Cloud Credentials

Objective

This guide provides instructions on how to create cloud API credentials using the guided wizards in VoltConsole. For more information on VoltConsole, refer to the concepts documentation.

Cloud credentials are used to access services provided by AWS, Azure, and GCP to create, read, update, or delete objects needed to deploy and manage your applications in public cloud environments via Volterra automation.


Prerequisites

Note: In case you do not have an account, see Create a Volterra Account.

  • Public cloud account with credentials, tenant definitions and certificates already created.

Note: Refer to the required permissions to create cloud resources in the Cloud Credentials Reference guides. These guides also provide instructions to create the roles and associated service accounts using the cloud formation templates.


Configuration

Perform the steps provided in the following chapters to create cloud credentials for various supported cloud providers.

Add Cloud Credentials

Perform the following steps to start creating a cloud credentials object:

Step 1: Log into the VoltConsole and start Cloud Credentials object creation.

Select Manage from the configuration menu in the system tab. Select Site Management from the options. Click Cloud Credentials.

Figure: Create Cloud Credentials

Step 2: Start creating cloud credentials. Click the Add Cloud Credentials button in the middle of the page if this is your first entry, or the link at the top of the page otherwise. Then type in a name for the credential you are creating. Optionally, you can add labels and a description to this entry.

Figure: Cloud Credentials Metadata

Step 3: Select cloud credential type. Select a cloud credential type from the drop down menu. There are options for AWS programmatic access credentials, Azure credential client certificate, Azure client secret for service principal, and GCP credentials.

Figure: Cloud Credential Types

Configure Credentials

AWS Programmable Access Credentials

Perform the following steps for AWS programmable access credentials:

Note: Temporary security credentials such as credentials generated using AWS STS are not supported.

Step 1: Obtain your access key ID and secret from AWS.

Retrieve the access key ID and secret that you intend to use for accessing AWS API services from the IAM Dashboard of your AWS Management Console (AWS IAM Reference).

Step 2: Set the access key and configure secret.
  • Select AWS Programmable Access Credentials for the Select Cloud Credential Type field.
  • Enter the AWS Access Key ID that you retrieved from your AWS account.

Figure: Secret Access Key entry

  • Configure Secret Access Key by clicking on the Configure link below where you entered the Access Key ID.

Figure: Secret Access Key entry

  • Secret information can be one of two types, selected from the drop-down:

    • Blindfold Secret: Used for secrets managed by Volterra Secret Management Service (Recommended as this service provides a high level of security)
    • Clear Secret: Used for secrets that are not encrypted
  • Policy information can be one of two types, selected from the drop-down:

    • Built-in: Provides a list of Volterra provided set of generic policies
    • Custom: Provides a list of user defined policies which have been defined under SystemSecuritySecrets
  • Type is the text or blindfold value of the AWS Secret Key. Enter the text value and click on the Blindfold button to generate the blindfold key based on the AWS Secret Key.

Figure: Secret Access Key entry result after entering text and clicking on Blindfold (Click on Edit link to see this result)

Figure: Entries for Azure Client Certificate

  • Once the key has been generated or entered, click Apply and then click the Save and Exit button to exit the wizard and save your AWS credentials for use with Volterra services.

Azure Credential Client Certificate

Perform the following steps for configuring Azure Credential Client Certificate for Service Principal:

Step 1: Obtain the authentication details from Azure.

Retrieve the Client ID, Subscription ID, Tenant ID, Certificate and Certificate Password that you intend to use for accessing Azure API services from your Azure Portal (Azure Key Vault Reference) (Azure Key Vault Quick Start).

Step 2: Enter the identities and configure secret.
  • Select Azure Credential Client Certificate for the Select Cloud Credential Type field.
  • Enter the Azure Client ID, Subscription ID and Tenant ID that you retrieved from your Azure account.
  • Enter your Client Certificate in the following format:

    string:///<base64 encoded string of the certificate>

Figure: Entries for Azure Client Secret

  • Click on the Configure link and enter the Certificate Password you retrieved from the Azure Portal, in the same manner as for the AWS Secret Access Key in the AWS Programmable Access Credentials chapter, using either the Clear Secret or Blindfold Secret option.
  • Click Apply and then click Save and Exit.
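
The string:/// value from Step 2 can be built and checked from a shell before it is pasted into VoltConsole. This is an added example, not part of the original guide or of Volterra's tooling; the function names and the sample file are hypothetical, and it assumes a base64 utility that accepts -d for decoding.

```shell
#!/bin/sh
# Added example: build and verify the "string:///<base64>" value for a
# client certificate file. Function names are hypothetical.

# Print string:///<base64 of file> as a single line.
cert_to_string_uri() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 1; }
    # GNU base64 wraps its output every 76 characters; tr removes the
    # wraps so the value is one line on both GNU and BSD systems.
    printf 'string:///%s\n' "$(base64 < "$1" | tr -d '\r\n')"
}

# Succeed only if the value decodes back to exactly the given file.
verify_string_uri() {
    uri=$1 file=$2
    case $uri in
        string:///*) payload=${uri#string:///} ;;
        *) echo "missing string:/// prefix" >&2; return 1 ;;
    esac
    # Reject whitespace or other stray characters left by copy and paste.
    case $payload in
        ''|*[!A-Za-z0-9+/=]*)
            echo "payload is not clean base64" >&2; return 1 ;;
    esac
    # Exit status is that of cmp: 0 only when the bytes are identical.
    printf '%s' "$payload" | base64 -d 2>/dev/null | cmp -s - "$file"
}

# Demo on constructed bytes standing in for a certificate file
# (100 characters, long enough that unstripped output would wrap).
demo=$(mktemp)
printf '%0100d' 0 > "$demo"
value=$(cert_to_string_uri "$demo")
verify_string_uri "$value" "$demo" && echo "value round-trips: ${#value} characters"
rm -f "$demo"
```

The encoded value is only an encoding of the certificate, not a protected form of it, so handle it as you would the certificate file itself.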

Azure Client Secret for Service Principal Credentials

Perform the following steps to configure Azure client secret for service principal credentials:

Step 1: Obtain the authentication details from Azure.
Step 2: Enter the identities and configure secret.
  • Select Azure Client Secret for Service Principal Credentials for the Select Cloud Credential Type field.
  • Enter the Azure Client ID, Subscription ID and Tenant ID that you retrieved from your Azure account.

Figure: Entries for Azure Client Secret

  • Click on the Configure link and enter the Secret Key you retrieved from the Azure Portal, in the same manner as for the AWS Secret Key in the AWS Programmable Access Credentials chapter, using either the Clear Secret or Blindfold Secret option.
  • Click Apply and then click Save and Exit to complete creating Azure credentials.

GCP Credentials

Perform the following steps to configure GCP credentials:

Step 1: Obtain the authentication details from GCP.
Step 2: Configure the secret with the service account key.
  • Select GCP Credentials for the Select Cloud Credential Type field. Click Configure.

Figure: GCP Credentials

  • Enter the service account key you retrieved from GCP, in the same manner as for the AWS Secret Key in the AWS Programmable Access Credentials chapter, using either the Clear Secret or Blindfold Secret option.
  • Click Apply and then click Save and Exit to complete creating GCP cloud credentials.
