AWS BYOC

Please read through Bring Your Own Cloud (BYOC) to understand BYOC in more detail.

Deployment Options

  • Turnkey / default - creates a VPN and cluster for a fully managed install
  • BYO-VPN - requires the customer to provide a VPN

Overview

This document guides you through giving Streamkap access to provision software into your AWS account by creating an IAM role that trusts a Streamkap-owned IAM principal. Access is limited to the actions listed in the following two IAM policies (provision and deprovision). Read them before creating the role: both grant their actions on `Resource: "*"`, and the provision policy includes `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy`, `iam:CreatePolicyVersion`, `iam:PassRole` and `iam:UpdateAssumeRolePolicy`, which together are sufficient to create a new role with any permissions in the account or to re-scope the trust policy of existing roles. Treat the role as effectively administrative for whichever account it is created in, and create it only in the dedicated sub-account described below — never in a shared or production account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "ec2:DescribeAddressesAttribute",
        "ec2:CreateNetworkAclEntry",
        "ecr:UntagResource",
        "eks:ListAccessEntries",
        "eks:CreateAccessEntry",
        "eks:DescribeAccessEntry",
        "eks:UpdateAccessEntry",
        "eks:AssociateAccessPolicy",
        "eks:DisassociateAccessPolicy",
        "eks:CreateAddon",
        "eks:DescribeAddon",
        "eks:UpdateAddon",
        "eks:DescribeAddonConfiguration",
        "eks:DescribeAddonVersions",
        "eks:ListAddons",
        "eks:ListAssociatedAccessPolicies",
        "eks:CreateCluster",
        "eks:DescribeCluster",
        "eks:CreateNodegroup",
        "eks:DescribeNodegroup",
        "eks:UpdateNodegroupVersion",
        "eks:TagResource",
        "eks:UntagResource",
        "eks:ListTagsForResource",
        "eks:DescribeUpdate",
        "iam:UntagPolicy",
        "iam:UntagRole",
        "kms:UntagResource",
        "logs:UntagResource",
        "logs:ListTagsForResource",
        "ec2:AllocateAddress",
        "ec2:AssociateRouteTable",
        "ec2:AttachInternetGateway",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateInternetGateway",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:CreateNatGateway",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:CreateVpc",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeNatGateways",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroupReferences",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcClassicLink",
        "ec2:DescribeVpcClassicLinkDnsSupport",
        "ec2:DescribeVpcs",
        "ec2:ModifyLaunchTemplate",
        "ec2:ModifySubnetAttribute",
        "ec2:ModifyVpcAttribute",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RunInstances",
        "ecr:CreateRepository",
        "ecr:DescribeRepositories",
        "ecr:ListTagsForResource",
        "ecr:TagResource",
        "iam:AttachRolePolicy",
        "iam:CreateOpenIDConnectProvider",
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:CreateRole",
        "iam:CreateServiceLinkedRole",
        "iam:GetOpenIDConnectProvider",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:TagOpenIDConnectProvider",
        "iam:TagPolicy",
        "iam:TagRole",
        "iam:UpdateAssumeRolePolicy",
        "kms:CreateAlias",
        "kms:CreateGrant",
        "kms:CreateKey",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:ListAliases",
        "kms:ListResourceTags",
        "kms:PutKeyPolicy",
        "kms:TagResource",
        "logs:CreateLogGroup",
        "logs:DescribeLogGroups",
        "logs:ListTagsLogGroup",
        "logs:PutRetentionPolicy",
        "logs:TagLogGroup",
        "logs:TagResource",
        "route53:ChangeResourceRecordSets",
        "route53:ChangeTagsForResource",
        "route53:CreateHostedZone",
        "route53:GetChange",
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ]
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "ec2:DeleteNetworkAclEntry",
        "eks:DeleteAddon",
        "eks:DeleteCluster",
        "eks:DescribeCluster",
        "eks:DeleteNodegroup",
        "eks:DescribeNodegroup",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteLaunchTemplate",
        "ec2:DeleteLaunchTemplateVersions",
        "ec2:DeleteNatGateway",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteSubnet",
        "ec2:DeleteTags",
        "ec2:DeleteVpc",
        "ec2:DescribeAddresses",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeNatGateways",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcClassicLink",
        "ec2:DescribeVpcClassicLinkDnsSupport",
        "ec2:DescribeVpcs",
        "ec2:DetachInternetGateway",
        "ec2:DetachNetworkInterface",
        "ec2:DisassociateAddress",
        "ec2:DisassociateRouteTable",
        "ec2:ReleaseAddress",
        "ec2:RevokeSecurityGroupIngress",
        "ecr:DeleteRepository",
        "ecr:DescribeRepositories",
        "ecr:ListTagsForResource",
        "iam:DeleteOpenIDConnectProvider",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetOpenIDConnectProvider",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:ListPolicyVersions",
        "iam:ListRolePolicies",
        "kms:DeleteAlias",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:ListAliases",
        "kms:ListResourceTags",
        "kms:RetireGrant",
        "kms:ScheduleKeyDeletion",
        "logs:DeleteLogGroup",
        "logs:DescribeLogGroups",
        "logs:ListTagsLogGroup",
        "route53:ChangeTagsForResource",
        "route53:DeleteHostedZone",
        "route53:GetDNSSEC",
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource",
        "s3:GetObject",
        "s3:ListBucket"
      ]
    }
  ]
}

