys.
- Click Create API Key.
- Provide a name and set the expiration for the API key.
- Click Create to complete the API token creation.
Reference: Rancher API Keys
Copy the generated access key, secret key, and API endpoint from the Account & API Keys overview page.
Next, add these credentials to the AppsCode user settings credentials page.

Azure Storage
To access Azure Blob Storage, you need your Storage Account name and one of its access keys.
- Account: Your Storage Account name, found in the Azure Portal under Storage accounts.
- Key: One of the access keys (key1 or key2), found under Security + networking > Access keys in the storage account sidebar. Click Show to reveal the key value.
Then add the credential here.

Cloudflare R2 Storage
To access Cloudflare R2 Object Storage, you need your Account ID and an R2 API token.
- Account ID: Found on your Cloudflare Dashboard under R2 > Overview or in the sidebar.
- Access Key ID & Secret Access Key: Generated by creating an R2 API token. Navigate to R2 > Manage R2 API Tokens > Create API Token and ensure the token has Edit permissions for the target bucket.
Then add the credential here.

Hetzner
To access Hetzner Cloud resources, you need an API token and an SSH key.
- SSH Key Name: The name of an existing SSH key registered in your Hetzner Cloud project.
- Token: A Hetzner Cloud API token. Generate one under Security > API Tokens in your Hetzner Cloud Console. Use Read & Write permissions.
Then add the credential here.

Scaleway
To access Scaleway resources, you need your Organization ID and an API secret key.
- Organization: Your Scaleway Organization ID (a UUID), found under Organization Settings in the Scaleway Console.
- Token: Your API Secret Key. Navigate to Identity and Access Management (IAM) > API Keys, create a new API key, and copy the Secret Key.
Ref: Scaleway API Keys
Then add the credential here.

Vultr
To access Vultr resources, you need a Vultr API key.
- Token: Your Vultr API key. Navigate to Account > API in the Vultr customer portal and generate a personal access token.
Ref: Vultr API
Then add the credential here.