Enable Adding AWS Accounts Using STS
VerteX allows tenants to use the AWS Security Token Service (STS) to add AWS cloud accounts to their VerteX environment. To do this, VerteX relies on a separate AWS cloud account, configured on the VerteX instance, that assumes a custom role created in the tenant's AWS account.
This custom role establishes a trust relationship between the tenant's AWS account and the AWS account bound to the VerteX instance. It allows the VerteX-bound AWS account to receive temporary credentials from the tenant's AWS account to deploy infrastructure in AWS using STS. For more information on how to add an AWS cloud account to a tenant using STS, refer to the Add an AWS Account to Palette guide.
You must configure your VerteX instance with an STS AWS account before your tenants can add AWS cloud accounts to deploy clusters in AWS using STS. Without this configuration, the STS option will be greyed out when your tenants try to add an AWS account.
Prerequisites
- Access to the VerteX system console.
- The role of Root Administrator or Account Administrator.
- An AWS IAM user that is allowed to assume cross-account IAM roles.
Enable Adding AWS Accounts Using STS
- Open a terminal session.
- Log in to the VerteX System API by using the `/v1/auth/syslogin` endpoint. Use the curl command below and replace the `example.com` placeholder URL with the URL of your VerteX instance. Ensure you replace the credentials below with your system console credentials.

```shell
TOKEN=$(curl --insecure --location 'https://example.com/v1/auth/syslogin' \
  --header 'Content-Type: application/json' \
  --data '{
    "password": "**********",
    "username": "**********"
  }')
```

- Next, prepare a payload for the AWS account you want to configure. Use the following JSON payload as a template and replace the `accessKey`, `secretKey`, and `accountId` fields with the AWS access key, secret key, and account ID of your AWS account.

```shell
CONFIG_JSON=$(cat <<EOF
{
  "accessKey": "**********",
  "secretKey": "**********",
  "accountId": "123456789"
}
EOF
)
```

  Holding the payload in a shell variable this way avoids exposing sensitive information in the command line.

- Issue the following command to invoke the VerteX API to configure the AWS account on your instance. Use the `aws` endpoint for commercial AWS and the `awsgov/sts` endpoint for AWS GovCloud. The variables must be in double quotes so that the shell expands `$TOKEN` and `$CONFIG_JSON`.

  AWS:

```shell
curl --request POST \
  --url https://<palette-api-url>/v1/system/config/aws/account \
  --header "Authorization: $TOKEN" \
  --data "$CONFIG_JSON"
```

  AWS GOV:

```shell
curl --request POST \
  --url https://<palette-api-url>/v1/system/config/awsgov/sts/account \
  --header "Authorization: $TOKEN" \
  --data "$CONFIG_JSON"
```
Validate
- Open a terminal session.
- Log in to the VerteX System API by using the `/v1/auth/syslogin` endpoint. Use the curl command below and replace the `example.com` placeholder URL with the URL of your VerteX instance. Ensure you replace the credentials below with your system console credentials.

```shell
TOKEN=$(curl --insecure --location 'https://example.com/v1/auth/syslogin' \
  --header 'Content-Type: application/json' \
  --data '{
    "password": "**********",
    "username": "**********"
  }')
```

- Issue the following command to make an API call that confirms that the credentials were configured successfully. `$TOKEN` must be in double quotes so that the shell expands it.

```shell
curl --request GET \
  --url https://<palette-api-url>/v1/system/config/aws/account \
  --header "Authorization: $TOKEN"
```

  If you receive a response that contains the payload you configured, the configuration was successful.
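The login, configure and validate steps above as POSIX shell functions, an added example that is not part of the VerteX documentation. It assumes the credentials are supplied in the environment variables named in the comments, that the `syslogin` response carries the token in an `Authorization` field, and that `CURL` names the HTTP client so a stub can stand in for it; `json_field` is a hypothetical helper.

```shell
#!/bin/sh
# Added example, not from the VerteX docs. Assumed: VERTEX_URL, SYS_USER,
# SYS_PASS, AWS_ACCESS_KEY, AWS_SECRET_KEY and AWS_ACCOUNT_ID are exported by
# the caller; the syslogin response carries the token in an "Authorization"
# field (assumption); CURL names the HTTP client so a stub can replace it.
# TLS verification stays on (no --insecure); point CURL_CA_BUNDLE at the
# instance CA if it is private.
: "${CURL:=curl}"

# Extract a top-level string field from a JSON body (hypothetical helper,
# sufficient for the flat objects these endpoints exchange).
json_field() {  # $1 = json body, $2 = field name
  printf '%s' "$1" | tr -d '\n' |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Login step: keep only the token, not the whole response. The request body
# is sent over stdin (--data @-) so the password never appears in argv.
vertex_syslogin() {
  resp=$(printf '{"username":"%s","password":"%s"}' "$SYS_USER" "$SYS_PASS" |
    $CURL --silent --location "$VERTEX_URL/v1/auth/syslogin" \
      --header 'Content-Type: application/json' --data @-)
  json_field "$resp" Authorization
}

# Payload step: the account JSON, built from the environment.
aws_config_json() {
  printf '{"accessKey":"%s","secretKey":"%s","accountId":"%s"}' \
    "$AWS_ACCESS_KEY" "$AWS_SECRET_KEY" "$AWS_ACCOUNT_ID"
}

# Configure step. $2 selects the endpoint: "aws" or "awsgov/sts".
# Double quotes around the header so the token actually expands.
vertex_configure_aws() {  # $1 = token, $2 = aws | awsgov/sts
  aws_config_json |
    $CURL --silent --request POST "$VERTEX_URL/v1/system/config/$2/account" \
      --header "Authorization: $1" --header 'Content-Type: application/json' \
      --data @-
}

# Validate step: the stored accountId and accessKey must match what was sent.
# Returns 0 on success, 1 on mismatch or an unparseable response.
vertex_verify_aws() {  # $1 = token
  resp=$($CURL --silent --request GET "$VERTEX_URL/v1/system/config/aws/account" \
    --header "Authorization: $1")
  [ "$(json_field "$resp" accountId)" = "$AWS_ACCOUNT_ID" ] || return 1
  [ "$(json_field "$resp" accessKey)" = "$AWS_ACCESS_KEY" ] || return 1
}
```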