📘

Please note that the deployment is expected to run in a dedicated sub-account (with its own VPC and subnets) that is connected to your main hub. Because neither policy restricts its `Resource`, the account boundary is what actually limits the blast radius: for example `kms:PutKeyPolicy`, `s3:PutObject`, `route53:ChangeResourceRecordSets`, `logs:DeleteLogGroup` and `kms:ScheduleKeyDeletion` are granted on every key, bucket, hosted zone, log group and key in the account, not just the ones Streamkap creates. Keep the sub-account free of other workloads, and consider an SCP or permissions boundary if your organization requires one.

Here are the steps:

  1. Create an IAM policy granting permission to provision an install.
  2. Create an IAM policy granting permission to deprovision an install.
  3. Create an IAM role that uses those policies, and grants access to the vendor via a trust policy.
  4. Share the IAM role’s ARN with Streamkap.

Once the role is created and acknowledged by the Streamkap team, we will handle the deployment. As the final result, you should see the BYOC deployment added as a new service in your Streamkap account.

Using AWS Console

1. Create the Provision Policy

  • In the AWS console, navigate to the IAM control panel.
  • Navigate to “Policies”.
  • Click the orange “Create Policy” policy button
  • Look for the “Policy editor”, where “visual” will be selected. Select “JSON”.
  • Replace the entire policy contents JSON with the provision policy JSON shown above (StreamkapProvisionAccess.json).
  • Below the editor, click the orange “Next” button.
  • Name the policy StreamkapProvisionAccess, and click “Create policy” at the bottom.

2. Create the Deprovision Policy

  • In the AWS console, navigate to the IAM control panel.
  • Navigate to “Policies”.
  • Click the orange “Create Policy” button.
  • Look for the “Policy editor” component group, where “visual” will be selected. Select “JSON”.
  • Replace the entire policy contents JSON with the deprovision policy JSON shown above (StreamkapDeprovisionAccess.json).

  • Below the editor, click the orange “Next” button.
  • Name the policy StreamkapDeprovisionAccess, and click “Create policy” at the bottom.

3. Create the Access Role

  • Return to the IAM dashboard and navigate to “Roles”.
  • Click the orange “Create role” button.
  • Under “Trusted entity type”, select “Custom trust policy”.
  • This will reveal a JSON editor field with the heading “Custom trust policy”.
  • Replace the entire trust policy contents with the following. The principal is a role in Streamkap's own AWS account; confirm the account ID with Streamkap through a channel you already trust before pasting it, since whoever controls that principal can assume this role. Note that the trust policy has no `Condition` block (for example an `sts:ExternalId` check), so assumption is gated solely on that principal — ask Streamkap whether they support an external ID before adding one, because adding it unilaterally would break their `AssumeRole` call.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::300973880807:role/installer-delegation"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
  • Click “Next” at the bottom of the page.
  • Search for the StreamkapProvisionAccess and StreamkapDeprovisionAccess policies and check the boxes.
  • Click “Next”.
  • Name the role StreamkapInstallAccess (or another name of your choice). The page should look like this:
  • Click “Create role”.
  • On the role page, locate the ARN field and make note of the value. It should take the form arn:aws:iam::{some number}:role/StreamkapInstallAccess .
  • Copy the role ARN from the previous step and send it back to us.

