From c6903411faf63a5d5038041c2d0cbc14119fc0c0 Mon Sep 17 00:00:00 2001 From: Amanda Churi Filanowski Date: Mon, 3 Feb 2025 08:49:58 -0500 Subject: [PATCH 01/12] Adding AWS Secret Cloud documentation --- _partials/_aws-static-credentials-setup.mdx | 26 +- .../public-cloud/aws/add-aws-accounts.md | 256 +++++++++++++----- .../clusters/public-cloud/aws/eks.md | 8 +- 3 files changed, 205 insertions(+), 85 deletions(-) diff --git a/_partials/_aws-static-credentials-setup.mdx b/_partials/_aws-static-credentials-setup.mdx index 492603afcd..6810b2847a 100644 --- a/_partials/_aws-static-credentials-setup.mdx +++ b/_partials/_aws-static-credentials-setup.mdx 
@@ -3,33 +3,29 @@ partial_category: palette-setup partial_name: aws-static-credentials --- -1. Create an IAM Role or IAM User for Palette. Use the following resources if you need additional help. +1. Log in to [Palette](https://console.spectrocloud.com) as tenant admin. - - [IAM Role creation guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html). - - [IAM User creation guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html). +2. From the left **Main Menu**, click on **Tenant Settings**. -2. In the AWS console, assign the Palette-required IAM policies to the IAM role or the IAM user that Palette will use. +3. Select **Cloud Accounts**, and click **Add AWS Account**. -3. Log in to [Palette](https://console.spectrocloud.com) as tenant admin. - -4. From the left **Main Menu**, click on **Tenant Settings**. - -5. Select **Cloud Accounts**, and click **+Add AWS Account**. - -6. In the cloud account creation wizard provide the following information: +4. In the cloud account creation wizard provide the following information: - **Account Name:** Custom name for the cloud account. - **Description:** Optional description for the cloud account. + - **Partition:** Choose **AWS** from the **drop-down Menu**. - **Credentials:** + - AWS Access key + - AWS Secret access key -7. Click the **Validate** button to validate the credentials. +5. **Validate** the credentials. -8. Once the credentials are validated, the **Add IAM Policies** toggle displays. Toggle **Add IAM Policies** on. +6. Once the credentials are validated, the **Add IAM Policies** toggle is displayed. Toggle **Add IAM Policies** on. -9. Use the **drop-down Menu**, which lists available IAM policies in your AWS account, to select any desired IAM - policies you want to assign to Palette IAM role or IAM user. +7. 
Use the **drop-down Menu**, which lists available IAM policies in your AWS account, to select any desired IAM + policies you want to assign to the Palette IAM role or IAM user. \ No newline at end of file diff --git a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md index 601eaacb19..ba1734e6a3 100644 --- a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md +++ b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md 
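Review bot: The partial `_partials/_aws-static-credentials-setup.mdx` now ends without a trailing newline (`\ No newline at end of file` at the end of this hunk); the same is introduced for `add-aws-accounts.md` and `eks.md` later in this patch, so restore the final newline in all three before prettier flags them. Second, the removed steps `-1. Create an IAM Role or IAM User for Palette` and `-2. In the AWS console, assign the Palette-required IAM policies` are now covered only by the prerequisite lists on the pages that include this partial, and the new list jumps from validation straight to `+6. ... Toggle **Add IAM Policies** on`; one sentence in the partial stating that the role or user and its policies must already exist would keep the partial correct wherever it is included. Third, `+5. **Validate** the credentials.` replaces `Click the **Validate** button`; bolding the verb reads as if Validate were a menu, so `Click **Validate**` is clearer, and the same wording is used in every step list in this patch.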
@@ -7,21 +7,32 @@ tags: ["public cloud", "aws", "iam"] sidebar_position: 10 --- -Palette supports integration with AWS Cloud Accounts. This also includes support for -[AWS GovCloud (US)](https://aws.amazon.com/govcloud-us/?whats-new-ess.sort-by=item.additionalFields.postDateTime&whats-new-ess.sort-order=desc) +Palette supports integration with Amazon Web Services (AWS) Cloud Accounts, including +[AWS GovCloud (US)](https://aws.amazon.com/govcloud-us/?whats-new-ess.sort-by=item.additionalFields.postDateTime&whats-new-ess.sort-order=desc) and [AWS Secret Cloud (US)](https://aws.amazon.com/federal/secret-cloud/) accounts. This section explains how to create an AWS cloud account in Palette. You can use any of the following authentication methods to register your cloud account. - AWS + - [Static Access Credentials](#static-access-credentials) + - [Dynamic Access Credentials](#dynamic-access-credentials) -- AWS GovCloud + +- AWS GovCloud (US) + - [Static Access Credentials](#static-access-credentials-1) + - [Dynamic Access Credentials](#dynamic-access-credentials-1) + +- AWS Secret Cloud (SC2S) (US) + + - [Static Access Credentials](#static-access-credentials-2) + + - [Secure Compliance Validation Credentials](#secure-compliance-validation-credentials) ## AWS Account -This section provides guidance in creating an AWS account that uses static or dynamic access credentials. +This section provides guidance on creating an AWS account that uses static or dynamic access credentials. ### Static Access Credentials 
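Review bot: The rewritten intro `+Palette supports integration with Amazon Web Services (AWS) Cloud Accounts, including ... and [AWS Secret Cloud (US)]` presents Secret Cloud as a generally available Palette feature, while the new section added later in this patch says Secret Cloud accounts are configured in Palette VerteX and lists `Palette VerteX installed` and the `AwsSecretPartition` feature flag as prerequisites. State the VerteX-only scope here and in the list item `+- AWS Secret Cloud (SC2S) (US)` so readers on SaaS Palette do not look for a partition that the wizard will not show them.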
@@ -29,9 +40,11 @@ Use the steps below to add an AWS cloud account using static access credentials. #### Prerequisites -- An AWS account -- Sufficient access to create an IAM role or IAM user. -- Palette IAM policies. Review the [Required IAM Policies](required-iam-policies.md) section for guidance. +- A Palette account with [tenant admin](../../../tenant-settings/tenant-settings.md) access + +- An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette + +- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role #### Add AWS Account to Palette @@ -39,7 +52,7 @@ Use the steps below to add an AWS cloud account using static access credentials. #### Validate -You can validate the account is available in Palette by reviewing the list of cloud accounts. To review the list of +You can verify that the account is available in Palette by reviewing the list of cloud accounts. To review the list of cloud accounts, navigate to the left **Main Menu** and click on **Tenant Settings**. Next, click on **Cloud Accounts**. Your newly added AWS cloud account is listed under the AWS section. 
@@ -49,13 +62,16 @@ Use the steps below to add an AWS cloud account using Security Token Service (ST #### Prerequisites +- A Palette account with [tenant admin](../../../tenant-settings/tenant-settings.md) access + - If you are using a self-hosted instance of Palette or VerteX, you must configure an AWS account at the instance-level to allow tenants to add AWS accounts using STS. For more information, refer to [Enable Adding AWS Accounts Using STS - Palette](../../../enterprise-version/system-management/configure-aws-sts-account.md) or [Enable Adding AWS Accounts Using STS - VerteX](../../../vertex/system-management/configure-aws-sts-account.md) -- An AWS account. -- Sufficient access to create an IAM role or IAM user. -- Palette IAM policies. Review the [Required IAM Policies](required-iam-policies.md) section for guidance. + +- An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette + +- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role #### Add AWS Account to Palette 
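Review bot: The new prerequisite `+- An AWS account with an [IAM role](...) or [IAM user](...) for Palette` in the Dynamic Access Credentials section offers an IAM user as an alternative, but the STS steps that follow only work with a role: the wizard output is used to create an IAM role for Palette and the later step pastes `the role ARN into the **ARN** field`. Drop the IAM user option from the STS prerequisites (here and in the matching GovCloud Dynamic Access Credentials hunk), and say that the role is created from the values the wizard shows during step 5 rather than before the wizard is opened, which is what the current prerequisite wording implies.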
@@ -63,16 +79,18 @@ Use the steps below to add an AWS cloud account using Security Token Service (ST 2. From the left **Main Menu**, click on **Tenant Settings**. -3. Select **Cloud Accounts**, and click **+Add AWS Account**. +3. Select **Cloud Accounts**, and click **Add AWS Account**. -4. In the cloud account creation wizard give the following information: +4. In the cloud account creation wizard, enter the following information: - **Account Name**: Custom name for the cloud account. + - **Description**: Optional description for the cloud account. + - Select **STS** authentication for validation. 5. You will be provided with information on the right side of the wizard. You will need this information to create an - IAM Role for Palette. The following table lists the information provided by the wizard after you select **STS**. + IAM role for Palette. The following table lists the information provided by the wizard after you select **STS**. | **Parameter** | **Description** | | ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -83,31 +101,23 @@ Use the steps below to add an AWS cloud account using Security Token Service (ST | **Permissions Policy** | Search and select the 4 policies added in step 2. | | **Role Name** | SpectroCloudRole. | -6. In the AWS console, create a new IAM role for Palette. Use the following resources if you need additional help. - - - [IAM Role creation guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html). - - [IAM User creation guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html). - -7. In the AWS console, assign the [Palette required IAM policies](required-iam-policies.md) to the role that Palette - will use. +6. In the AWS console, browse to the **Role Details** page and copy the Amazon Resource Name (ARN) for the role. -8. In the AWS console, browse to the **Role Details** page and copy the Amazon Resource Name (ARN) for the role. +7. In Palette, paste the role ARN into the **ARN** field. -9. In Palette, paste the role ARN into the **ARN** input box. - -10. Click the **Validate** button to validate the credentials. +8. **Validate** the credentials. #### Validate -You can validate the account is available in Palette by reviewing the list of cloud accounts. To review the list of -cloud accounts navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click on **Cloud Accounts**. Your +You can verify that the account is available in Palette by reviewing the list of cloud accounts. To review the list of +cloud accounts, navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click on **Cloud Accounts**. Your newly added AWS cloud account is listed under the AWS section. -## AWS GovCloud Account +## AWS GovCloud Account (US) Palette supports integration with [AWS GovCloud (US)](https://aws.amazon.com/govcloud-us/?whats-new-ess.sort-by=item.additionalFields.postDateTime&whats-new-ess.sort-order=desc). 
-Using Palette you can deploy Kubernetes clusters to your AWS GovCloud account. This section provides guidance in +Using Palette, you can deploy Kubernetes clusters to your AWS GovCloud account. This section provides guidance on creating an AWS GovCloud account that uses static or dynamic access credentials. ### Static Access Credentials 
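Review bot: The retained row `| **Permissions Policy** | Search and select the 4 policies added in step 2. |` now points at the wrong step: after this hunk renumbers the list, step 2 is `From the left **Main Menu**, click on **Tenant Settings**`, and the step that assigned the policies was removed in favour of the `required IAM policies` prerequisite. Reword the row to reference that prerequisite, for example `Search and select the four policies listed on the Required IAM Policies page`. The same row in the GovCloud STS table later in the patch (`added in step #2`) needs the same fix. Also, with `-6. In the AWS console, create a new IAM role for Palette` removed, the list goes from the wizard table straight to `+6. In the AWS console, browse to the **Role Details** page and copy the Amazon Resource Name (ARN) for the role`; keep an explicit step that creates the role using the wizard's values, since step 5 still says that information is needed to create it.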
@@ -116,47 +126,45 @@ Use the steps below to add an AWS cloud account using static access credentials. #### Prerequisites -- An AWS account -- Sufficient access to create an IAM role or IAM user. -- Palette IAM policies. Please review the [Required IAM Policies](required-iam-policies.md) section for guidance. - -#### Add AWS GovCloud Account to Palette +- A Palette account with [tenant admin](../../../tenant-settings/tenant-settings.md) access -1. Create an IAM Role or IAM User for Palette. Use the following resources if you need additional help. +- An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette - - [IAM Role creation guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html). - - [IAM User creation guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html). +- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role -2. In the AWS console, assign the Palette required IAM policies to the role or the IAM user that Palette will use. +#### Add AWS GovCloud Account to Palette -3. Log in to [Palette](https://console.spectrocloud.com) as Tenant admin. +1. Log in to [Palette](https://console.spectrocloud.com) as tenant admin. -4. From the left **Main Menu**, click on **Tenant Settings**. +2. From the left **Main Menu**, click on **Tenant Settings**. -5. Select **Cloud Accounts**, and click **+Add AWS Account**. +3. Select **Cloud Accounts**, and click **Add AWS Account**. -6. In the cloud account creation wizard provide the following information: +4. In the cloud account creation wizard provide the following information: - **Account Name:** Custom name for the cloud account. - **Description:** Optional description for the cloud account. 
- - **Partition:** Choose **AWS GovCloud US** from the drop-down menu. + + - **Partition:** Choose **AWS US Gov** from the **drop-down Menu**. - **Credentials:** + - AWS Access key + - AWS Secret access key -7. Click on the **Validate** button to validate the credentials. +5. **Validate** the credentials. -8. Once the credentials are validated, the **Add IAM Policies** toggle displays. Toggle **Add IAM Policies** on. +6. Once the credentials are validated, verified by a green check mark, the **Add IAM Policies** toggle is displayed. Toggle **Add IAM Policies** on. -9. Use the **drop-down Menu**, which lists available IAM policies in your AWS account, to select any desired IAM - policies you want to assign to Palette IAM role or IAM user. +7. Use the **drop-down Menu**, which lists available IAM policies in your AWS account, to select any desired IAM + policies you want to assign to the Palette IAM role or IAM user. #### Validate -You can validate the account is available in Palette by reviewing the list of cloud accounts. To review the list of -cloud accounts navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click **Cloud Accounts**. Your +You can verify that the account is available in Palette by reviewing the list of cloud accounts. To review the list of +cloud accounts, navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click **Cloud Accounts**. Your newly added AWS cloud account is listed under the AWS section. ### Dynamic Access Credentials 
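Review bot: In `+6. Once the credentials are validated, verified by a green check mark, the **Add IAM Policies** toggle is displayed.` the clause `verified by a green check mark` reads as a second verification step; write `(a green check mark appears)` or `indicated by a green check mark`. The same sentence is repeated in both AWS Secret Cloud step lists later in the patch. Also, `+ - **Partition:** Choose **AWS US Gov** from the **drop-down Menu**.` renames the option from `AWS GovCloud US`; confirm the label matches the current wizard, since the section heading in this same hunk still says `AWS GovCloud Account (US)`.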
@@ -165,13 +173,16 @@ Use the steps below to add an AWS cloud account using STS credentials. #### Prerequisites +- A Palette account with [tenant admin](../../../tenant-settings/tenant-settings.md) access + - If you are using a self-hosted instance of Palette or VerteX, you must configure an AWS account at the instance-level to allow tenants to add AWS accounts using STS. For more information, refer to [Enable Adding AWS Accounts Using STS - Palette](../../../enterprise-version/system-management/configure-aws-sts-account.md) or [Enable Adding AWS Accounts Using STS - VerteX](../../../vertex/system-management/configure-aws-sts-account.md) -- An AWS account -- Sufficient access to create an IAM role or IAM user. -- Palette IAM policies. Please review the [Required IAM Policies](required-iam-policies.md) section for guidance. + +- An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette + +- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role #### Add AWS GovCloud Account to Palette 
@@ -179,13 +190,13 @@ Use the steps below to add an AWS cloud account using STS credentials. 2. From the left **Main Menu**, click on **Tenant Settings**. -3. Select **Cloud Accounts**, and click **+Add AWS Account**. +3. Select **Cloud Accounts**, and click **Add AWS Account**. -4. In the cloud account creation wizard give the following information: +4. In the cloud account creation wizard, enter the following information: - **Account Name** - **Description** - - Select **STS** authentication for validation: + - Select **STS** authentication for validation. 5. You will be provided with information on the right side of the wizard. You will need this information to create an IAM Role for Palette. The following table lists the information provided by the wizard after you select **STS**. 
@@ -199,25 +210,134 @@ Use the steps below to add an AWS cloud account using STS credentials. | **Permissions Policy** | Search and select the 4 policies added in step #2. | | **Role Name** | SpectroCloudRole. | -6. In the AWS console, create a new IAM role for Palette. Use the following resources if you need additional help. +6. In the AWS console, browse to the **Role Details** page and copy the ARN for the role. + +7. In Palette, paste the role ARN into the **ARN** input box. + +8. **Validate** the credentials. - - [IAM Role creation guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html). - - [IAM User creation guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html). +#### Validate + +You can verify that the account is available in Palette by reviewing the list of cloud accounts. To review the list of +cloud accounts, navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click on **Cloud Accounts**. Your +newly added AWS cloud account is listed under the AWS sections. + +## AWS Secret Cloud Account (US) + +You can configure AWS Secret Cloud accounts in Palette VerteX to deploy AWS EKS clusters in the AWS Secret region. Depending on your organization's compliance requirements, you can choose between standard authentication (standard access credentials) or secure compliance validation using your SC2S Access Portal (SCAP) credentials. + +:::preview + +::: + +### Limitations + +- Only Amazon Linux 2-based container images and operating systems are supported for workloads and Kubernetes nodes. + +- User-provided Certificate Authority (CA) certificates are not automatically mounted on worker nodes in EKS clusters that are deployed in the AWS Secret region. 
As a result, applications or services that rely on custom CAs for Transport Layer Security (TLS) communication may fail to establish secure connections, and integrations with external services that require custom CAs may encounter Secure Socket Layer (SSL) or TLS verification issues. + + - Workloads requiring custom CAs for internal trust validation must use an alternative configuration, such as using a [sidecar container](https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/) to provide the CA certificate at runtime or embedding the CA certificate within the application. For guidance on embedding certificates within applications, refer to the official Kubernetes documentation on [using Secrets as files from a Pod](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod) and [creating pods that access Secret data through a Volume](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume). -7. In the AWS console, assign the [Palette required IAM policies](required-iam-policies.md) to the role that Palette - will use. +### Prerequisites -8. In the AWS console, browse to the **Role Details** page and copy the Amazon Resource Name (ARN) for the role. +- [Palette VerteX installed](../../../vertex/install-palette-vertex/install-palette-vertex.md) and [tenant admin](../../../tenant-settings/tenant-settings.md) access -9. In Palette, paste the role ARN into the **ARN** input box. +- The **AwsSecretPartition** [feature flag](../../../vertex/system-management/feature-flags.md) enabled in the Palette VerteX [system console](../../../vertex/system-management/system-management.md) -10. Click on the **Validate** button to validate the credentials. 
+- An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette VerteX + +- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette VerteX IAM user or IAM role + +- A secure connection to your AWS Secret Cloud account, such as via a Private Cloud Gateway (PCG) or Wide Area Network (WAN) tunnel + +### Static Access Credentials + +Use the steps below to add an AWS Secret Cloud account using static access credentials. + +#### Add AWS Secret Cloud to Palette VerteX + +1. Log in to [Palette](https://console.spectrocloud.com) as tenant admin. + +2. From the left **Main Menu**, click on **Tenant Settings**. + +3. Select **Cloud Accounts**, and click **Add AWS Account**. + +4. In the cloud account creation wizard provide the following information: + + - **Account Name:** Custom name for the cloud account. + + - **Description:** Optional description for the cloud account. + + - **Partition:** Choose **AWS US Secret** from the **drop-down Menu**. + + - **Credentials:** + + - AWS Access key + + - AWS Secret access key + + - **Certificate Authority:** Paste the root, intermediate, or chain of trust certificate in PEM-encoded format. Contact your organization's security team or AWS Secret Cloud administrator to obtain this certificate. + +5. **Validate** the credentials. + +6. Once the credentials are validated, verified by a green check mark, the **Add IAM Policies** toggle is displayed. Toggle **Add IAM Policies** on. + +7. Use the **drop-down Menu**, which lists available IAM policies in your AWS account, to select any desired IAM + policies you want to assign to the Palette IAM role or IAM user. + +8. If you are using a PCG to connect to your AWS Secret Cloud account, toggle **Connect Private Cloud Gateway** on, and select a **Private Cloud Gateway** from the list. 
This list is populated automatically with the **Private Cloud Gateways** listed in **Tenant Settings**. For more information, refer to the [Private Cloud Gateway](../../../clusters/pcg/pcg.md) page. + +9. **Confirm** your AWS Secret Cloud account. #### Validate -You can validate the account is available in Palette by reviewing the list of cloud accounts. To review the list of -cloud accounts navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click on **Cloud Accounts**. Your -newly added AWS cloud account is listed under the AWS sections. +You can verify that the account is available in Palette by reviewing the list of cloud accounts. To review the list of +cloud accounts, navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click **Cloud Accounts**. Your +newly added AWS cloud account is listed under the AWS section. + +### Secure Compliance Validation Credentials + +Use the steps below to add an AWS Secret Cloud account using SCAP secure compliance validation credentials. + +#### Add AWS Secret Cloud to Palette VerteX + +1. Log in to [Palette](https://console.spectrocloud.com) as Tenant admin. + +2. From the left **Main Menu**, click on **Tenant Settings**. + +3. Select **Cloud Accounts**, and click **Add AWS Account**. + +4. In the cloud account creation wizard, enter the following information: + + - **Account Name:** Custom name for the cloud account. + + - **Description:** Optional description for the cloud account. + + - **Partition:** Choose **AWS US Secret** from the **drop-down Menu**. + +5. Toggle on **Secure Compliance Validation** and enter the following information. + + | **Parameter** | **Description** | + | ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | **Agency Name** | Enter the SCAP agency name. 
| + | **Account Name** | Enter the SCAP account name or number. | + | **CAP/SCAP Role Name** | Enter the role name provided by SCAP administrator. This role determines the AWS permissions granted to the account. Note that AWS Top Secret Cloud Access Portal (CAP) credentials are not supported at this time. | + | **Role Prefix (Optional)** | Choose a prefix to standardize role names. If no prefix is provided, a default prefix of `PROJECT_` is used. For example, if the initial role name is `DevOpsRole`, the full role name would be `PROJECT_DevOpsRole`. | + | **Permission Boundary (Optional)** | If you want to apply a permission boundary and limit the maximum permissions a role or user can have, provide the IAM policy ARN (for example, `arn:aws:iam::123456789012:policy/MyPermissionBoundaryPolicy`). Refer to the AWS [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) page for additional information on permission boundaries. | + | **Certificate Authority** | Paste the root, intermediate, or chain of trust certificate in PEM-encoded format. Contact your organization's security team or AWS Secret Cloud administrator to obtain this certificate. | + | **User Certificate** | Paste your user-issued digital certificate in PEM-encoded format. | + | **User Key** | Provide the private cryptographic key associated with the user certificate in PEM-encoded format. | + +6. **Validate** the credentials. + +7. Once the credentials are validated, verified by a green check mark, the **Add IAM Policies** toggle is displayed. Toggle **Add IAM Policies** on. + +8. Use the **drop-down Menu**, which lists available IAM policies in your AWS account, to select any desired IAM + policies you want to assign to the Palette IAM role or IAM user. + +9. If you are using a PCG to connect to your AWS Secret Cloud account, toggle **Connect Private Cloud Gateway** on, and select a **Private Cloud Gateway** from the list. 
This list is populated automatically with the **Private Cloud Gateways** listed in **Tenant Settings**. For more information, refer to the [Private Cloud Gateway](../../../clusters/pcg/pcg.md) page. + +10. **Confirm** your AWS Secret Cloud account. ## Next Steps @@ -225,5 +345,7 @@ Now that you have added an AWS account to Palette, you can start deploying Kuber learn how to get started with deploying Kubernetes clusters to AWS, check out the following guides: - [Create and Manage AWS IaaS Cluster](create-cluster.md) + - [Create and Manage AWS EKS Cluster](eks.md) -- [EKS Hybrid Nodes](./eks-hybrid-nodes/eks-hybrid-nodes.md) + +- [EKS Hybrid Nodes](./eks-hybrid-nodes/eks-hybrid-nodes.md) \ No newline at end of file diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 7b897812db..2db9c58cc4 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md @@ -34,6 +34,8 @@ an AWS account. This section guides you on how to create an EKS cluster in AWS t Management Service (KMS) key. If you do not have one, review [Enable Secrets Encryption for EKS Cluster](enable-secrets-encryption-kms-key.md) for guidance. +- If you are deploying your cluster in an [Amazon Secret](./add-aws-accounts.md#aws-secret-cloud-account-us) region, you must configure [Image Swap](../../../clusters/cluster-management/image-swap.md) in the Kubernetes layer of your [cluster profile](../../../profiles/cluster-profiles/cluster-profiles.md) to redirect public image requests to your internal or Elastic Container Registry. + - If you do not provide your own Virtual Private Cloud (VPC), Palette creates one for you with compute, network, and storage resources in AWS when it provisions Kubernetes clusters. Ensure there is sufficient capacity in the preferred AWS region to create the following resources. Note that Palette does not create these resources if you specify an 
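Review bot: The AWS Secret Cloud steps added in the `@@ -199,25 +210,134 @@` hunk tell the reader to `Log in to [Palette](https://console.spectrocloud.com) as tenant admin`, but the section's prerequisites require `Palette VerteX installed` (self-hosted) with the `AwsSecretPartition` feature flag enabled in the VerteX system console, so the SaaS console URL is the wrong target; point both Secret Cloud step lists at the reader's own VerteX tenant console. Smaller points in the same hunk: `+... you can choose between standard authentication (standard access credentials)` should say `static access credentials` to match the `### Static Access Credentials` heading it introduces; `+newly added AWS cloud account is listed under the AWS sections.` in the GovCloud STS Validate block should read `section`, as the other Validate blocks do; and the SCAP list uses `as Tenant admin` where every other list uses `as tenant admin`. In the Secure Compliance Validation table, the Permission Boundary example `arn:aws:iam::123456789012:policy/MyPermissionBoundaryPolicy` uses the commercial `aws` partition prefix, which is not the partition this section configures; use an example ARN carrying the partition identifier the Secret region actually uses. Finally, the `**User Key**` row collects a private key and the static flow collects an AWS secret access key; document how VerteX handles these values after entry (storage at rest, whether they are ever displayed again, how to rotate them), which is the first question a reader adding a SCAP credential will have.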
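Review bot: In the `eks.md` hunk at `@@ -34,6 +34,8 @@`, `+- If you are deploying your cluster in an [Amazon Secret](./add-aws-accounts.md#aws-secret-cloud-account-us) region` uses `Amazon Secret` where the rest of the patch, including the two later rows in `eks.md`, says `AWS Secret`; use one name. `to redirect public image requests to your internal or Elastic Container Registry` also reads as though ECR were the non-internal option; `to your internal registry or to Amazon Elastic Container Registry (ECR)` is clearer.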
@@ -100,10 +102,10 @@ an AWS account. This section guides you on how to create an EKS cluster in AWS t | **Parameter** | **Description** | | --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | - | **Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) for the cluster that contains two subnets in different Availability Zones (AZs), which is required for EKS cluster deployment. Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted.

If you want to place resources into pre-existing VPCs, enable the **Static Placement** option, and provide the VPCID in the **VPCID** field that displays with this option enabled. You will need to specify two subnets in different Availability Zones (AZs). | + | **Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) for the cluster that contains two subnets in different Availability Zones (AZs), which is required for EKS cluster deployment. Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted.

If you want to place resources into pre-existing VPCs, enable the **Static Placement** option, and provide the VPCID in the **VPCID** field that displays with this option enabled. If you are deploying your cluster in an [AWS Secret](./add-aws-accounts.md#aws-secret-cloud-account-us) region, static placement is required.You will need to specify two subnets in different Availability Zones (AZs). | | **Region** | Use the **drop-down Menu** to choose the AWS region where you would like to provision the cluster. | | **SSH Key Pair Name** | Choose the SSH key pair for the region you selected. SSH key pairs must be pre-configured in your AWS environment. This is called an EC2 Key Pair in AWS. The key you select is inserted into the provisioned VMs. | - | **Cluster Endpoint Access** | This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide. | + | **Cluster Endpoint Access** | This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**. If you are deploying your cluster in an [AWS Secret](./add-aws-accounts.md#aws-secret-cloud-account-us) region, use **Private & Public**. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide. | | **Public Access CIDRs** | This setting controls which IP address CIDR ranges can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide. | | **Private Access CIDRs** | This setting controls which private IP address CIDR ranges can access the cluster. 
Private CIDRs provide a way to specify private, self-hosted, and air-gapped networks or Private Cloud Gateway (PCG) that may be located in other VPCs connected to the VPC hosting the cluster endpoint.

To restrict network access, replace the pre-populated 0.0.0.0/0 with the IP address CIDR range that should be allowed access to the cluster endpoint. Only the IP addresses that are within the specified VPC CIDR range - and any other connected VPCs - will be able to reach the private endpoint. For example, while using `0.0.0.0/0` would allow traffic throughout the VPC and all peered VPCs, specifying the VPC CIDR `10.0.0.0/16` would limit traffic to an individual VPC. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide. | | **Enable Encryption** | Use this option for secrets encryption. You must have an existing AWS Key Management Service (KMS) key you can use. Toggle the **Enable encryption** option and use the **drop-down Menu** in the **ARN** field to select the KMS key ARN.

If you do not have a KMS key and want to create one to use this option, review [Enable Secrets Encryption for EKS Cluster](enable-secrets-encryption-kms-key.md). Once your KMS key is created, return to this Cluster Config step to enable secrets encryption and specify the KMS key ARN. | @@ -277,4 +279,4 @@ For guidance in setting up kubectl, review the [Kubectl](../../cluster-managemen - [Create Role Bindings](../../cluster-management/cluster-rbac.md#create-role-bindings). -- [Use RBAC with OIDC](../../../integrations/kubernetes.md#use-rbac-with-oidc) +- [Use RBAC with OIDC](../../../integrations/kubernetes.md#use-rbac-with-oidc) \ No newline at end of file From 4038ebadaa1102f213d0d4bdeb71e87f0ab07b04 Mon Sep 17 00:00:00 2001 From: achuribooks <182707758+achuribooks@users.noreply.github.com> Date: Mon, 3 Feb 2025 13:56:22 +0000 Subject: [PATCH 02/12] ci: auto-formatting prettier issues --- .../public-cloud/aws/add-aws-accounts.md | 136 ++++++++++-------- .../clusters/public-cloud/aws/eks.md | 11 +- 2 files changed, 84 insertions(+), 63 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md index ba1734e6a3..ddb37a735b 100644 --- a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md +++ b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md 
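Review bot: in the Cluster Endpoint Access row of the eks.md hunk in PATCH 01, the new sentence "If you are deploying your cluster in an AWS Secret region, use **Private & Public**" states the requirement without its reason or its consequence. The very next row still tells the reader to enter `0.0.0.0/0` for unrestricted access, so a Secret-region cluster built by following this page as written ends up with a public API endpoint reachable from every source the partition can route. Suggest saying why the public endpoint is needed (which component, such as the PCG or the VerteX management plane, must reach the API server) and adding that **Public Access CIDRs** should then be narrowed to that component's egress ranges instead of the default. Same hunk, Static Placement row: "required.You will need" is missing the space after the period.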
@@ -8,26 +8,23 @@ sidebar_position: 10 --- Palette supports integration with Amazon Web Services (AWS) Cloud Accounts, including -[AWS GovCloud (US)](https://aws.amazon.com/govcloud-us/?whats-new-ess.sort-by=item.additionalFields.postDateTime&whats-new-ess.sort-order=desc) and [AWS Secret Cloud (US)](https://aws.amazon.com/federal/secret-cloud/) -accounts. This section explains how to create an AWS cloud account in Palette. You can use any of the following -authentication methods to register your cloud account. +[AWS GovCloud (US)](https://aws.amazon.com/govcloud-us/?whats-new-ess.sort-by=item.additionalFields.postDateTime&whats-new-ess.sort-order=desc) +and [AWS Secret Cloud (US)](https://aws.amazon.com/federal/secret-cloud/) accounts. This section explains how to create +an AWS cloud account in Palette. You can use any of the following authentication methods to register your cloud account. - AWS - + - [Static Access Credentials](#static-access-credentials) - - [Dynamic Access Credentials](#dynamic-access-credentials) - + - AWS GovCloud (US) - + - [Static Access Credentials](#static-access-credentials-1) - - [Dynamic Access Credentials](#dynamic-access-credentials-1) - + - AWS Secret Cloud (SC2S) (US) - + - [Static Access Credentials](#static-access-credentials-2) - - [Secure Compliance Validation Credentials](#secure-compliance-validation-credentials) ## AWS Account 
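Review bot: the GovCloud link in this hunk carries a tracking query string (`?whats-new-ess.sort-by=item.additionalFields.postDateTime&whats-new-ess.sort-order=desc`) that only encodes a console sort state; trim it to `https://aws.amazon.com/govcloud-us/`. Also, the list entry reads "AWS Secret Cloud (SC2S) (US)" while the section it links to is titled "AWS Secret Cloud Account (US)"; expand the SC2S acronym once on first use (SCAP is expanded later, SC2S never is) and use the same name in the list and the heading.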
@@ -42,7 +39,8 @@ Use the steps below to add an AWS cloud account using static access credentials. - A Palette account with [tenant admin](../../../tenant-settings/tenant-settings.md) access -- An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette +- An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or + [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette - An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role @@ -69,7 +67,8 @@ Use the steps below to add an AWS cloud account using Security Token Service (ST [Enable Adding AWS Accounts Using STS - Palette](../../../enterprise-version/system-management/configure-aws-sts-account.md) or [Enable Adding AWS Accounts Using STS - VerteX](../../../vertex/system-management/configure-aws-sts-account.md) -- An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette +- An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or + [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette - An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role 
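Review bot: in the `@@ -42,7 +39,8 @@` hunk the static-credentials prerequisite still offers "an IAM role or IAM user for Palette", but the procedure it introduces asks for an AWS access key and secret access key, and IAM issues long-term access keys to IAM users only, not to roles. Suggest wording the static-credentials prerequisite as an IAM user with an access key pair and keeping the role-or-user alternative for the STS section (`@@ -69,7 +67,8 @@`), where a role is what gets assumed. The same sentence is repeated in the GovCloud and Secret Cloud static-credentials prerequisites later in this patch and should change there too.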
@@ -84,9 +83,7 @@ Use the steps below to add an AWS cloud account using Security Token Service (ST 4. In the cloud account creation wizard, enter the following information: - **Account Name**: Custom name for the cloud account. - - **Description**: Optional description for the cloud account. - - Select **STS** authentication for validation. 5. You will be provided with information on the right side of the wizard. You will need this information to create an @@ -105,13 +102,13 @@ Use the steps below to add an AWS cloud account using Security Token Service (ST 7. In Palette, paste the role ARN into the **ARN** field. -8. **Validate** the credentials. +8. **Validate** the credentials. #### Validate You can verify that the account is available in Palette by reviewing the list of cloud accounts. To review the list of -cloud accounts, navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click on **Cloud Accounts**. Your -newly added AWS cloud account is listed under the AWS section. +cloud accounts, navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click on **Cloud Accounts**. +Your newly added AWS cloud account is listed under the AWS section. ## AWS GovCloud Account (US) @@ -128,7 +125,8 @@ Use the steps below to add an AWS cloud account using static access credentials. - A Palette account with [tenant admin](../../../tenant-settings/tenant-settings.md) access -- An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette +- An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or + [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette - An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role 
@@ -145,18 +143,17 @@ Use the steps below to add an AWS cloud account using static access credentials. - **Account Name:** Custom name for the cloud account. - **Description:** Optional description for the cloud account. - - **Partition:** Choose **AWS US Gov** from the **drop-down Menu**. - **Credentials:** - + - AWS Access key - - AWS Secret access key 5. **Validate** the credentials. -6. Once the credentials are validated, verified by a green check mark, the **Add IAM Policies** toggle is displayed. Toggle **Add IAM Policies** on. +6. Once the credentials are validated, verified by a green check mark, the **Add IAM Policies** toggle is displayed. + Toggle **Add IAM Policies** on. 7. Use the **drop-down Menu**, which lists available IAM policies in your AWS account, to select any desired IAM policies you want to assign to the Palette IAM role or IAM user. @@ -180,7 +177,8 @@ Use the steps below to add an AWS cloud account using STS credentials. [Enable Adding AWS Accounts Using STS - Palette](../../../enterprise-version/system-management/configure-aws-sts-account.md) or [Enable Adding AWS Accounts Using STS - VerteX](../../../vertex/system-management/configure-aws-sts-account.md) -- An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette +- An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or + [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette - An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role 
@@ -214,17 +212,19 @@ Use the steps below to add an AWS cloud account using STS credentials. 7. In Palette, paste the role ARN into the **ARN** input box. -8. **Validate** the credentials. +8. **Validate** the credentials. #### Validate You can verify that the account is available in Palette by reviewing the list of cloud accounts. To review the list of -cloud accounts, navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click on **Cloud Accounts**. Your -newly added AWS cloud account is listed under the AWS sections. +cloud accounts, navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click on **Cloud Accounts**. +Your newly added AWS cloud account is listed under the AWS sections. ## AWS Secret Cloud Account (US) -You can configure AWS Secret Cloud accounts in Palette VerteX to deploy AWS EKS clusters in the AWS Secret region. Depending on your organization's compliance requirements, you can choose between standard authentication (standard access credentials) or secure compliance validation using your SC2S Access Portal (SCAP) credentials. +You can configure AWS Secret Cloud accounts in Palette VerteX to deploy AWS EKS clusters in the AWS Secret region. +Depending on your organization's compliance requirements, you can choose between standard authentication (standard +access credentials) or secure compliance validation using your SC2S Access Portal (SCAP) credentials. :::preview 
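Review bot: the new Secret Cloud intro paragraph in this hunk says you can "choose between standard authentication (standard access credentials) or secure compliance validation", but the two subsections it refers to are titled "Static Access Credentials" and "Secure Compliance Validation Credentials". Use "static access credentials" here so the reader can match the paragraph to the headings and to the anchor list at the top of the page. Minor: the Validate paragraph in the same hunk says the account is listed "under the AWS sections" (plural) where the earlier Validate paragraph says "section".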
@@ -234,21 +234,35 @@ You can configure AWS Secret Cloud accounts in Palette VerteX to deploy AWS EKS - Only Amazon Linux 2-based container images and operating systems are supported for workloads and Kubernetes nodes. -- User-provided Certificate Authority (CA) certificates are not automatically mounted on worker nodes in EKS clusters that are deployed in the AWS Secret region. As a result, applications or services that rely on custom CAs for Transport Layer Security (TLS) communication may fail to establish secure connections, and integrations with external services that require custom CAs may encounter Secure Socket Layer (SSL) or TLS verification issues. - - - Workloads requiring custom CAs for internal trust validation must use an alternative configuration, such as using a [sidecar container](https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/) to provide the CA certificate at runtime or embedding the CA certificate within the application. For guidance on embedding certificates within applications, refer to the official Kubernetes documentation on [using Secrets as files from a Pod](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod) and [creating pods that access Secret data through a Volume](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume). +- User-provided Certificate Authority (CA) certificates are not automatically mounted on worker nodes in EKS clusters + that are deployed in the AWS Secret region. As a result, applications or services that rely on custom CAs for + Transport Layer Security (TLS) communication may fail to establish secure connections, and integrations with external + services that require custom CAs may encounter Secure Socket Layer (SSL) or TLS verification issues. 
+ + - Workloads requiring custom CAs for internal trust validation must use an alternative configuration, such as using a + [sidecar container](https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/) to provide the CA + certificate at runtime or embedding the CA certificate within the application. For guidance on embedding + certificates within applications, refer to the official Kubernetes documentation on + [using Secrets as files from a Pod](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod) + and + [creating pods that access Secret data through a Volume](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume). ### Prerequisites -- [Palette VerteX installed](../../../vertex/install-palette-vertex/install-palette-vertex.md) and [tenant admin](../../../tenant-settings/tenant-settings.md) access +- [Palette VerteX installed](../../../vertex/install-palette-vertex/install-palette-vertex.md) and + [tenant admin](../../../tenant-settings/tenant-settings.md) access -- The **AwsSecretPartition** [feature flag](../../../vertex/system-management/feature-flags.md) enabled in the Palette VerteX [system console](../../../vertex/system-management/system-management.md) +- The **AwsSecretPartition** [feature flag](../../../vertex/system-management/feature-flags.md) enabled in the Palette + VerteX [system console](../../../vertex/system-management/system-management.md) -- An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette VerteX +- An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or + [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette VerteX -- An AWS account 
with the [required IAM policies](required-iam-policies.md) assigned to the Palette VerteX IAM user or IAM role +- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette VerteX IAM user or + IAM role -- A secure connection to your AWS Secret Cloud account, such as via a Private Cloud Gateway (PCG) or Wide Area Network (WAN) tunnel +- A secure connection to your AWS Secret Cloud account, such as via a Private Cloud Gateway (PCG) or Wide Area Network + (WAN) tunnel ### Static Access Credentials 
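Review bot: the custom-CA limitation in this hunk offers sidecars or embedding as the workaround, which only covers application pods. Because the CA is not on the worker node, anything the node itself does over TLS (the container runtime pulling from an internal registry fronted by that CA, for example) is not helped by a sidecar, and the page should say so, particularly since the EKS prerequisites in this same patch tell Secret-region users to redirect image pulls to an internal registry. Two smaller points: a CA certificate is public data, so the "embedding" links should also point at mounting a ConfigMap rather than only at Secret volumes; and the prerequisite "A secure connection to your AWS Secret Cloud account, such as via a PCG or WAN tunnel" should name which component needs the connection (the VerteX management plane, or a PCG acting for it) and what it must reach, so readers can verify connectivity before starting the wizard.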
@@ -267,25 +281,28 @@ Use the steps below to add an AWS Secret Cloud account using static access crede - **Account Name:** Custom name for the cloud account. - **Description:** Optional description for the cloud account. - - **Partition:** Choose **AWS US Secret** from the **drop-down Menu**. - **Credentials:** - + - AWS Access key - - AWS Secret access key - - - **Certificate Authority:** Paste the root, intermediate, or chain of trust certificate in PEM-encoded format. Contact your organization's security team or AWS Secret Cloud administrator to obtain this certificate. + + - **Certificate Authority:** Paste the root, intermediate, or chain of trust certificate in PEM-encoded format. + Contact your organization's security team or AWS Secret Cloud administrator to obtain this certificate. 5. **Validate** the credentials. -6. Once the credentials are validated, verified by a green check mark, the **Add IAM Policies** toggle is displayed. Toggle **Add IAM Policies** on. +6. Once the credentials are validated, verified by a green check mark, the **Add IAM Policies** toggle is displayed. + Toggle **Add IAM Policies** on. 7. Use the **drop-down Menu**, which lists available IAM policies in your AWS account, to select any desired IAM policies you want to assign to the Palette IAM role or IAM user. -8. If you are using a PCG to connect to your AWS Secret Cloud account, toggle **Connect Private Cloud Gateway** on, and select a **Private Cloud Gateway** from the list. This list is populated automatically with the **Private Cloud Gateways** listed in **Tenant Settings**. For more information, refer to the [Private Cloud Gateway](../../../clusters/pcg/pcg.md) page. +8. If you are using a PCG to connect to your AWS Secret Cloud account, toggle **Connect Private Cloud Gateway** on, and + select a **Private Cloud Gateway** from the list. This list is populated automatically with the **Private Cloud + Gateways** listed in **Tenant Settings**. 
For more information, refer to the + [Private Cloud Gateway](../../../clusters/pcg/pcg.md) page. 9. **Confirm** your AWS Secret Cloud account. 
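Review bot: step 4 of this hunk adds a **Certificate Authority** field beside the access keys without saying what the certificate is used for. Readers will paste whatever PEM they are handed; state explicitly what it trusts (presumably the CA that issues the TLS certificates of the SC2S service endpoints, so VerteX can validate them) and in which order a chain should be pasted. Step 7 invites the reader to attach "any desired IAM policies"; for a credential that a management plane holds long term, point to [required IAM policies](required-iam-policies.md) and say that nothing beyond that set should be attached. The same wording appears in step 8 of the SCAP procedure below.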
@@ -312,30 +329,33 @@ Use the steps below to add an AWS Secret Cloud account using SCAP secure complia - **Account Name:** Custom name for the cloud account. - **Description:** Optional description for the cloud account. - - **Partition:** Choose **AWS US Secret** from the **drop-down Menu**. 5. Toggle on **Secure Compliance Validation** and enter the following information. - | **Parameter** | **Description** | - | ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | - | **Agency Name** | Enter the SCAP agency name. | - | **Account Name** | Enter the SCAP account name or number. | - | **CAP/SCAP Role Name** | Enter the role name provided by SCAP administrator. This role determines the AWS permissions granted to the account. Note that AWS Top Secret Cloud Access Portal (CAP) credentials are not supported at this time. | - | **Role Prefix (Optional)** | Choose a prefix to standardize role names. If no prefix is provided, a default prefix of `PROJECT_` is used. For example, if the initial role name is `DevOpsRole`, the full role name would be `PROJECT_DevOpsRole`. | - | **Permission Boundary (Optional)** | If you want to apply a permission boundary and limit the maximum permissions a role or user can have, provide the IAM policy ARN (for example, `arn:aws:iam::123456789012:policy/MyPermissionBoundaryPolicy`). Refer to the AWS [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) page for additional information on permission boundaries. | - | **Certificate Authority** | Paste the root, intermediate, or chain of trust certificate in PEM-encoded format. Contact your organization's security team or AWS Secret Cloud administrator to obtain this certificate. | - | **User Certificate** | Paste your user-issued digital certificate in PEM-encoded format. 
| - | **User Key** | Provide the private cryptographic key associated with the user certificate in PEM-encoded format. | + | **Parameter** | **Description** | + | ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | **Agency Name** | Enter the SCAP agency name. | + | **Account Name** | Enter the SCAP account name or number. | + | **CAP/SCAP Role Name** | Enter the role name provided by SCAP administrator. This role determines the AWS permissions granted to the account. Note that AWS Top Secret Cloud Access Portal (CAP) credentials are not supported at this time. | + | **Role Prefix (Optional)** | Choose a prefix to standardize role names. If no prefix is provided, a default prefix of `PROJECT_` is used. For example, if the initial role name is `DevOpsRole`, the full role name would be `PROJECT_DevOpsRole`. | + | **Permission Boundary (Optional)** | If you want to apply a permission boundary and limit the maximum permissions a role or user can have, provide the IAM policy ARN (for example, `arn:aws:iam::123456789012:policy/MyPermissionBoundaryPolicy`). Refer to the AWS [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) page for additional information on permission boundaries. | + | **Certificate Authority** | Paste the root, intermediate, or chain of trust certificate in PEM-encoded format. Contact your organization's security team or AWS Secret Cloud administrator to obtain this certificate. | + | **User Certificate** | Paste your user-issued digital certificate in PEM-encoded format. 
| + | **User Key** | Provide the private cryptographic key associated with the user certificate in PEM-encoded format. | 6. **Validate** the credentials. -7. Once the credentials are validated, verified by a green check mark, the **Add IAM Policies** toggle is displayed. Toggle **Add IAM Policies** on. +7. Once the credentials are validated, verified by a green check mark, the **Add IAM Policies** toggle is displayed. + Toggle **Add IAM Policies** on. 8. Use the **drop-down Menu**, which lists available IAM policies in your AWS account, to select any desired IAM policies you want to assign to the Palette IAM role or IAM user. -9. If you are using a PCG to connect to your AWS Secret Cloud account, toggle **Connect Private Cloud Gateway** on, and select a **Private Cloud Gateway** from the list. This list is populated automatically with the **Private Cloud Gateways** listed in **Tenant Settings**. For more information, refer to the [Private Cloud Gateway](../../../clusters/pcg/pcg.md) page. +9. If you are using a PCG to connect to your AWS Secret Cloud account, toggle **Connect Private Cloud Gateway** on, and + select a **Private Cloud Gateway** from the list. This list is populated automatically with the **Private Cloud + Gateways** listed in **Tenant Settings**. For more information, refer to the + [Private Cloud Gateway](../../../clusters/pcg/pcg.md) page. 10. **Confirm** your AWS Secret Cloud account. @@ -345,7 +365,5 @@ Now that you have added an AWS account to Palette, you can start deploying Kuber learn how to get started with deploying Kubernetes clusters to AWS, check out the following guides: - [Create and Manage AWS IaaS Cluster](create-cluster.md) - - [Create and Manage AWS EKS Cluster](eks.md) - -- [EKS Hybrid Nodes](./eks-hybrid-nodes/eks-hybrid-nodes.md) \ No newline at end of file +- [EKS Hybrid Nodes](./eks-hybrid-nodes/eks-hybrid-nodes.md) 
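Review bot: the Permission Boundary row in this hunk uses `arn:aws:iam::123456789012:policy/MyPermissionBoundaryPolicy` as its example, but `aws` is the commercial partition; resources in the AWS Secret region live in the `aws-iso` partition, so the example on a Secret Cloud page should read `arn:aws-iso:iam::123456789012:policy/MyPermissionBoundaryPolicy`, otherwise readers copying the pattern will build ARNs that do not resolve there. Two further points on the table: the **User Key** row should say how VerteX protects the pasted private key, since this is a PEM private key being pasted into a web form; and "provided by SCAP administrator" in the role-name row needs an article ("by the SCAP administrator").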
diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 2db9c58cc4..bcd96fb236 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md @@ -34,7 +34,10 @@ an AWS account. This section guides you on how to create an EKS cluster in AWS t Management Service (KMS) key. If you do not have one, review [Enable Secrets Encryption for EKS Cluster](enable-secrets-encryption-kms-key.md) for guidance. -- If you are deploying your cluster in an [Amazon Secret](./add-aws-accounts.md#aws-secret-cloud-account-us) region, you must configure [Image Swap](../../../clusters/cluster-management/image-swap.md) in the Kubernetes layer of your [cluster profile](../../../profiles/cluster-profiles/cluster-profiles.md) to redirect public image requests to your internal or Elastic Container Registry. +- If you are deploying your cluster in an [Amazon Secret](./add-aws-accounts.md#aws-secret-cloud-account-us) region, you + must configure [Image Swap](../../../clusters/cluster-management/image-swap.md) in the Kubernetes layer of your + [cluster profile](../../../profiles/cluster-profiles/cluster-profiles.md) to redirect public image requests to your + internal or Elastic Container Registry. - If you do not provide your own Virtual Private Cloud (VPC), Palette creates one for you with compute, network, and storage resources in AWS when it provisions Kubernetes clusters. Ensure there is sufficient capacity in the preferred 
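Review bot: in the `@@ -34,7 +34,10 @@` hunk, "internal or Elastic Container Registry" should give the service its full name on first use, "Amazon Elastic Container Registry (Amazon ECR)". More substantively, this prerequisite should cross-reference the Secret Cloud limitation added in the same patch that user-provided CA certificates are not mounted on worker nodes: if the internal registry that Image Swap redirects to presents a certificate from a private CA, the node's container runtime will not trust it, so the page should state that the target registry must serve a certificate the Amazon Linux 2 node image already trusts, or explain how that case is handled.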
@@ -102,10 +105,10 @@ an AWS account. This section guides you on how to create an EKS cluster in AWS t | **Parameter** | **Description** | | --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | - | **Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) for the cluster that contains two subnets in different Availability Zones (AZs), which is required for EKS cluster deployment. Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted.

If you want to place resources into pre-existing VPCs, enable the **Static Placement** option, and provide the VPCID in the **VPCID** field that displays with this option enabled. If you are deploying your cluster in an [AWS Secret](./add-aws-accounts.md#aws-secret-cloud-account-us) region, static placement is required.You will need to specify two subnets in different Availability Zones (AZs). | + | **Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) for the cluster that contains two subnets in different Availability Zones (AZs), which is required for EKS cluster deployment. Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted.

If you want to place resources into pre-existing VPCs, enable the **Static Placement** option, and provide the VPCID in the **VPCID** field that displays with this option enabled. If you are deploying your cluster in an [AWS Secret](./add-aws-accounts.md#aws-secret-cloud-account-us) region, static placement is required.You will need to specify two subnets in different Availability Zones (AZs). | | **Region** | Use the **drop-down Menu** to choose the AWS region where you would like to provision the cluster. | | **SSH Key Pair Name** | Choose the SSH key pair for the region you selected. SSH key pairs must be pre-configured in your AWS environment. This is called an EC2 Key Pair in AWS. The key you select is inserted into the provisioned VMs. | - | **Cluster Endpoint Access** | This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**. If you are deploying your cluster in an [AWS Secret](./add-aws-accounts.md#aws-secret-cloud-account-us) region, use **Private & Public**. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide. | + | **Cluster Endpoint Access** | This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**. If you are deploying your cluster in an [AWS Secret](./add-aws-accounts.md#aws-secret-cloud-account-us) region, use **Private & Public**. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide. | | **Public Access CIDRs** | This setting controls which IP address CIDR ranges can access the cluster. To fully allow unrestricted network access, enter `0.0.0.0/0` in the field. 
For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide. | | **Private Access CIDRs** | This setting controls which private IP address CIDR ranges can access the cluster. Private CIDRs provide a way to specify private, self-hosted, and air-gapped networks or Private Cloud Gateway (PCG) that may be located in other VPCs connected to the VPC hosting the cluster endpoint.

To restrict network access, replace the pre-populated 0.0.0.0/0 with the IP address CIDR range that should be allowed access to the cluster endpoint. Only the IP addresses that are within the specified VPC CIDR range - and any other connected VPCs - will be able to reach the private endpoint. For example, while using `0.0.0.0/0` would allow traffic throughout the VPC and all peered VPCs, specifying the VPC CIDR `10.0.0.0/16` would limit traffic to an individual VPC. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide. | | **Enable Encryption** | Use this option for secrets encryption. You must have an existing AWS Key Management Service (KMS) key you can use. Toggle the **Enable encryption** option and use the **drop-down Menu** in the **ARN** field to select the KMS key ARN.

If you do not have a KMS key and want to create one to use this option, review [Enable Secrets Encryption for EKS Cluster](enable-secrets-encryption-kms-key.md). Once your KMS key is created, return to this Cluster Config step to enable secrets encryption and specify the KMS key ARN. | @@ -279,4 +282,4 @@ For guidance in setting up kubectl, review the [Kubectl](../../cluster-managemen - [Create Role Bindings](../../cluster-management/cluster-rbac.md#create-role-bindings). -- [Use RBAC with OIDC](../../../integrations/kubernetes.md#use-rbac-with-oidc) \ No newline at end of file +- [Use RBAC with OIDC](../../../integrations/kubernetes.md#use-rbac-with-oidc) From 1a9a249c636eed7e7de9b715c6db8bf88d6019dc Mon Sep 17 00:00:00 2001 From: Amanda Churi Filanowski Date: Mon, 3 Feb 2025 09:08:18 -0500 Subject: [PATCH 03/12] Fixing spacing --- docs/docs-content/clusters/public-cloud/aws/eks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index bcd96fb236..9fb6624415 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md 
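Review bot: in the Static Placement row of this hunk, "Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted" reads oddly because the preceding sentence describes a VPC, not clusters; "in this VPC" is what is meant. "VPCID" should be "VPC ID" in both places, and "required.You will need" is still missing its space after prettier ran. The row also says two subnets in different AZs must be specified for static placement, but the only field it describes is the VPC ID; say where the subnet IDs are entered.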
@@ -105,7 +105,7 @@ an AWS account. This section guides you on how to create an EKS cluster in AWS t | **Parameter** | **Description** | | --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | - | **Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) for the cluster that contains two subnets in different Availability Zones (AZs), which is required for EKS cluster deployment. Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted.

If you want to place resources into pre-existing VPCs, enable the **Static Placement** option, and provide the VPCID in the **VPCID** field that displays with this option enabled. If you are deploying your cluster in an [AWS Secret](./add-aws-accounts.md#aws-secret-cloud-account-us) region, static placement is required.You will need to specify two subnets in different Availability Zones (AZs). | + | **Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) for the cluster that contains two subnets in different Availability Zones (AZs), which is required for EKS cluster deployment. Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted.

If you want to place resources into pre-existing VPCs, enable the **Static Placement** option, and provide the VPCID in the **VPCID** field that displays with this option enabled. If you are deploying your cluster in an [AWS Secret](./add-aws-accounts.md#aws-secret-cloud-account-us) region, static placement is required. You will need to specify two subnets in different Availability Zones (AZs). | | **Region** | Use the **drop-down Menu** to choose the AWS region where you would like to provision the cluster. | | **SSH Key Pair Name** | Choose the SSH key pair for the region you selected. SSH key pairs must be pre-configured in your AWS environment. This is called an EC2 Key Pair in AWS. The key you select is inserted into the provisioned VMs. | | **Cluster Endpoint Access** | This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**. If you are deploying your cluster in an [AWS Secret](./add-aws-accounts.md#aws-secret-cloud-account-us) region, use **Private & Public**. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide. | From cd5c5735f01965d6f392da8e4168a7225364b0ca Mon Sep 17 00:00:00 2001 From: achuribooks <182707758+achuribooks@users.noreply.github.com> Date: Mon, 3 Feb 2025 14:11:24 +0000 Subject: [PATCH 04/12] ci: auto-formatting prettier issues --- docs/docs-content/clusters/public-cloud/aws/eks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md index 9fb6624415..4e8354edf6 100644 --- a/docs/docs-content/clusters/public-cloud/aws/eks.md +++ b/docs/docs-content/clusters/public-cloud/aws/eks.md 
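Review bot: the **Cluster Endpoint Access** row (unchanged context in this hunk) instructs readers deploying in an AWS Secret region to select **Private & Public** without saying why a public Kubernetes API endpoint is needed there; a public endpoint widens the API server's exposure, so state the reason the row is relying on and point readers to the linked Amazon EKS endpoint access guide for restricting the public endpoint to approved source CIDRs. The substantive change in the hunk is only the missing space in `required.You will need`, which is correct. Also consider rewriting the **Static Placement** cell without the blank line inside it: the embedded line breaks are why the whole row appears twice in the diff, and a single-line cell (using `<br />` for the paragraph break) would keep future diffs of this table readable.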
@@ -105,7 +105,7 @@ an AWS account. This section guides you on how to create an EKS cluster in AWS t | **Parameter** | **Description** | | --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | - | **Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) for the cluster that contains two subnets in different Availability Zones (AZs), which is required for EKS cluster deployment. Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted.

If you want to place resources into pre-existing VPCs, enable the **Static Placement** option, and provide the VPCID in the **VPCID** field that displays with this option enabled. If you are deploying your cluster in an [AWS Secret](./add-aws-accounts.md#aws-secret-cloud-account-us) region, static placement is required. You will need to specify two subnets in different Availability Zones (AZs). | + | **Static Placement** | By default, Palette uses dynamic placement. This creates a new Virtual Private Cloud (VPC) for the cluster that contains two subnets in different Availability Zones (AZs), which is required for EKS cluster deployment. Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted.

If you want to place resources into pre-existing VPCs, enable the **Static Placement** option, and provide the VPCID in the **VPCID** field that displays with this option enabled. If you are deploying your cluster in an [AWS Secret](./add-aws-accounts.md#aws-secret-cloud-account-us) region, static placement is required. You will need to specify two subnets in different Availability Zones (AZs). | | **Region** | Use the **drop-down Menu** to choose the AWS region where you would like to provision the cluster. | | **SSH Key Pair Name** | Choose the SSH key pair for the region you selected. SSH key pairs must be pre-configured in your AWS environment. This is called an EC2 Key Pair in AWS. The key you select is inserted into the provisioned VMs. | | **Cluster Endpoint Access** | This setting provides access to the Kubernetes API endpoint. Select **Private**, **Public** or **Private & Public**. If you are deploying your cluster in an [AWS Secret](./add-aws-accounts.md#aws-secret-cloud-account-us) region, use **Private & Public**. For more information, refer to the [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) reference guide. | From b41235e7099da9ce00ff9ea98f7a06bb1ef76fcc Mon Sep 17 00:00:00 2001 From: Amanda Churi Filanowski Date: Mon, 3 Feb 2025 09:33:25 -0500 Subject: [PATCH 05/12] Adjusting Getting Started AWS prereqs to account for updated partial --- docs/docs-content/getting-started/aws/setup.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/docs/docs-content/getting-started/aws/setup.md b/docs/docs-content/getting-started/aws/setup.md index c1c58d1dea..26deedaa0b 100644 --- a/docs/docs-content/getting-started/aws/setup.md +++ b/docs/docs-content/getting-started/aws/setup.md 
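Review bot: no visible textual change appears in this hunk; the `-` and `+` rows for **Static Placement** read identically, so the diff is only table-cell padding from prettier. That is harmless on its own, but it makes the same region of eks.md show as modified twice in the series; squashing this auto-format commit into PATCH 01 would keep `git blame` on the substantive edit.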
@@ -18,14 +18,13 @@ section are centered around a fictional case study company, Spacetastic Ltd. ## Prerequisites -- A Palette account with [tenant admin](../../tenant-settings/tenant-settings.md) access. +- A Palette account with [tenant admin](../../tenant-settings/tenant-settings.md) access -- Sign up to a public cloud account from - [AWS](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account). The AWS cloud account - must have the required [IAM policies](../../clusters/public-cloud/aws/required-iam-policies.md). +- A public [AWS](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account) account -- An SSH key pair available in the region where you want to deploy the cluster. Check out the - [Create EC2 SSH Key Pair](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-key-pairs.html) for guidance. +- An AWS account with an [IAM Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette + +- An AWS account with the [required IAM policies](../../clusters/public-cloud/aws/required-iam-policies.md) assigned to the Palette IAM user or IAM role ## Enablement From 06df48aba694460d5fefbabc2f681fb9a1fefb62 Mon Sep 17 00:00:00 2001 From: achuribooks <182707758+achuribooks@users.noreply.github.com> Date: Mon, 3 Feb 2025 14:36:50 +0000 Subject: [PATCH 06/12] ci: auto-formatting prettier issues --- docs/docs-content/getting-started/aws/setup.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/docs-content/getting-started/aws/setup.md b/docs/docs-content/getting-started/aws/setup.md index 26deedaa0b..2bbb11dd11 100644 --- a/docs/docs-content/getting-started/aws/setup.md +++ b/docs/docs-content/getting-started/aws/setup.md 
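Review bot: the SSH key pair prerequisite is removed from the getting-started prerequisites in this hunk, yet the EKS cluster parameters in the eks.md hunk above still require a pre-configured EC2 key pair in the target region (**SSH Key Pair Name**: `SSH key pairs must be pre-configured in your AWS environment`), so a reader following this path meets that requirement with no warning; keep the bullet, or move it to the cluster-creation step with a reason. Two smaller points: "A public AWS account" reads oddly (if the intent is a commercial, non-GovCloud account, say so), and three consecutive bullets each begin "An AWS account with ...", which could be one bullet with sub-items. The trailing periods dropped here are re-added in PATCH 07, so squashing the two would avoid the churn.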
@@ -22,9 +22,11 @@ section are centered around a fictional case study company, Spacetastic Ltd. - A public [AWS](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account) account -- An AWS account with an [IAM Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette +- An AWS account with an [IAM Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or + [IAM User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette -- An AWS account with the [required IAM policies](../../clusters/public-cloud/aws/required-iam-policies.md) assigned to the Palette IAM user or IAM role +- An AWS account with the [required IAM policies](../../clusters/public-cloud/aws/required-iam-policies.md) assigned to + the Palette IAM user or IAM role ## Enablement From 25e096099095bb8f210b081cb3ba675139a160f5 Mon Sep 17 00:00:00 2001 From: Amanda Churi Filanowski Date: Mon, 3 Feb 2025 12:38:44 -0500 Subject: [PATCH 07/12] Incorporating suggestions from Carolina --- _partials/_aws-static-credentials-setup.mdx | 2 +- .../public-cloud/aws/add-aws-accounts.md | 77 ++++++++++--------- .../docs-content/getting-started/aws/setup.md | 8 +- 3 files changed, 45 insertions(+), 42 deletions(-) diff --git a/_partials/_aws-static-credentials-setup.mdx b/_partials/_aws-static-credentials-setup.mdx index 6810b2847a..b3fb0063a0 100644 --- a/_partials/_aws-static-credentials-setup.mdx +++ b/_partials/_aws-static-credentials-setup.mdx @@ -23,7 +23,7 @@ partial_name: aws-static-credentials - AWS Secret access key -5. **Validate** the credentials. +5. Click the **Validate** button to validate the credentials. 6. Once the credentials are validated, the **Add IAM Policies** toggle is displayed. Toggle **Add IAM Policies** on. 
diff --git a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md index ddb37a735b..f455593ab4 100644 --- a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md +++ b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md @@ -37,12 +37,12 @@ Use the steps below to add an AWS cloud account using static access credentials. #### Prerequisites -- A Palette account with [tenant admin](../../../tenant-settings/tenant-settings.md) access +- A Palette account with [tenant admin](../../../tenant-settings/tenant-settings.md) access. - An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or - [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette + [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette. -- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role +- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role. #### Add AWS Account to Palette 
@@ -60,17 +60,17 @@ Use the steps below to add an AWS cloud account using Security Token Service (ST #### Prerequisites -- A Palette account with [tenant admin](../../../tenant-settings/tenant-settings.md) access +- A Palette account with [tenant admin](../../../tenant-settings/tenant-settings.md) access. - If you are using a self-hosted instance of Palette or VerteX, you must configure an AWS account at the instance-level to allow tenants to add AWS accounts using STS. For more information, refer to [Enable Adding AWS Accounts Using STS - Palette](../../../enterprise-version/system-management/configure-aws-sts-account.md) - or [Enable Adding AWS Accounts Using STS - VerteX](../../../vertex/system-management/configure-aws-sts-account.md) + or [Enable Adding AWS Accounts Using STS - VerteX](../../../vertex/system-management/configure-aws-sts-account.md). - An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or - [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette + [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette. -- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role +- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role. #### Add AWS Account to Palette @@ -102,7 +102,7 @@ Use the steps below to add an AWS cloud account using Security Token Service (ST 7. In Palette, paste the role ARN into the **ARN** field. -8. **Validate** the credentials. +8. Click the **Validate** button to validate the credentials. #### Validate 
@@ -123,12 +123,12 @@ Use the steps below to add an AWS cloud account using static access credentials. #### Prerequisites -- A Palette account with [tenant admin](../../../tenant-settings/tenant-settings.md) access +- A Palette account with [tenant admin](../../../tenant-settings/tenant-settings.md) access. - An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or - [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette + [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette. -- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role +- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role. #### Add AWS GovCloud Account to Palette @@ -150,7 +150,7 @@ Use the steps below to add an AWS cloud account using static access credentials. - AWS Access key - AWS Secret access key -5. **Validate** the credentials. +5. Click the **Validate** button to validate the credentials. 6. Once the credentials are validated, verified by a green check mark, the **Add IAM Policies** toggle is displayed. Toggle **Add IAM Policies** on. 
@@ -170,17 +170,17 @@ Use the steps below to add an AWS cloud account using STS credentials. #### Prerequisites -- A Palette account with [tenant admin](../../../tenant-settings/tenant-settings.md) access +- A Palette account with [tenant admin](../../../tenant-settings/tenant-settings.md) access. - If you are using a self-hosted instance of Palette or VerteX, you must configure an AWS account at the instance-level to allow tenants to add AWS accounts using STS. For more information, refer to [Enable Adding AWS Accounts Using STS - Palette](../../../enterprise-version/system-management/configure-aws-sts-account.md) - or [Enable Adding AWS Accounts Using STS - VerteX](../../../vertex/system-management/configure-aws-sts-account.md) + or [Enable Adding AWS Accounts Using STS - VerteX](../../../vertex/system-management/configure-aws-sts-account.md). - An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or - [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette + [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette. -- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role +- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role. #### Add AWS GovCloud Account to Palette 
@@ -212,19 +212,17 @@ Use the steps below to add an AWS cloud account using STS credentials. 7. In Palette, paste the role ARN into the **ARN** input box. -8. **Validate** the credentials. +8. Click the **Validate** button to validate the credentials. #### Validate You can verify that the account is available in Palette by reviewing the list of cloud accounts. To review the list of cloud accounts, navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click on **Cloud Accounts**. -Your newly added AWS cloud account is listed under the AWS sections. +Your newly added AWS cloud account is listed under the AWS section. ## AWS Secret Cloud Account (US) -You can configure AWS Secret Cloud accounts in Palette VerteX to deploy AWS EKS clusters in the AWS Secret region. -Depending on your organization's compliance requirements, you can choose between standard authentication (standard -access credentials) or secure compliance validation using your SC2S Access Portal (SCAP) credentials. +You can configure [AWS Secret Cloud]((https://aws.amazon.com/federal/secret-cloud/)) accounts in [Palette VerteX](../../../vertex/vertex.md) to deploy AWS EKS clusters in the AWS Secret region. Depending on your organization's compliance requirements, you can choose between standard authentication (standard access credentials) or secure compliance validation using your SC2S Access Portal (SCAP) credentials. :::preview 
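Review bot: the new link in the AWS Secret Cloud intro is malformed: `[AWS Secret Cloud]((https://aws.amazon.com/federal/secret-cloud/))` has doubled parentheses, so Markdown either renders the literal text or links to a destination beginning with `(`; use a single pair. The change from `AWS sections` to `AWS section` in the Validate text is correct. Since the SCAP path later asks for a user certificate and private key while the static path asks for an access key pair, consider stating that difference in this intro so readers can choose the authentication method before opening the wizard.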
@@ -232,7 +230,7 @@ access credentials) or secure compliance validation using your SC2S Access Porta ### Limitations -- Only Amazon Linux 2-based container images and operating systems are supported for workloads and Kubernetes nodes. +- Only Amazon Linux 2-based Amazon Machine Images are supported for Kubernetes control plane and worker nodes. Workloads running inside the cluster should use Amazon Linux 2-based container images to ensure compatibility with the node operating system. - User-provided Certificate Authority (CA) certificates are not automatically mounted on worker nodes in EKS clusters that are deployed in the AWS Secret region. As a result, applications or services that rely on custom CAs for 
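Review bot: the rewritten limitation says Amazon Linux 2 AMIs are required for "Kubernetes control plane and worker nodes", but the control plane of an EKS cluster is managed by AWS and runs no customer-selected AMI, so the restriction can only apply to worker nodes; unless VerteX provisions the control plane differently in the Secret region, reword it to worker nodes. The added sentence "Workloads running inside the cluster should use Amazon Linux 2-based container images to ensure compatibility with the node operating system" also states a compatibility requirement that does not hold for Linux containers in general, which do not need to match the host distribution; if there is a concrete constraint behind it, name it, otherwise drop the sentence so readers do not over-restrict their images.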
@@ -250,19 +248,18 @@ access credentials) or secure compliance validation using your SC2S Access Porta ### Prerequisites - [Palette VerteX installed](../../../vertex/install-palette-vertex/install-palette-vertex.md) and - [tenant admin](../../../tenant-settings/tenant-settings.md) access + [tenant admin](../../../tenant-settings/tenant-settings.md) access. - The **AwsSecretPartition** [feature flag](../../../vertex/system-management/feature-flags.md) enabled in the Palette - VerteX [system console](../../../vertex/system-management/system-management.md) + VerteX [system console](../../../vertex/system-management/system-management.md). - An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or - [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette VerteX + [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette VerteX. - An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette VerteX IAM user or - IAM role + IAM role. -- A secure connection to your AWS Secret Cloud account, such as via a Private Cloud Gateway (PCG) or Wide Area Network - (WAN) tunnel +- A secure connection to your AWS Secret Cloud account, such as via a [Private Cloud Gateway (PCG)](../../../clusters/pcg/pcg.md), Wide Area Network tunnel, or AWS Private Link. PCGs do not require an existing Kubernetes cluster. ### Static Access Credentials @@ -270,7 +267,7 @@ Use the steps below to add an AWS Secret Cloud account using static access crede #### Add AWS Secret Cloud to Palette VerteX -1. Log in to [Palette](https://console.spectrocloud.com) as tenant admin. +1. Log in to Palette VerteX as tenant admin. 2. From the left **Main Menu**, click on **Tenant Settings**. 
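Review bot: in the connectivity prerequisite, `AWS Private Link` should be the product name `AWS PrivateLink`, and the appended sentence "PCGs do not require an existing Kubernetes cluster." reads as an orphan in a prerequisites list, since it is not clear which requirement it relaxes; either move it to the step that describes the **Connect Private Cloud Gateway** toggle or replace it with a link to the PCG page's deployment requirements. With `[Palette](https://console.spectrocloud.com)` correctly replaced by "Log in to Palette VerteX" (VerteX is self-hosted, per the "Palette VerteX installed" prerequisite), consider linking the VerteX documentation the reader needs to reach their own instance.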
@@ -291,7 +288,7 @@ Use the steps below to add an AWS Secret Cloud account using static access crede - **Certificate Authority:** Paste the root, intermediate, or chain of trust certificate in PEM-encoded format. Contact your organization's security team or AWS Secret Cloud administrator to obtain this certificate. -5. **Validate** the credentials. +5. Click the **Validate** button to validate the credentials. 6. Once the credentials are validated, verified by a green check mark, the **Add IAM Policies** toggle is displayed. Toggle **Add IAM Policies** on. @@ -299,12 +296,12 @@ Use the steps below to add an AWS Secret Cloud account using static access crede 7. Use the **drop-down Menu**, which lists available IAM policies in your AWS account, to select any desired IAM policies you want to assign to the Palette IAM role or IAM user. -8. If you are using a PCG to connect to your AWS Secret Cloud account, toggle **Connect Private Cloud Gateway** on, and +8. If you are using a PCG to connect to your AWS Secret Cloud account to Palette VerteX, toggle **Connect Private Cloud Gateway** on, and select a **Private Cloud Gateway** from the list. This list is populated automatically with the **Private Cloud Gateways** listed in **Tenant Settings**. For more information, refer to the [Private Cloud Gateway](../../../clusters/pcg/pcg.md) page. -9. **Confirm** your AWS Secret Cloud account. +9. Click **Confirm** to create your AWS Secret Cloud account. #### Validate @@ -318,7 +315,7 @@ Use the steps below to add an AWS Secret Cloud account using SCAP secure complia #### Add AWS Secret Cloud to Palette VerteX -1. Log in to [Palette](https://console.spectrocloud.com) as Tenant admin. +1. Log in to Palette VerteX as tenant admin. 2. From the left **Main Menu**, click on **Tenant Settings**. 
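Review bot: step 8 as rewritten is ungrammatical: "If you are using a PCG to connect to your AWS Secret Cloud account to Palette VerteX" has one `to` too many and should read "to connect your AWS Secret Cloud account to Palette VerteX". The same phrase is introduced in step 9 of the SCAP section in the next hunk and is carried forward unchanged by the prettier commit (PATCH 08), so fix both occurrences in the source. In the **Certificate Authority** context line, it would help readers to say what the pasted CA chain is used for (validating the TLS chain of the Secret-region AWS endpoints, if that is the case), so they know which chain to request from their security team.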
@@ -337,14 +334,14 @@ Use the steps below to add an AWS Secret Cloud account using SCAP secure complia | ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Agency Name** | Enter the SCAP agency name. | | **Account Name** | Enter the SCAP account name or number. | - | **CAP/SCAP Role Name** | Enter the role name provided by SCAP administrator. This role determines the AWS permissions granted to the account. Note that AWS Top Secret Cloud Access Portal (CAP) credentials are not supported at this time. | + | **CAP/SCAP Role Name** | Enter the role name provided by the SCAP administrator. This role determines the AWS permissions granted to the account. Note that AWS Top Secret Cloud Access Portal (CAP) credentials are not supported at this time. | | **Role Prefix (Optional)** | Choose a prefix to standardize role names. If no prefix is provided, a default prefix of `PROJECT_` is used. For example, if the initial role name is `DevOpsRole`, the full role name would be `PROJECT_DevOpsRole`. | | **Permission Boundary (Optional)** | If you want to apply a permission boundary and limit the maximum permissions a role or user can have, provide the IAM policy ARN (for example, `arn:aws:iam::123456789012:policy/MyPermissionBoundaryPolicy`). Refer to the AWS [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) page for additional information on permission boundaries. | | **Certificate Authority** | Paste the root, intermediate, or chain of trust certificate in PEM-encoded format. 
Contact your organization's security team or AWS Secret Cloud administrator to obtain this certificate. | | **User Certificate** | Paste your user-issued digital certificate in PEM-encoded format. | | **User Key** | Provide the private cryptographic key associated with the user certificate in PEM-encoded format. | -6. **Validate** the credentials. +6. Click the **Validate** button to validate the credentials. 7. Once the credentials are validated, verified by a green check mark, the **Add IAM Policies** toggle is displayed. Toggle **Add IAM Policies** on. @@ -352,12 +349,18 @@ Use the steps below to add an AWS Secret Cloud account using SCAP secure complia 8. Use the **drop-down Menu**, which lists available IAM policies in your AWS account, to select any desired IAM policies you want to assign to the Palette IAM role or IAM user. -9. If you are using a PCG to connect to your AWS Secret Cloud account, toggle **Connect Private Cloud Gateway** on, and +9. If you are using a PCG to connect to your AWS Secret Cloud account to Palette VerteX, toggle **Connect Private Cloud Gateway** on, and select a **Private Cloud Gateway** from the list. This list is populated automatically with the **Private Cloud Gateways** listed in **Tenant Settings**. For more information, refer to the [Private Cloud Gateway](../../../clusters/pcg/pcg.md) page. -10. **Confirm** your AWS Secret Cloud account. +10. Click **Confirm** to create your AWS Secret Cloud account. + +#### Validate + +You can verify that the account is available in Palette by reviewing the list of cloud accounts. To review the list of +cloud accounts, navigate to the left **Main Menu**. Click on **Tenant Settings**. Next, click **Cloud Accounts**. Your +newly added AWS cloud account is listed under the AWS section. ## Next Steps diff --git a/docs/docs-content/getting-started/aws/setup.md b/docs/docs-content/getting-started/aws/setup.md index 26deedaa0b..d378a9ab1d 100644 --- a/docs/docs-content/getting-started/aws/setup.md 
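Review bot: the **Permission Boundary** example ARN `arn:aws:iam::123456789012:policy/MyPermissionBoundaryPolicy` uses the commercial `aws` partition, but an account in the AWS Secret region belongs to the `aws-iso` partition, so the example as written is not a valid ARN for the accounts this section is about; use a partition-appropriate example or note that the prefix differs from the commercial one. The **User Key** row asks for a private key in PEM format to be pasted into the wizard; the page should say how VerteX stores it (and, in the static credentials section, the secret access key), and recommend a dedicated SCAP identity for Palette rather than a personal one so the key can be rotated or revoked independently. The new `#### Validate` section repeats the STS section's Validate text word for word; a partial, as already used for the static credentials steps, would keep the two from drifting.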
+++ b/docs/docs-content/getting-started/aws/setup.md @@ -18,13 +18,13 @@ section are centered around a fictional case study company, Spacetastic Ltd. ## Prerequisites -- A Palette account with [tenant admin](../../tenant-settings/tenant-settings.md) access +- A Palette account with [tenant admin](../../tenant-settings/tenant-settings.md) access. -- A public [AWS](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account) account +- A public [AWS](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account) account. -- An AWS account with an [IAM Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette +- An AWS account with an [IAM Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette. -- An AWS account with the [required IAM policies](../../clusters/public-cloud/aws/required-iam-policies.md) assigned to the Palette IAM user or IAM role +- An AWS account with the [required IAM policies](../../clusters/public-cloud/aws/required-iam-policies.md) assigned to the Palette IAM user or IAM role. ## Enablement From 764d3d0b528db7e38100f368f3defbd844f38a5a Mon Sep 17 00:00:00 2001 From: achuribooks <182707758+achuribooks@users.noreply.github.com> Date: Mon, 3 Feb 2025 17:44:43 +0000 Subject: [PATCH 08/12] ci: auto-formatting prettier issues --- .../public-cloud/aws/add-aws-accounts.md | 39 ++++++++++++------- .../docs-content/getting-started/aws/setup.md | 6 ++- 2 files changed, 29 insertions(+), 16 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md index f455593ab4..8b8a9319aa 100644 --- a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md 
+++ b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md @@ -42,7 +42,8 @@ Use the steps below to add an AWS cloud account using static access credentials. - An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette. -- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role. +- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM + role. #### Add AWS Account to Palette @@ -70,7 +71,8 @@ Use the steps below to add an AWS cloud account using Security Token Service (ST - An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette. -- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role. +- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM + role. #### Add AWS Account to Palette @@ -128,7 +130,8 @@ Use the steps below to add an AWS cloud account using static access credentials. - An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette. -- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role. +- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM + role. #### Add AWS GovCloud Account to Palette 
@@ -180,7 +183,8 @@ Use the steps below to add an AWS cloud account using STS credentials. - An AWS account with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette. -- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM role. +- An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette IAM user or IAM + role. #### Add AWS GovCloud Account to Palette @@ -222,7 +226,10 @@ Your newly added AWS cloud account is listed under the AWS section. ## AWS Secret Cloud Account (US) -You can configure [AWS Secret Cloud]((https://aws.amazon.com/federal/secret-cloud/)) accounts in [Palette VerteX](../../../vertex/vertex.md) to deploy AWS EKS clusters in the AWS Secret region. Depending on your organization's compliance requirements, you can choose between standard authentication (standard access credentials) or secure compliance validation using your SC2S Access Portal (SCAP) credentials. +You can configure [AWS Secret Cloud](<(https://aws.amazon.com/federal/secret-cloud/)>) accounts in +[Palette VerteX](../../../vertex/vertex.md) to deploy AWS EKS clusters in the AWS Secret region. Depending on your +organization's compliance requirements, you can choose between standard authentication (standard access credentials) or +secure compliance validation using your SC2S Access Portal (SCAP) credentials. :::preview 
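Review bot: prettier rewrote the malformed link as `[AWS Secret Cloud](<(https://aws.amazon.com/federal/secret-cloud/)>)`, which confirms the doubled parentheses are being parsed as part of the destination (the angle brackets are prettier's escape for a URL containing parentheses); the rendered link will point at `(https://aws.amazon.com/federal/secret-cloud/)` and not resolve. Fix the source in PATCH 07 to a single pair of parentheses before this auto-format commit, otherwise the escaped form is carried forward into the published page.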
@@ -230,7 +237,9 @@ You can configure [AWS Secret Cloud]((https://aws.amazon.com/federal/secret-clou ### Limitations -- Only Amazon Linux 2-based Amazon Machine Images are supported for Kubernetes control plane and worker nodes. Workloads running inside the cluster should use Amazon Linux 2-based container images to ensure compatibility with the node operating system. +- Only Amazon Linux 2-based Amazon Machine Images are supported for Kubernetes control plane and worker nodes. Workloads + running inside the cluster should use Amazon Linux 2-based container images to ensure compatibility with the node + operating system. - User-provided Certificate Authority (CA) certificates are not automatically mounted on worker nodes in EKS clusters that are deployed in the AWS Secret region. As a result, applications or services that rely on custom CAs for @@ -259,7 +268,9 @@ You can configure [AWS Secret Cloud]((https://aws.amazon.com/federal/secret-clou - An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette VerteX IAM user or IAM role. -- A secure connection to your AWS Secret Cloud account, such as via a [Private Cloud Gateway (PCG)](../../../clusters/pcg/pcg.md), Wide Area Network tunnel, or AWS Private Link. PCGs do not require an existing Kubernetes cluster. +- A secure connection to your AWS Secret Cloud account, such as via a + [Private Cloud Gateway (PCG)](../../../clusters/pcg/pcg.md), Wide Area Network tunnel, or AWS Private Link. PCGs do + not require an existing Kubernetes cluster. ### Static Access Credentials 
@@ -296,9 +307,9 @@ Use the steps below to add an AWS Secret Cloud account using static access crede 7. Use the **drop-down Menu**, which lists available IAM policies in your AWS account, to select any desired IAM policies you want to assign to the Palette IAM role or IAM user. -8. If you are using a PCG to connect to your AWS Secret Cloud account to Palette VerteX, toggle **Connect Private Cloud Gateway** on, and - select a **Private Cloud Gateway** from the list. This list is populated automatically with the **Private Cloud - Gateways** listed in **Tenant Settings**. For more information, refer to the +8. If you are using a PCG to connect to your AWS Secret Cloud account to Palette VerteX, toggle **Connect Private Cloud + Gateway** on, and select a **Private Cloud Gateway** from the list. This list is populated automatically with the + **Private Cloud Gateways** listed in **Tenant Settings**. For more information, refer to the [Private Cloud Gateway](../../../clusters/pcg/pcg.md) page. 9. Click **Confirm** to create your AWS Secret Cloud account. 
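Review bot: In the `@@ -296,9 +307,9 @@` hunk, step 8 reads "to connect to your AWS Secret Cloud account to Palette VerteX"; the first "to" is extra, and the sentence should read "If you are using a PCG to connect your AWS Secret Cloud account to Palette VerteX". Step 7 in the same hunk says "the Palette IAM role or IAM user" while the prerequisites for this section say "Palette VerteX IAM user or IAM role"; pick one form for the Secret Cloud section.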
@@ -334,7 +345,7 @@ Use the steps below to add an AWS Secret Cloud account using SCAP secure complia | ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Agency Name** | Enter the SCAP agency name. | | **Account Name** | Enter the SCAP account name or number. | - | **CAP/SCAP Role Name** | Enter the role name provided by the SCAP administrator. This role determines the AWS permissions granted to the account. Note that AWS Top Secret Cloud Access Portal (CAP) credentials are not supported at this time. | + | **CAP/SCAP Role Name** | Enter the role name provided by the SCAP administrator. This role determines the AWS permissions granted to the account. Note that AWS Top Secret Cloud Access Portal (CAP) credentials are not supported at this time. | | **Role Prefix (Optional)** | Choose a prefix to standardize role names. If no prefix is provided, a default prefix of `PROJECT_` is used. For example, if the initial role name is `DevOpsRole`, the full role name would be `PROJECT_DevOpsRole`. | | **Permission Boundary (Optional)** | If you want to apply a permission boundary and limit the maximum permissions a role or user can have, provide the IAM policy ARN (for example, `arn:aws:iam::123456789012:policy/MyPermissionBoundaryPolicy`). Refer to the AWS [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) page for additional information on permission boundaries. | | **Certificate Authority** | Paste the root, intermediate, or chain of trust certificate in PEM-encoded format. 
Contact your organization's security team or AWS Secret Cloud administrator to obtain this certificate. | @@ -349,9 +360,9 @@ Use the steps below to add an AWS Secret Cloud account using SCAP secure complia 8. Use the **drop-down Menu**, which lists available IAM policies in your AWS account, to select any desired IAM policies you want to assign to the Palette IAM role or IAM user. -9. If you are using a PCG to connect to your AWS Secret Cloud account to Palette VerteX, toggle **Connect Private Cloud Gateway** on, and - select a **Private Cloud Gateway** from the list. This list is populated automatically with the **Private Cloud - Gateways** listed in **Tenant Settings**. For more information, refer to the +9. If you are using a PCG to connect to your AWS Secret Cloud account to Palette VerteX, toggle **Connect Private Cloud + Gateway** on, and select a **Private Cloud Gateway** from the list. This list is populated automatically with the + **Private Cloud Gateways** listed in **Tenant Settings**. For more information, refer to the [Private Cloud Gateway](../../../clusters/pcg/pcg.md) page. 10. Click **Confirm** to create your AWS Secret Cloud account. diff --git a/docs/docs-content/getting-started/aws/setup.md b/docs/docs-content/getting-started/aws/setup.md index d378a9ab1d..3004329089 100644 --- a/docs/docs-content/getting-started/aws/setup.md +++ b/docs/docs-content/getting-started/aws/setup.md 
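Review bot: In the `@@ -334,7 +345,7 @@` hunk, the only difference in the **CAP/SCAP Role Name** row is trailing whitespace inside the table cell, so the hunk is formatter churn rather than a content change; worth confirming nothing else was meant to change there. Separately, the **Permission Boundary** example ARN `arn:aws:iam::123456789012:policy/MyPermissionBoundaryPolicy` uses the commercial `aws` partition prefix, and ARNs in the AWS Secret region carry a different partition prefix, so either mark the example as illustrative or show the partition readers will actually see.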
@@ -22,9 +22,11 @@ section are centered around a fictional case study company, Spacetastic Ltd. - A public [AWS](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account) account. -- An AWS account with an [IAM Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette. +- An AWS account with an [IAM Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or + [IAM User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette. -- An AWS account with the [required IAM policies](../../clusters/public-cloud/aws/required-iam-policies.md) assigned to the Palette IAM user or IAM role. +- An AWS account with the [required IAM policies](../../clusters/public-cloud/aws/required-iam-policies.md) assigned to + the Palette IAM user or IAM role. ## Enablement From 545484dd4f62dda1d51614c7111fff79a65da85f Mon Sep 17 00:00:00 2001 From: Amanda Churi Filanowski Date: Mon, 3 Feb 2025 14:57:13 -0500 Subject: [PATCH 09/12] Incorporating feedback from Carolina --- .../clusters/public-cloud/aws/add-aws-accounts.md | 13 +++---------- docs/docs-content/getting-started/aws/setup.md | 3 +-- 2 files changed, 4 insertions(+), 12 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md index 8b8a9319aa..0f5b906588 100644 --- a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md +++ b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md 
@@ -8,9 +8,7 @@ sidebar_position: 10 --- Palette supports integration with Amazon Web Services (AWS) Cloud Accounts, including -[AWS GovCloud (US)](https://aws.amazon.com/govcloud-us/?whats-new-ess.sort-by=item.additionalFields.postDateTime&whats-new-ess.sort-order=desc) -and [AWS Secret Cloud (US)](https://aws.amazon.com/federal/secret-cloud/) accounts. This section explains how to create -an AWS cloud account in Palette. You can use any of the following authentication methods to register your cloud account. +[AWS GovCloud (US)](https://aws.amazon.com/govcloud-us/?whats-new-ess.sort-by=item.additionalFields.postDateTime&whats-new-ess.sort-order=desc) and [AWS Secret Cloud (US)](https://aws.amazon.com/federal/secret-cloud/) accounts. This section explains how to create an AWS cloud account in Palette. You can use any of the following authentication methods to register your cloud account. - AWS @@ -226,10 +224,7 @@ Your newly added AWS cloud account is listed under the AWS section. ## AWS Secret Cloud Account (US) -You can configure [AWS Secret Cloud](<(https://aws.amazon.com/federal/secret-cloud/)>) accounts in -[Palette VerteX](../../../vertex/vertex.md) to deploy AWS EKS clusters in the AWS Secret region. Depending on your -organization's compliance requirements, you can choose between standard authentication (standard access credentials) or -secure compliance validation using your SC2S Access Portal (SCAP) credentials. +You can configure [AWS Secret Cloud](https://aws.amazon.com/federal/secret-cloud/) accounts in [Palette VerteX](../../../vertex/vertex.md) to deploy AWS EKS clusters in the AWS Secret region. Depending on your organization's compliance requirements, you can choose between standard authentication (standard access credentials) or secure compliance validation using your SC2S Access Portal (SCAP) credentials. :::preview 
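Review bot: In the `@@ -8,9 +8,7 @@` hunk, the change only joins the prettier-wrapped lines back into single long lines with no change in wording; the repository's CI formatter re-wraps them (the following "ci: auto-formatting prettier issues" commit restores exactly the previous layout), so this hunk produces diff churn with no effect on the published page. Run prettier locally before pushing, or keep the wrapped form from the earlier commit.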
@@ -268,9 +263,7 @@ secure compliance validation using your SC2S Access Portal (SCAP) credentials. - An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette VerteX IAM user or IAM role. -- A secure connection to your AWS Secret Cloud account, such as via a - [Private Cloud Gateway (PCG)](../../../clusters/pcg/pcg.md), Wide Area Network tunnel, or AWS Private Link. PCGs do - not require an existing Kubernetes cluster. +- A secure connection to your AWS Secret Cloud account, such as via a [Private Cloud Gateway (PCG)](../../../clusters/pcg/pcg.md), Wide Area Network tunnel, or AWS Private Link. PCGs do not require an existing Kubernetes cluster. ### Static Access Credentials diff --git a/docs/docs-content/getting-started/aws/setup.md b/docs/docs-content/getting-started/aws/setup.md index 3004329089..794999ff6b 100644 --- a/docs/docs-content/getting-started/aws/setup.md +++ b/docs/docs-content/getting-started/aws/setup.md @@ -25,8 +25,7 @@ section are centered around a fictional case study company, Spacetastic Ltd. - An AWS account with an [IAM Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette. -- An AWS account with the [required IAM policies](../../clusters/public-cloud/aws/required-iam-policies.md) assigned to - the Palette IAM user or IAM role. +- An AWS account with the [required IAM policies](../../clusters/public-cloud/aws/required-iam-policies.md) assigned to the Palette IAM user or IAM role. ## Enablement From bef3ced72f0f8a1b3f1df29a6fff54ca8bb3237f Mon Sep 17 00:00:00 2001 
From: achuribooks <182707758+achuribooks@users.noreply.github.com> Date: Mon, 3 Feb 2025 20:00:32 +0000 Subject: [PATCH 10/12] ci: auto-formatting prettier issues --- .../clusters/public-cloud/aws/add-aws-accounts.md | 13 ++++++++++--- docs/docs-content/getting-started/aws/setup.md | 3 ++- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md index 0f5b906588..261ddc6773 100644 --- a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md +++ b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md @@ -8,7 +8,9 @@ sidebar_position: 10 --- Palette supports integration with Amazon Web Services (AWS) Cloud Accounts, including -[AWS GovCloud (US)](https://aws.amazon.com/govcloud-us/?whats-new-ess.sort-by=item.additionalFields.postDateTime&whats-new-ess.sort-order=desc) and [AWS Secret Cloud (US)](https://aws.amazon.com/federal/secret-cloud/) accounts. This section explains how to create an AWS cloud account in Palette. You can use any of the following authentication methods to register your cloud account. +[AWS GovCloud (US)](https://aws.amazon.com/govcloud-us/?whats-new-ess.sort-by=item.additionalFields.postDateTime&whats-new-ess.sort-order=desc) +and [AWS Secret Cloud (US)](https://aws.amazon.com/federal/secret-cloud/) accounts. This section explains how to create +an AWS cloud account in Palette. You can use any of the following authentication methods to register your cloud account. - AWS 
@@ -224,7 +226,10 @@ Your newly added AWS cloud account is listed under the AWS section. ## AWS Secret Cloud Account (US) -You can configure [AWS Secret Cloud](https://aws.amazon.com/federal/secret-cloud/) accounts in [Palette VerteX](../../../vertex/vertex.md) to deploy AWS EKS clusters in the AWS Secret region. Depending on your organization's compliance requirements, you can choose between standard authentication (standard access credentials) or secure compliance validation using your SC2S Access Portal (SCAP) credentials. +You can configure [AWS Secret Cloud](https://aws.amazon.com/federal/secret-cloud/) accounts in +[Palette VerteX](../../../vertex/vertex.md) to deploy AWS EKS clusters in the AWS Secret region. Depending on your +organization's compliance requirements, you can choose between standard authentication (standard access credentials) or +secure compliance validation using your SC2S Access Portal (SCAP) credentials. :::preview @@ -263,7 +268,9 @@ You can configure [AWS Secret Cloud](https://aws.amazon.com/federal/secret-cloud - An AWS account with the [required IAM policies](required-iam-policies.md) assigned to the Palette VerteX IAM user or IAM role. -- A secure connection to your AWS Secret Cloud account, such as via a [Private Cloud Gateway (PCG)](../../../clusters/pcg/pcg.md), Wide Area Network tunnel, or AWS Private Link. PCGs do not require an existing Kubernetes cluster. +- A secure connection to your AWS Secret Cloud account, such as via a + [Private Cloud Gateway (PCG)](../../../clusters/pcg/pcg.md), Wide Area Network tunnel, or AWS Private Link. PCGs do + not require an existing Kubernetes cluster. ### Static Access Credentials diff --git a/docs/docs-content/getting-started/aws/setup.md b/docs/docs-content/getting-started/aws/setup.md index 794999ff6b..3004329089 100644 --- a/docs/docs-content/getting-started/aws/setup.md +++ b/docs/docs-content/getting-started/aws/setup.md 
@@ -25,7 +25,8 @@ section are centered around a fictional case study company, Spacetastic Ltd. - An AWS account with an [IAM Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) or [IAM User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for Palette. -- An AWS account with the [required IAM policies](../../clusters/public-cloud/aws/required-iam-policies.md) assigned to the Palette IAM user or IAM role. +- An AWS account with the [required IAM policies](../../clusters/public-cloud/aws/required-iam-policies.md) assigned to + the Palette IAM user or IAM role. ## Enablement From 3dd77a082ad1ac64179b80b96fad7410633fe8fb Mon Sep 17 00:00:00 2001 From: Amanda Churi Filanowski Date: Mon, 3 Feb 2025 15:50:30 -0500 Subject: [PATCH 11/12] Apply suggestions from code review Co-authored-by: caroldelwing --- .../clusters/public-cloud/aws/add-aws-accounts.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md index 261ddc6773..bd514dea1c 100644 --- a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md +++ b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md @@ -238,7 +238,7 @@ secure compliance validation using your SC2S Access Portal (SCAP) credentials. ### Limitations - Only Amazon Linux 2-based Amazon Machine Images are supported for Kubernetes control plane and worker nodes. Workloads - running inside the cluster should use Amazon Linux 2-based container images to ensure compatibility with the node + deployed in the cluster should use Linux-based container images to ensure compatibility with the node operating system. - User-provided Certificate Authority (CA) certificates are not automatically mounted on worker nodes in EKS clusters 
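Review bot: In the `@@ -238,7 +238,7 @@` hunk, the rewording to "Linux-based container images" is the right fix, but the surrounding limitation still states that only Amazon Linux 2-based AMIs are supported; Amazon Linux 2 reaches end of standard support on June 30, 2025, so readers planning new clusters in this region should be told that the node OS is nearing end of support and that they should watch for a supported AMI. A short note to that effect next to the limitation would help.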
@@ -269,8 +269,7 @@ secure compliance validation using your SC2S Access Portal (SCAP) credentials. IAM role. - A secure connection to your AWS Secret Cloud account, such as via a - [Private Cloud Gateway (PCG)](../../../clusters/pcg/pcg.md), Wide Area Network tunnel, or AWS Private Link. PCGs do - not require an existing Kubernetes cluster. + [Private Cloud Gateway (PCG)](../../../clusters/pcg/pcg.md), Wide Area Network tunnel, or AWS Private Link. ### Static Access Credentials From 3b08b9f6d842c447315906e637715bc7f9efc2de Mon Sep 17 00:00:00 2001 From: achuribooks <182707758+achuribooks@users.noreply.github.com> Date: Mon, 3 Feb 2025 20:53:42 +0000 Subject: [PATCH 12/12] ci: auto-formatting prettier issues --- .../clusters/public-cloud/aws/add-aws-accounts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md index bd514dea1c..8d0a9c42a3 100644 --- a/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md +++ b/docs/docs-content/clusters/public-cloud/aws/add-aws-accounts.md @@ -238,8 +238,8 @@ secure compliance validation using your SC2S Access Portal (SCAP) credentials. ### Limitations - Only Amazon Linux 2-based Amazon Machine Images are supported for Kubernetes control plane and worker nodes. Workloads - deployed in the cluster should use Linux-based container images to ensure compatibility with the node - operating system. + deployed in the cluster should use Linux-based container images to ensure compatibility with the node operating + system. - User-provided Certificate Authority (CA) certificates are not automatically mounted on worker nodes in EKS clusters that are deployed in the AWS Secret region. As a result, applications or services that rely on custom CAs for