Cloud Provider Account Integration
AWS
Enabling Cross-Account Access
To use HPE MLDES in your Amazon account, you will need to grant the required permissions. You can do this with CloudFormation from the AWS Console or using the AWS CLI.
This process creates a cross-account role that is used to manage the resources in your account, a role and instance profile that are used to run the MLDE master, and a role and instance profile that are used to run your workloads.
Using the AWS Console
You can download the CloudFormation template when creating your organization. The template contains an identifier that is unique to each new organization (the external ID required by the cross-account role's trust policy), which prevents unauthorized use of your cross-account role. Hence, you will need to re-download the template for every new organization that you create.
From the CloudFormation console, click "Create Stack" and upload the template file you have downloaded. You will need to provide a name (for example, MLDE-MS). If you are configuring multiple organizations in the same AWS account and want them to use different identities within your account, you may wish to specify a different prefix for each stack and re-download the CloudFormation template for each new organization. Otherwise, you may leave all the other default settings and click "Submit".
When the stack has finished creating its resources, the "Outputs" tab lists the details you will need to provide when configuring your organization.
Using the AWS CLI
You can also complete this process using the AWS CLI if it is already configured to authenticate with your account. For example, in a UNIX shell, begin by downloading the CloudFormation template:
curl https://global.mldes.ext.hpe.com/v0/ec2/cloudformation > cloudformation.json
Next, create the Stack in CloudFormation using the template:
aws cloudformation create-stack \
--stack-name MLDE-MS \
--template-body "$(cat cloudformation.json)" \
--capabilities CAPABILITY_NAMED_IAM
When the stack has completed, you will find the required details for configuring your organization in the "outputs" of the stack:
aws cloudformation describe-stacks \
--stack-name MLDE-MS \
--query 'Stacks[0].Outputs'
Note: make a note of the roles and instance profiles that were created so that you can verify or reference them in the future. If you modify the names of the roles or instance profiles, the role and instance profile for the MLDE master must share the same name, and the role and instance profile for the agents must also share the same name.
How Clusters Are Managed
Once HPE MLDES has access to your account, it will be able to continuously manage clusters for you. Specifically, it will create and manage these resources for a cluster:
- Networking:
- Elastic IPs
- Gateways
- Network interfaces
- Route tables
- Route53 records
- Security groups
- Subnets
- VPCs
- Compute:
- EC2 instances
- SSH key pairs
- Storage:
- Aurora DB clusters
- S3 buckets
- IAM:
- Roles
- Instance profiles
- Policies
- Other:
- KMS keys
- CloudWatch log groups
In general, HPE MLDES performs these operations on the resources it manages:
- Create
- Modify
- Delete
- Connect multiple resources
- Monitor resource status
- Save logs where applicable
- Create backups where applicable
In order for HPE MLDES to perform the aforementioned operations, your account must include an IAM role that trusts HPE MLDES and includes the necessary permissions. It can be set up by running a command as illustrated earlier, and the role's details are listed in the next section.
HPE MLDES is designed to manage both existing and new accounts. Existing resources in an account usually do not affect the MLDE clusters. However, in the situations below, you should examine existing resources for potential issues:
- Your existing resources use up a non-trivial portion of the account's quotas, which reduces the amount of resources HPE MLDES can create. You can often increase a quota, but some resource quotas have limits on how much they can be raised.
- Your existing resources interact with the MLDE cluster. For example, if you need to set up peering between the MLDE cluster's VPC and an existing VPC, it is recommended that the two VPCs have non-overlapping IP ranges.
Required Role and Instance Profiles
If you choose to create the IAM roles and policies manually, we will need at least the following permissions:
The Cross-Account Role
Required Trust Relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::677883114681:role/mldes-mgmt-service"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "sts:ExternalId": [
            "<Unique-External-ID>"
          ]
        }
      }
    }
  ]
}
Required Permissions Policy:
Note: you need to replace the text delimited with < and > with the desired values.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DetCrossAccountAccess",
      "Effect": "Allow",
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:AssociateRouteTable",
        "ec2:AttachInternetGateway",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateInternetGateway",
        "ec2:CreateNatGateway",
        "ec2:CreateNetworkInterface",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:CreateVpc",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteKeyPair",
        "ec2:DeleteNatGateway",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSubnet",
        "ec2:DeleteVpc",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeNatGateways",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DetachInternetGateway",
        "ec2:DetachNetworkInterface",
        "ec2:DisassociateRouteTable",
        "ec2:ImportKeyPair",
        "ec2:ModifyVpcAttribute",
        "ec2:ReleaseAddress",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "elasticfilesystem:CreateFileSystem",
        "elasticfilesystem:CreateMountTarget",
        "elasticfilesystem:DeleteFileSystem",
        "elasticfilesystem:DeleteMountTarget",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets",
        "elasticfilesystem:TagResource",
        "iam:AddRoleToInstanceProfile",
        "iam:AttachRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:CreatePolicy",
        "iam:CreateRole",
        "iam:DeleteInstanceProfile",
        "iam:DeletePolicy",
        "iam:DeleteRole",
        "iam:DetachRolePolicy",
        "iam:GetInstanceProfile",
        "iam:ListPolicies",
        "iam:ListRoles",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:SimulatePrincipalPolicy",
        "iam:TagInstanceProfile",
        "iam:TagPolicy",
        "iam:TagRole",
        "kms:CreateGrant",
        "kms:DescribeKey",
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:PutRetentionPolicy",
        "logs:TagResource",
        "logs:GetLogEvents",
        "rds:AddTagsToResource",
        "rds:CreateDBCluster",
        "rds:CreateDBSubnetGroup",
        "rds:DeleteDBCluster",
        "rds:DeleteDBSubnetGroup",
        "rds:DescribeDBClusters",
        "rds:ModifyDBCluster",
        "rds:RestoreDBClusterToPointInTime",
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:PutBucketPolicy",
        "s3:PutEncryptionConfiguration",
        "servicequotas:GetServiceQuota",
        "ssm:GetCommandInvocation",
        "ssm:SendCommand",
        "ssm:StartSession",
        "ssm:DeleteParameter",
        "ssm:PutParameter",
        "ssm:GetParameter",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DetCrossPassRole",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::<your AWS account ID>:role/<master instance profile name>"
    }
  ]
}
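The two properties that make the cross-account role safe are the external ID condition in the trust policy (the confused-deputy guard) and the narrowly scoped iam:PassRole resource in the permissions policy. The following checker, added here as an example and not part of the HPE MLDES documentation or tooling, verifies both over parsed IAM policy documents; the constant values are taken from the policies above, and the helper names are my own.

```python
# From the page: the HPE MLDES management principal and the placeholder that
# the shipped trust policy carries until it is replaced by a real external ID.
MGMT_PRINCIPAL = "arn:aws:iam::677883114681:role/mldes-mgmt-service"
PLACEHOLDER = "<Unique-External-ID>"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(trust):
    """Problems with the cross-account trust policy; an empty list passes.
    Every Allow of sts:AssumeRole must name only the MLDES management role and
    must require an sts:ExternalId that is neither the placeholder nor a
    wildcard (a wildcard under StringLike would void the confused-deputy guard)."""
    findings = []
    for st in trust.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if principals != [MGMT_PRINCIPAL]:
            findings.append("principal must be exactly %s, got %r" % (MGMT_PRINCIPAL, principals))
        cond = st.get("Condition", {})
        ext_ids = []
        for op in ("StringEquals", "StringLike"):
            ext_ids += _as_list(cond.get(op, {}).get("sts:ExternalId", []))
        if not ext_ids:
            findings.append("no sts:ExternalId condition on the assume-role statement")
        for ext in ext_ids:
            if ext == PLACEHOLDER or "*" in ext or "?" in ext:
                findings.append("external ID %r is a placeholder or wildcard" % ext)
    return findings


def passrole_findings(policy):
    """Problems with the permissions policy: iam:PassRole must be scoped to one
    concrete role ARN, never '*' or an unreplaced <placeholder>."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "iam:PassRole" not in _as_list(st.get("Action")):
            continue
        for res in _as_list(st.get("Resource")):
            if res == "*" or "<" in res or not res.startswith("arn:aws:iam::"):
                findings.append("iam:PassRole resource %r is not a specific role ARN" % res)
    return findings
```

After the stack is created, feed trust_policy_findings the document returned by `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument`, and passrole_findings the policy document of the cross-account role.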
The Master Instance Profile
Required Trust Relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}
Required Permissions Policy:
Note: you need to replace the text delimited with < and > with the desired values.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MasterAccess",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:TerminateInstances",
        "ec2:CreateTags",
        "ec2:RunInstances",
        "ec2:CancelSpotInstanceRequests",
        "ec2:RequestSpotInstances",
        "ec2:DescribeSpotInstanceRequests",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::<your AWS account ID>:role/<agent instance profile name>",
      "Effect": "Allow"
    }
  ]
}
Also include the AWS managed policy AmazonSSMManagedEC2InstanceDefaultPolicy.
The Agent Instance Profile
Required Trust Relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}
Required Permissions Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AgentAccess",
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "ec2:DescribeInstances",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
Also include the AWS managed policy AmazonSSMManagedEC2InstanceDefaultPolicy.
GCP
To use your GCP account with HPE MLDES, you will need to ensure the required APIs are enabled, define a role with the required permissions, and grant HPE MLDES' service account access to that role.
Enabling Required APIs
The following APIs may not all be enabled in new accounts; they must be enabled from the Enabled APIs & services page in the Google Cloud Console:
- Compute Engine API (compute.googleapis.com)
- Service Networking API (servicenetworking.googleapis.com)
- Secret Manager API (secretmanager.googleapis.com)
- Kubernetes Engine API (container.googleapis.com)
- Cloud SQL Admin API (sqladmin.googleapis.com)
- Cloud Storage (storage-component.googleapis.com)
Creating a Role to Grant Required Permissions
- Install the gcloud CLI if it is not already installed. See the install page for more information on how to do so.
- Log in to the project you want HPE MLDES to deploy to. More information on CLI login can be found on the gcloud auth login page.
- Create a role with the required permissions in this project. You will need the Role Administrator role for this and the following steps:
gcloud iam roles create [ROLE NAME] --project [PROJECT] --permissions \
cloudsql.databases.create,cloudsql.databases.get,cloudsql.users.create,\
cloudsql.instances.clone,cloudsql.instances.create,cloudsql.instances.delete,cloudsql.instances.get,\
compute.addresses.create,compute.addresses.delete,compute.addresses.get,\
compute.globalAddresses.createInternal,compute.globalAddresses.deleteInternal,\
compute.networks.create,compute.networks.delete,compute.networks.get,\
compute.networks.removePeering,compute.networks.updatePolicy,compute.networks.use,\
compute.regionOperations.get,\
compute.subnetworks.create,compute.subnetworks.delete,\
container.clusters.create,container.clusters.delete,container.clusters.get,container.operations.get,\
iam.serviceAccounts.actAs,logging.logEntries.list,\
resourcemanager.projects.get,\
secretmanager.secrets.create,secretmanager.secrets.delete,secretmanager.versions.access,secretmanager.versions.add,secretmanager.versions.list,\
servicenetworking.services.addPeering,\
storage.buckets.create,storage.buckets.delete,storage.objects.delete,storage.objects.list
Connecting with the Google Cloud management console
- Navigate to the IAM service within the Google Cloud console
- Click the Grant Access button
- Enter mgmt-service@hpe-mldes.iam.gserviceaccount.com as the principal
- From the Select a role drop-down menu, in the Custom section, select the role created above
- Click ADD ANOTHER ROLE and select the role Kubernetes Engine Admin
- Click Save
Connecting with the gcloud CLI
Alternatively, you can use the gcloud CLI. Just run the following commands:
gcloud projects add-iam-policy-binding [PROJECT] --member="serviceAccount:mgmt-service@hpe-mldes.iam.gserviceaccount.com" --role="projects/[PROJECT]/roles/[ROLE NAME]"
gcloud projects add-iam-policy-binding [PROJECT] --member="serviceAccount:mgmt-service@hpe-mldes.iam.gserviceaccount.com" --role="roles/container.admin"
Adding the external ID to project labels
In order to use this role via our application, you will also need to add a label to your project with the "external ID" presented when you create an organization.
- Navigate to the Labels section within IAM on the Google Cloud console
- Click the Add Label button
- Enter any key that has the prefix "mldes_external_id" (e.g. mldes_external_id_org_one)
- For the value, use the "External ID" shown when you create an organization
- Click Save
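The GCP grant described in the last three sections ("Connecting with the Google Cloud management console", "Connecting with the gcloud CLI" and "Adding the external ID to project labels") can be audited after the fact. The checker below is an added example, not part of the HPE MLDES documentation or tooling; it assumes the parsed JSON shapes of `gcloud projects describe PROJECT --format=json` (a "labels" map) and `gcloud projects get-iam-policy PROJECT --format=json` (a "bindings" list), and the service account, role and label prefix come from the page.

```python
# From the page: the HPE MLDES management service account, the label prefix
# that carries the organization's external ID, and the second required role.
MGMT_MEMBER = "serviceAccount:mgmt-service@hpe-mldes.iam.gserviceaccount.com"
LABEL_PREFIX = "mldes_external_id"
GKE_ADMIN = "roles/container.admin"


def external_id_labels(project):
    """{label key: external ID} for every project label with the MLDES prefix.
    `project` is the parsed output of `gcloud projects describe --format=json`."""
    labels = project.get("labels") or {}
    return {k: v for k, v in labels.items() if k.startswith(LABEL_PREFIX)}


def mgmt_roles(iam_policy):
    """Roles bound to the MLDES service account in a parsed
    `gcloud projects get-iam-policy --format=json` document."""
    return sorted(b["role"] for b in iam_policy.get("bindings", [])
                  if MGMT_MEMBER in b.get("members", []))


def audit(project, iam_policy, custom_role):
    """Findings (empty = OK). The service account should hold exactly the custom
    role plus Kubernetes Engine Admin and nothing broader, and the project needs
    at least one non-empty external-ID label for MLDES to be able to use the grant."""
    findings = []
    ids = external_id_labels(project)
    if not ids:
        findings.append("no project label with prefix %s" % LABEL_PREFIX)
    for key, value in ids.items():
        if not value:
            findings.append("label %s has an empty external ID" % key)
    expected = {custom_role, GKE_ADMIN}
    granted = set(mgmt_roles(iam_policy))
    for role in sorted(granted - expected):
        findings.append("role granted beyond the required set: " + role)
    for role in sorted(expected - granted):
        findings.append("required role missing: " + role)
    return findings
```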