Using CloudFormation

The template below is equivalent to the console steps above: it creates the two customer-managed policies and the cross-account role. Because it uses fixed `ManagedPolicyName` and `RoleName` values, you must deploy it with `--capabilities CAPABILITY_NAMED_IAM`, and the stack will fail if resources with those names already exist in the account. The same caveats apply as for the console path: deploy it only in the dedicated sub-account, and verify the trusted account ID with Streamkap before deploying.

# CloudFormation equivalent of the console steps above: two customer-managed
# policies (provision / deprovision) and the cross-account role that Streamkap's
# installer assumes.
#
# NOTE(review): both policy documents below grant every listed action on
# Resource: "*". Nothing in the template limits which VPCs, roles, KMS keys,
# buckets, hosted zones or log groups the role may touch, so the AWS account
# this stack is deployed into is the only effective boundary. Deploy it only in
# the dedicated sub-account described earlier on this page.
#
# The fixed RoleName / ManagedPolicyName values mean the stack must be created
# with CAPABILITY_NAMED_IAM and will fail if those names already exist.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Permissions used while installing: networking, EKS, ECR, IAM roles/OIDC
  # for the cluster, KMS keys, CloudWatch log groups, Route 53 and S3.
  StreamkapProvisionAccessPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "StreamkapProvisionAccess"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Action:
              - "ec2:DescribeAddressesAttribute"
              - "ec2:CreateNetworkAclEntry"
              - "ecr:UntagResource"
              # EKS access entries / access policies control who is mapped
              # into the cluster's RBAC; Associate/Disassociate on "*" applies
              # to every EKS cluster in the account.
              - "eks:ListAccessEntries"
              - "eks:CreateAccessEntry"
              - "eks:DescribeAccessEntry"
              - "eks:UpdateAccessEntry"
              - "eks:AssociateAccessPolicy"
              - "eks:DisassociateAccessPolicy"
              - "eks:CreateAddon"
              - "eks:DescribeAddon"
              - "eks:UpdateAddon"
              - "eks:DescribeAddonConfiguration"
              - "eks:DescribeAddonVersions"
              - "eks:ListAddons"
              - "eks:ListAssociatedAccessPolicies"
              - "eks:CreateCluster"
              - "eks:DescribeCluster"
              - "eks:CreateNodegroup"
              - "eks:DescribeNodegroup"
              - "eks:UpdateNodegroupVersion"
              - "eks:TagResource"
              - "eks:UntagResource"
              - "eks:ListTagsForResource"
              - "eks:DescribeUpdate"
              - "iam:UntagPolicy"
              - "iam:UntagRole"
              - "kms:UntagResource"
              - "logs:UntagResource"
              - "logs:ListTagsForResource"
              # VPC / subnet / gateway / security-group creation for the
              # turnkey deployment option.
              - "ec2:AllocateAddress"
              - "ec2:AssociateRouteTable"
              - "ec2:AttachInternetGateway"
              - "ec2:AuthorizeSecurityGroupEgress"
              - "ec2:AuthorizeSecurityGroupIngress"
              - "ec2:CreateInternetGateway"
              - "ec2:CreateLaunchTemplate"
              - "ec2:CreateLaunchTemplateVersion"
              - "ec2:CreateNatGateway"
              - "ec2:CreateRoute"
              - "ec2:CreateRouteTable"
              - "ec2:CreateSecurityGroup"
              - "ec2:CreateSubnet"
              - "ec2:CreateTags"
              - "ec2:CreateVpc"
              - "ec2:DescribeAddresses"
              - "ec2:DescribeAvailabilityZones"
              - "ec2:DescribeInternetGateways"
              - "ec2:DescribeLaunchTemplateVersions"
              - "ec2:DescribeLaunchTemplates"
              - "ec2:DescribeNatGateways"
              - "ec2:DescribeNetworkAcls"
              - "ec2:DescribeRouteTables"
