
Credentials for AWS EC2

With Rafay, you can fully automate the provisioning and ongoing lifecycle management of "Rafay MKS, upstream Kubernetes Clusters" in all supported AWS regions.

With auto provisioning, you can have a cluster operational in just a few clicks. In order to do this, you need to provide credentials that allow programmatic access to Amazon AWS.

Two types of credentials are supported.

  • IAM Role: Recommended for users of the SaaS Rafay Controller. This is the more secure option because you do not have to provision and manage long-lived secrets in the Rafay Controller.
  • IAM User: Suited for users of the self-hosted Rafay Controller, especially in non-AWS environments.

For the IAM User option, create an IAM user with programmatic access for the Rafay Controller in your AWS account, then configure its access key and secret in the Rafay Cloud Credential.

Option 1: AWS IAM Role

You will create a "Cloud Credential" which will be configured to use an IAM role for the SaaS Rafay Controller in your AWS account. You can reuse the cloud credential to provision as many clusters as necessary.

To configure an AWS IAM role, you will need the "Rafay AWS Account ID" and a unique "External ID". Once the role is configured in AWS, you will provide Rafay with the role ARN (Amazon Resource Name).

Step 1: Create Cloud Credential

  • Sign into the Rafay Console and click on Infrastructure
  • Select "Cloud Credentials", Click on "New Credential"
  • Provide a unique name and select "AWS" in the "Provider" drop down.
  • Select "ROLE" in the "Credential Type" drop down as in the example below
  • We will be using the provided "Account ID" and "External ID" in the AWS Console
  • Once we have the ARN for the IAM Role, we will provide it here to create the cloud credential

[Screenshot: Create Cloud Credential]


Step 2: Create IAM Policy

  • Sign into the AWS Console and navigate to the IAM service
  • Create a new Policy, provide it with a name
  • Copy/Paste the JSON for the IAM Policy
  • Review and Save the policy

Step 3: Create IAM Role

  • In the AWS Console, navigate to the IAM service
  • Create a new Role and select "Another AWS account" as the trusted entity type
  • Copy/Paste the Account ID from the Rafay Cloud Credential (Step 1)
  • Enable "Require External ID" and copy/paste the External ID from the Rafay Cloud Credential (Step 1)

[Screenshot: Create IAM Role]

  • Click on "Next:Permissions"
  • Search for the Policy you created in Step 2 and select it

[Screenshot: Select Policy]

  • Click on the newly created Role
  • Copy the Role ARN
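As an added illustration (not part of the Rafay documentation), the following Python builds the trust policy that the console choices in Step 3 produce ("Another AWS account" plus "Require External ID") and reviews it for the two weaknesses that would undermine this setup: a wildcard principal and a missing external ID condition. The account ID and external ID are constructed placeholders; use the values shown in your Cloud Credential.

```python
import json

# Constructed placeholders: take the real Account ID and External ID from the Rafay Cloud Credential (Step 1).
RAFAY_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id-0000"


def build_trust_policy(rafay_account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to choosing 'Another AWS account' with
    'Require External ID' in the IAM console: only the named account may
    call sts:AssumeRole, and only when it presents the matching external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{rafay_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_findings(policy: dict) -> list:
    """Review a trust policy as a defender would: flag any Allow statement for
    sts:AssumeRole that is open to any principal or lacks the external ID
    condition that protects against the confused-deputy problem."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("principal is a wildcard")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            findings.append("missing sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(RAFAY_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))  # document usable with `aws iam create-role --assume-role-policy-document`
    print("findings:", trust_policy_findings(policy))
```

Running the same check against the trust policy of an existing role (for example the output of `aws iam get-role`) is a quick way to confirm that the external ID requirement was not dropped during a later edit.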

Step 4: Save Cloud Credential

  • Return to where you left off from Step 1
  • Paste the Role ARN from Step 3 and Save

[Screenshot: Save Cloud Credential]

The Rafay Controller will perform a validation with AWS to ensure that the provided information is correct. Once the cloud credential is saved, the administrator can view metadata.

[Screenshot: View Cloud Credential]


Option 2: AWS IAM User

We will be creating an "AWS IAM User" for Rafay attached with a minimal IAM policy required for auto provisioning.

Step 1: Create IAM Policy

  • Sign into the AWS Console.
  • Select "IAM" from Services
  • Select "Policies"
  • Click on "Add Policy"
  • Click on "Create Policy"

[Screenshot: Set Permissions]

  • Copy and Paste the IAM Policy provided at the bottom below into the JSON window

[Screenshot: Create Policy]

  • Click on Review Policy
  • Provide a name for the policy
  • Click on Create Policy

[Screenshot: Review Policy]


Step 2: Create IAM User

To ensure all actions performed by Rafay can be audited, we recommend that customers create a new "AWS IAM User".

  • Select "IAM" from Services
  • Select "Users"
  • Click on "Add User"

You will be presented with a "Guided Workflow"

  • Provide a username (In the example below, we have used "demos")
  • Enable "Programmatic Access" for Access Type
  • Click "Next:Permissions"

[Screenshot: Add IAM User]


Step 3: Attach Permissions to User

During auto provisioning, Rafay automatically creates and configures infrastructure on AWS for the Kubernetes cluster, including the following resources:

  • VPC
  • Roles
  • Elastic IPs
  • Security Groups
  • Internet Gateway
  • NAT Gateway
  • Subnet Routes
  • SSH Keys
  • Instances
  • Volumes

  • Click on "Attach Existing Policies Directly"
  • Filter policies by the name of the policy you created in Step 1. In this example, we are looking for "Rafay_Auto_Provisioning_Policy".

[Screenshot: Attach Policy]

  • Click on "Next:Tags" (Optional)
  • Review the details and finalize

[Screenshot: Review and Finalize]

  • Download the "CSV" containing the "Access Key ID" and "Secret Access Key"

Important

For security reasons, this information is not accessible later in AWS. Ensure that you do not skip this step because we will require this information when we create a Provider Profile for AWS in the Rafay Management Platform.


Step 4: Save Cloud Credential

  • Sign into the Rafay Console and click on Infrastructure
  • Select "Cloud Credentials", Click on "New Credential"
  • Provide a unique name and select "AWS" in the "Provider" drop down.
  • Select "ACCESS_KEY" in the "Credential Type" drop down.
  • Copy/Paste the Access Key and Secret Access Key from Step 3 into the provided fields and Save. Note that the Credential type is displayed in the Type column.

[Screenshot: View Cloud Credential]