AWS BYOC
Please read through Bring Your Own Cloud (BYOC) to understand BYOC in more detail.
Deployment Options
- Turnkey / default - creates a VPN and cluster for a fully managed install
- BYO-VPN - requires the customer to provide a VPN
Overview
This document guides you through giving Streamkap access to provision software in your AWS account by creating an IAM role that trusts a Streamkap IAM principal. Access is limited to the permissions defined in the following IAM policies. Read them before you apply them: both policies are granted on `"Resource": "*"`, and the provision policy includes `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy`, `iam:CreatePolicyVersion`, `iam:UpdateAssumeRolePolicy` and `iam:PassRole` on every role and policy in the account (plus `kms:PutKeyPolicy` on every key and `s3:GetObject`/`s3:PutObject` on every bucket), so in practice the role can reach administrator-equivalent access. Grant it only in a dedicated account that holds nothing but the Streamkap deployment.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Resource": "*",
"Action": [
"ec2:DescribeAddressesAttribute",
"ec2:CreateNetworkAclEntry",
"ecr:UntagResource",
"eks:ListAccessEntries",
"eks:CreateAccessEntry",
"eks:DescribeAccessEntry",
"eks:UpdateAccessEntry",
"eks:AssociateAccessPolicy",
"eks:DisassociateAccessPolicy",
"eks:CreateAddon",
"eks:DescribeAddon",
"eks:UpdateAddon",
"eks:DescribeAddonConfiguration",
"eks:DescribeAddonVersions",
"eks:ListAddons",
"eks:ListAssociatedAccessPolicies",
"eks:CreateCluster",
"eks:DescribeCluster",
"eks:CreateNodegroup",
"eks:DescribeNodegroup",
"eks:UpdateNodegroupVersion",
"eks:TagResource",
"eks:UntagResource",
"eks:ListTagsForResource",
"eks:DescribeUpdate",
"iam:UntagPolicy",
"iam:UntagRole",
"kms:UntagResource",
"logs:UntagResource",
"logs:ListTagsForResource",
"ec2:AllocateAddress",
"ec2:AssociateRouteTable",
"ec2:AttachInternetGateway",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateInternetGateway",
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:CreateNatGateway",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroupReferences",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcs",
"ec2:ModifyLaunchTemplate",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute",
"ec2:RevokeSecurityGroupEgress",
"ec2:RunInstances",
"ecr:CreateRepository",
"ecr:DescribeRepositories",
"ecr:ListTagsForResource",
"ecr:TagResource",
"iam:AttachRolePolicy",
"iam:CreateOpenIDConnectProvider",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:CreateRole",
"iam:CreateServiceLinkedRole",
"iam:GetOpenIDConnectProvider",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:TagOpenIDConnectProvider",
"iam:TagPolicy",
"iam:TagRole",
"iam:UpdateAssumeRolePolicy",
"kms:CreateAlias",
"kms:CreateGrant",
"kms:CreateKey",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListResourceTags",
"kms:PutKeyPolicy",
"kms:TagResource",
"logs:CreateLogGroup",
"logs:DescribeLogGroups",
"logs:ListTagsLogGroup",
"logs:PutRetentionPolicy",
"logs:TagLogGroup",
"logs:TagResource",
"route53:ChangeResourceRecordSets",
"route53:ChangeTagsForResource",
"route53:CreateHostedZone",
"route53:GetChange",
"route53:GetHostedZone",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource",
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Resource": "*",
"Action": [
"ec2:DeleteNetworkAclEntry",
"eks:DeleteAddon",
"eks:DeleteCluster",
"eks:DescribeCluster",
"eks:DeleteNodegroup",
"eks:DescribeNodegroup",
"ec2:DeleteInternetGateway",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteLaunchTemplateVersions",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkInterface",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteVpc",
"ec2:DescribeAddresses",
"ec2:DescribeInternetGateways",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcs",
"ec2:DetachInternetGateway",
"ec2:DetachNetworkInterface",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupIngress",
"ecr:DeleteRepository",
"ecr:DescribeRepositories",
"ecr:ListTagsForResource",
"iam:DeleteOpenIDConnectProvider",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetOpenIDConnectProvider",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"kms:DeleteAlias",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListResourceTags",
"kms:RetireGrant",
"kms:ScheduleKeyDeletion",
"logs:DeleteLogGroup",
"logs:DescribeLogGroups",
"logs:ListTagsLogGroup",
"route53:ChangeTagsForResource",
"route53:DeleteHostedZone",
"route53:GetDNSSEC",
"route53:GetHostedZone",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource",
"s3:GetObject",
"s3:ListBucket"
]
}
]
}
Please note that this deployment should happen in a dedicated sub-account (with its own subnet) that is connected to your main hub. Because the policies above are granted on `"Resource": "*"` and include role-, policy- and KMS-key-management as well as delete actions (`ec2:DeleteVpc`, `iam:DeleteRole`, `kms:ScheduleKeyDeletion`, `route53:DeleteHostedZone`), do not create this role in an account that also hosts unrelated workloads or data.
Here are the steps:
- Create an IAM policy granting permission to provision an install.
- Create an IAM policy granting permission to deprovision an install.
- Create an IAM role that uses those policies, and grants access to the vendor via a trust policy. Note that the role carries both the provision and the deprovision policy at the same time; the split into two policies is for readability, not a privilege boundary.
- Share the IAM role’s ARN with Streamkap.
Once the role is created and acknowledged by the Streamkap team, we will handle the deployment. When it finishes, you should see the BYOC deployment added as a new service in your Streamkap account.
Using AWS Console
1. Create the Provision Policy
- In the AWS console, navigate to the IAM control panel.

- Navigate to “Policies”.

- Click the orange “Create Policy” button.

- Look for the “Policy editor”, where “visual” will be selected. Select “JSON”.

- Replace the entire policy contents JSON with the StreamkapProvisionAccess policy shown above (the first JSON document).
- Below the editor, click the orange “Next” button.
- Name the policy
StreamkapProvisionAccess
, and click “Create policy” at the bottom.
2. Create the Deprovision Policy
- In the AWS console, navigate to the IAM control panel.

Navigate to “Policies”.

Click the orange “Create Policy” button.

Look for the “Policy editor” component group, where “visual” will be selected. Select “JSON”.

Replace the entire policy contents JSON with the StreamkapDeprovisionAccess policy shown above (the second JSON document).
- Below the editor, click the orange “Next” button.
- Name the policy
StreamkapDeprovisionAccess
, and click “Create policy” at the bottom.
3. Create the Access Role
- Return to the IAM dashboard and navigate to “Roles”

- Click the orange “Create role” button.

- Under “trusted entity type”, select “Custom trust policy”

- This will reveal a JSON editor field with the heading “Custom trust policy”.
- Replace the entire trust policy contents with the following. Before saving, verify the principal ARN against the value Streamkap gave you through an authenticated channel. Note that this trust policy has no `sts:ExternalId` condition: ask Streamkap whether they support an external ID and, if so, add a `Condition` block with `StringEquals` on `sts:ExternalId`, which is AWS's recommended protection against the confused-deputy problem for third-party cross-account roles.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::300973880807:role/installer-delegation"
},
"Action": "sts:AssumeRole"
}
]
}
- Click “Next” at the bottom of the page.
- Search for the
StreamkapProvisionAccess
and StreamkapDeprovisionAccess
policies and check the boxes.

- Click “Next”
- Name the role
StreamkapInstallAccess
(or another name of your choice). The page should look like this:

- Click “Create role”
- On the role page, locate the ARN field and make note of the value. It should take the form
arn:aws:iam::{some number}:role/StreamkapInstallAccess
.

- Copy the role ARN noted above and send it back to Streamkap.
Using Cloudformation
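AWSTemplateFormatVersion: "2010-09-09"
# CloudFormation equivalent of the console steps above: two customer-managed
# policies (provision / deprovision) and one role, trusted by Streamkap's
# installer role, that carries both policies at once.
#
# NOTE(review): every statement below uses Resource "*". The provision policy
# grants iam:CreateRole, iam:AttachRolePolicy, iam:PutRolePolicy,
# iam:CreatePolicyVersion, iam:UpdateAssumeRolePolicy and iam:PassRole on any
# role/policy in the account, kms:PutKeyPolicy on any key and s3:PutObject on
# any bucket, which is administrator-equivalent in practice. Deploy this
# template only in a dedicated sub-account that contains nothing but the
# Streamkap installation.
Resources:
  # Permissions needed to create the VPC, EKS cluster, IAM roles, KMS key,
  # log groups, Route53 zone and ECR repositories for an install.
  StreamkapProvisionAccessPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "StreamkapProvisionAccess"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Action:
              - "ec2:DescribeAddressesAttribute"
              - "ec2:CreateNetworkAclEntry"
              - "ecr:UntagResource"
              - "eks:ListAccessEntries"
              - "eks:CreateAccessEntry"
              - "eks:DescribeAccessEntry"
              - "eks:UpdateAccessEntry"
              - "eks:AssociateAccessPolicy"
              - "eks:DisassociateAccessPolicy"
              - "eks:CreateAddon"
              - "eks:DescribeAddon"
              - "eks:UpdateAddon"
              - "eks:DescribeAddonConfiguration"
              - "eks:DescribeAddonVersions"
              - "eks:ListAddons"
              - "eks:ListAssociatedAccessPolicies"
              - "eks:CreateCluster"
              - "eks:DescribeCluster"
              - "eks:CreateNodegroup"
              - "eks:DescribeNodegroup"
              - "eks:UpdateNodegroupVersion"
              - "eks:TagResource"
              - "eks:UntagResource"
              - "eks:ListTagsForResource"
              - "eks:DescribeUpdate"
              - "iam:UntagPolicy"
              - "iam:UntagRole"
              - "kms:UntagResource"
              - "logs:UntagResource"
              - "logs:ListTagsForResource"
              - "ec2:AllocateAddress"
              - "ec2:AssociateRouteTable"
              - "ec2:AttachInternetGateway"
              - "ec2:AuthorizeSecurityGroupEgress"
              - "ec2:AuthorizeSecurityGroupIngress"
              - "ec2:CreateInternetGateway"
              - "ec2:CreateLaunchTemplate"
              - "ec2:CreateLaunchTemplateVersion"
              - "ec2:CreateNatGateway"
              - "ec2:CreateRoute"
              - "ec2:CreateRouteTable"
              - "ec2:CreateSecurityGroup"
              - "ec2:CreateSubnet"
              - "ec2:CreateTags"
              - "ec2:CreateVpc"
              - "ec2:DescribeAddresses"
              - "ec2:DescribeAvailabilityZones"
              - "ec2:DescribeInternetGateways"
              - "ec2:DescribeLaunchTemplateVersions"
              - "ec2:DescribeLaunchTemplates"
              - "ec2:DescribeNatGateways"
              - "ec2:DescribeNetworkAcls"
              - "ec2:DescribeRouteTables"
              - "ec2:DescribeSecurityGroupReferences"
              - "ec2:DescribeSecurityGroupRules"
              - "ec2:DescribeSecurityGroups"
              - "ec2:DescribeSubnets"
              - "ec2:DescribeTags"
              - "ec2:DescribeVpcAttribute"
              - "ec2:DescribeVpcClassicLink"
              - "ec2:DescribeVpcClassicLinkDnsSupport"
              - "ec2:DescribeVpcs"
              - "ec2:ModifyLaunchTemplate"
              - "ec2:ModifySubnetAttribute"
              - "ec2:ModifyVpcAttribute"
              - "ec2:RevokeSecurityGroupEgress"
              - "ec2:RunInstances"
              - "ecr:CreateRepository"
              - "ecr:DescribeRepositories"
              - "ecr:ListTagsForResource"
              - "ecr:TagResource"
              # NOTE(review): the iam:* actions below are unscoped (Resource "*");
              # they allow changing the permissions and trust policy of any role
              # in the account, not only the ones the installer creates.
              - "iam:AttachRolePolicy"
              - "iam:CreateOpenIDConnectProvider"
              - "iam:CreatePolicy"
              - "iam:CreatePolicyVersion"
              - "iam:CreateRole"
              - "iam:CreateServiceLinkedRole"
              - "iam:GetOpenIDConnectProvider"
              - "iam:GetPolicy"
              - "iam:GetPolicyVersion"
              - "iam:GetRole"
              - "iam:GetRolePolicy"
              - "iam:ListAttachedRolePolicies"
              - "iam:ListRolePolicies"
              - "iam:PassRole"
              - "iam:PutRolePolicy"
              - "iam:TagOpenIDConnectProvider"
              - "iam:TagPolicy"
              - "iam:TagRole"
              - "iam:UpdateAssumeRolePolicy"
              - "kms:CreateAlias"
              - "kms:CreateGrant"
              - "kms:CreateKey"
              - "kms:DescribeKey"
              - "kms:GetKeyPolicy"
              - "kms:GetKeyRotationStatus"
              - "kms:ListAliases"
              - "kms:ListResourceTags"
              - "kms:PutKeyPolicy"
              - "kms:TagResource"
              - "logs:CreateLogGroup"
              - "logs:DescribeLogGroups"
              - "logs:ListTagsLogGroup"
              - "logs:PutRetentionPolicy"
              - "logs:TagLogGroup"
              - "logs:TagResource"
              - "route53:ChangeResourceRecordSets"
              - "route53:ChangeTagsForResource"
              - "route53:CreateHostedZone"
              - "route53:GetChange"
              - "route53:GetHostedZone"
              - "route53:ListResourceRecordSets"
              - "route53:ListTagsForResource"
              - "s3:GetObject"
              - "s3:ListBucket"
              - "s3:PutObject"
            Resource: "*"
  # Permissions needed to tear an install down again. Also unscoped: the
  # delete actions apply to any VPC, role, policy, KMS key, log group or
  # hosted zone in the account.
  StreamkapDeprovisionAccessPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "StreamkapDeprovisionAccess"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Action:
              - "ec2:DeleteNetworkAclEntry"
              - "eks:DeleteAddon"
              - "eks:DeleteCluster"
              - "eks:DescribeCluster"
              - "eks:DeleteNodegroup"
              - "eks:DescribeNodegroup"
              - "ec2:DeleteInternetGateway"
              - "ec2:DeleteLaunchTemplate"
              - "ec2:DeleteLaunchTemplateVersions"
              - "ec2:DeleteNatGateway"
              - "ec2:DeleteNetworkInterface"
              - "ec2:DeleteRoute"
              - "ec2:DeleteRouteTable"
              - "ec2:DeleteSecurityGroup"
              - "ec2:DeleteSubnet"
              - "ec2:DeleteTags"
              - "ec2:DeleteVpc"
              - "ec2:DescribeAddresses"
              - "ec2:DescribeInternetGateways"
              - "ec2:DescribeLaunchTemplateVersions"
              - "ec2:DescribeLaunchTemplates"
              - "ec2:DescribeNatGateways"
              - "ec2:DescribeNetworkAcls"
              - "ec2:DescribeNetworkInterfaces"
              - "ec2:DescribeRouteTables"
              - "ec2:DescribeSecurityGroupRules"
              - "ec2:DescribeSecurityGroups"
              - "ec2:DescribeSubnets"
              - "ec2:DescribeTags"
              - "ec2:DescribeVpcAttribute"
              - "ec2:DescribeVpcClassicLink"
              - "ec2:DescribeVpcClassicLinkDnsSupport"
              - "ec2:DescribeVpcs"
              - "ec2:DetachInternetGateway"
              - "ec2:DetachNetworkInterface"
              - "ec2:DisassociateAddress"
              - "ec2:DisassociateRouteTable"
              - "ec2:ReleaseAddress"
              - "ec2:RevokeSecurityGroupIngress"
              - "ecr:DeleteRepository"
              - "ecr:DescribeRepositories"
              - "ecr:ListTagsForResource"
              - "iam:DeleteOpenIDConnectProvider"
              - "iam:DeletePolicy"
              - "iam:DeletePolicyVersion"
              - "iam:DeleteRole"
              - "iam:DeleteRolePolicy"
              - "iam:DetachRolePolicy"
              - "iam:GetOpenIDConnectProvider"
              - "iam:GetPolicy"
              - "iam:GetPolicyVersion"
              - "iam:GetRole"
              - "iam:GetRolePolicy"
              - "iam:ListAttachedRolePolicies"
              - "iam:ListInstanceProfilesForRole"
              - "iam:ListPolicyVersions"
              - "iam:ListRolePolicies"
              - "kms:DeleteAlias"
              - "kms:DescribeKey"
              - "kms:GetKeyPolicy"
              - "kms:GetKeyRotationStatus"
              - "kms:ListAliases"
              - "kms:ListResourceTags"
              - "kms:RetireGrant"
              - "kms:ScheduleKeyDeletion"
              - "logs:DeleteLogGroup"
              - "logs:DescribeLogGroups"
              - "logs:ListTagsLogGroup"
              - "route53:ChangeTagsForResource"
              - "route53:DeleteHostedZone"
              - "route53:GetDNSSEC"
              - "route53:GetHostedZone"
              - "route53:ListResourceRecordSets"
              - "route53:ListTagsForResource"
              - "s3:GetObject"
              - "s3:ListBucket"
            Resource: "*"
  # The role Streamkap assumes. Its ARN is what you share with Streamkap.
  StreamkapInstallAccessRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "StreamkapInstallAccess"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Principal:
              # Verify this ARN against the value Streamkap gave you through an
              # authenticated channel before deploying.
              AWS: "arn:aws:iam::300973880807:role/installer-delegation"
            Action: "sts:AssumeRole"
            # NOTE(review): there is no sts:ExternalId condition on this trust.
            # Confirm with Streamkap whether they support an external ID; if so,
            # add under this statement:
            #   Condition:
            #     StringEquals:
            #       "sts:ExternalId": "<value agreed with Streamkap>"
      # Both policies are attached at once; the provision/deprovision split is
      # organisational, not a privilege boundary.
      ManagedPolicyArns:
        - !Ref StreamkapProvisionAccessPolicy
        - !Ref StreamkapDeprovisionAccessPolicy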