              - "ec2:DescribeSecurityGroupReferences"
              - "ec2:DescribeSecurityGroupRules"
              - "ec2:DescribeSecurityGroups"
              - "ec2:DescribeSubnets"
              - "ec2:DescribeTags"
              - "ec2:DescribeVpcAttribute"
              - "ec2:DescribeVpcClassicLink"
              - "ec2:DescribeVpcClassicLinkDnsSupport"
              - "ec2:DescribeVpcs"
              - "ec2:ModifyLaunchTemplate"
              - "ec2:ModifySubnetAttribute"
              - "ec2:ModifyVpcAttribute"
              - "ec2:RevokeSecurityGroupEgress"
              - "ec2:RunInstances"
              - "ecr:CreateRepository"
              - "ecr:DescribeRepositories"
              - "ecr:ListTagsForResource"
              - "ecr:TagResource"
              # NOTE(review): the IAM actions below are unscoped. CreateRole +
              # AttachRolePolicy/PutRolePolicy on "*" allow creating a role
              # with any permissions; UpdateAssumeRolePolicy on "*" allows
              # changing who may assume any existing role; PassRole on "*"
              # allows handing any role to EC2/EKS. This is why the stack
              # belongs in a dedicated account.
              - "iam:AttachRolePolicy"
              - "iam:CreateOpenIDConnectProvider"
              - "iam:CreatePolicy"
              - "iam:CreatePolicyVersion"
              - "iam:CreateRole"
              - "iam:CreateServiceLinkedRole"
              - "iam:GetOpenIDConnectProvider"
              - "iam:GetPolicy"
              - "iam:GetPolicyVersion"
              - "iam:GetRole"
              - "iam:GetRolePolicy"
              - "iam:ListAttachedRolePolicies"
              - "iam:ListRolePolicies"
              - "iam:PassRole"
              - "iam:PutRolePolicy"
              - "iam:TagOpenIDConnectProvider"
              - "iam:TagPolicy"
              - "iam:TagRole"
              - "iam:UpdateAssumeRolePolicy"
              # kms:PutKeyPolicy on "*" can rewrite the key policy of any
              # customer-managed key in the account, not only keys created here.
              - "kms:CreateAlias"
              - "kms:CreateGrant"
              - "kms:CreateKey"
              - "kms:DescribeKey"
              - "kms:GetKeyPolicy"
              - "kms:GetKeyRotationStatus"
              - "kms:ListAliases"
              - "kms:ListResourceTags"
              - "kms:PutKeyPolicy"
              - "kms:TagResource"
              - "logs:CreateLogGroup"
              - "logs:DescribeLogGroups"
              - "logs:ListTagsLogGroup"
              - "logs:PutRetentionPolicy"
              - "logs:TagLogGroup"
              - "logs:TagResource"
              # route53:ChangeResourceRecordSets on "*" covers every hosted
              # zone in the account.
              - "route53:ChangeResourceRecordSets"
              - "route53:ChangeTagsForResource"
              - "route53:CreateHostedZone"
              - "route53:GetChange"
              - "route53:GetHostedZone"
              - "route53:ListResourceRecordSets"
              - "route53:ListTagsForResource"
              # s3 read/write on "*" covers every bucket in the account; the
              # bucket(s) the installer actually uses are not named on this page.
              - "s3:GetObject"
              - "s3:ListBucket"
              - "s3:PutObject"
            Resource: "*"
  # Permissions used to tear the installation down again. Also unscoped:
  # DeleteRole, DeleteVpc, DeleteLogGroup and ScheduleKeyDeletion apply to any
  # matching resource in the account.
  StreamkapDeprovisionAccessPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "StreamkapDeprovisionAccess"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Action:
              - "ec2:DeleteNetworkAclEntry"
              - "eks:DeleteAddon"
              - "eks:DeleteCluster"
              - "eks:DescribeCluster"
              - "eks:DeleteNodegroup"
              - "eks:DescribeNodegroup"
              - "ec2:DeleteInternetGateway"
              - "ec2:DeleteLaunchTemplate"
              - "ec2:DeleteLaunchTemplateVersions"
              - "ec2:DeleteNatGateway"
              - "ec2:DeleteNetworkInterface"
              - "ec2:DeleteRoute"
              - "ec2:DeleteRouteTable"
              - "ec2:DeleteSecurityGroup"
              - "ec2:DeleteSubnet"
              - "ec2:DeleteTags"
              - "ec2:DeleteVpc"
              - "ec2:DescribeAddresses"
              - "ec2:DescribeInternetGateways"
              - "ec2:DescribeLaunchTemplateVersions"
              - "ec2:DescribeLaunchTemplates"
              - "ec2:DescribeNatGateways"
              - "ec2:DescribeNetworkAcls"
              - "ec2:DescribeNetworkInterfaces"
              - "ec2:DescribeRouteTables"
              - "ec2:DescribeSecurityGroupRules"
              - "ec2:DescribeSecurityGroups"
              - "ec2:DescribeSubnets"
              - "ec2:DescribeTags"
              - "ec2:DescribeVpcAttribute"
              - "ec2:DescribeVpcClassicLink"
              - "ec2:DescribeVpcClassicLinkDnsSupport"
              - "ec2:DescribeVpcs"
              - "ec2:DetachInternetGateway"
              - "ec2:DetachNetworkInterface"
              - "ec2:DisassociateAddress"
              - "ec2:DisassociateRouteTable"
              - "ec2:ReleaseAddress"
              - "ec2:RevokeSecurityGroupIngress"
              - "ecr:DeleteRepository"
              - "ecr:DescribeRepositories"
              - "ecr:ListTagsForResource"
              - "iam:DeleteOpenIDConnectProvider"
              - "iam:DeletePolicy"
              - "iam:DeletePolicyVersion"
              - "iam:DeleteRole"
              - "iam:DeleteRolePolicy"
              - "iam:DetachRolePolicy"
              - "iam:GetOpenIDConnectProvider"
              - "iam:GetPolicy"
              - "iam:GetPolicyVersion"
              - "iam:GetRole"
              - "iam:GetRolePolicy"
              - "iam:ListAttachedRolePolicies"
              - "iam:ListInstanceProfilesForRole"
              - "iam:ListPolicyVersions"
              - "iam:ListRolePolicies"
              - "kms:DeleteAlias"
              - "kms:DescribeKey"
              - "kms:GetKeyPolicy"
              - "kms:GetKeyRotationStatus"
              - "kms:ListAliases"
              - "kms:ListResourceTags"
              - "kms:RetireGrant"
              # ScheduleKeyDeletion is irreversible once the waiting period
              # elapses; on "*" it is not limited to keys this stack created.
              - "kms:ScheduleKeyDeletion"
              # logs:DeleteLogGroup on "*" includes any audit/CloudTrail log
              # groups that happen to live in the same account.
              - "logs:DeleteLogGroup"
              - "logs:DescribeLogGroups"
              - "logs:ListTagsLogGroup"
              - "route53:ChangeTagsForResource"
              - "route53:DeleteHostedZone"
              - "route53:GetDNSSEC"
              - "route53:GetHostedZone"
              - "route53:ListResourceRecordSets"
              - "route53:ListTagsForResource"
              - "s3:GetObject"
              - "s3:ListBucket"
            Resource: "*"
  # The role Streamkap's installer assumes. Its only permissions are the two
  # managed policies above.
  StreamkapInstallAccessRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "StreamkapInstallAccess"
      AssumeRolePolicyDocument:
        # Trust policy: a single role in Streamkap's own AWS account may call
        # sts:AssumeRole on this role. Verify the account ID with Streamkap
        # out of band before deploying.
        # NOTE(review): there is no Condition here (e.g. sts:ExternalId), so
        # assumption is gated solely on the vendor's principal. Do not add an
        # ExternalId condition unilaterally — it would break the installer's
        # AssumeRole call unless Streamkap's side passes the same value.
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Principal:
              AWS: "arn:aws:iam::300973880807:role/installer-delegation"
            Action: "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref StreamkapProvisionAccessPolicy
        - !Ref StreamkapDeprovisionAccessPolicy