diff --git a/docs/user/00-30-vpc-peering.md b/docs/user/00-30-vpc-peering.md index 05a291ef..094820ed 100644 --- a/docs/user/00-30-vpc-peering.md +++ b/docs/user/00-30-vpc-peering.md @@ -18,10 +18,7 @@ You can configure Cloud Manager's VPC peering using a dedicated custom resource Before you initiate VPC peering from a Kyma cluster, you must perform the following actions: -* Authorize Cloud Manager in the remote cloud provider landscape. For more information, see the relevant documents for the following cloud providers: - * Amazon Web Services: See [Authorization](./resources/04-30-10-aws-vpc-peering.md#authorization). - * Google Cloud: See [Required Permissions in the Remote Project](./resources/04-30-20-gcp-vpc-peering.md#required-permissions-in-the-remote-project). - * Microsoft Azure: See [Authorization](./resources/04-30-30-azure-vpc-peering.md#authorization). +* Authorize Cloud Manager in the remote cloud provider landscape. For more information, see [Authorizing Cloud Manager in the Remote Cloud Provider](00-50-vpc-peering-authorization.md) * Tag the remote network with the Kyma shoot name. For more information, see the following tutorials: * [Create Virtual Private Cloud Peering in Amazon Web Services](./tutorials/01-30-10-aws-vpc-peering.md). * [Create Virtual Private Cloud Peering in Google Cloud](./tutorials/01-30-20-gcp-vpc-peering.md). diff --git a/docs/user/00-50-vpc-peering-authorization.md b/docs/user/00-50-vpc-peering-authorization.md new file mode 100644 index 00000000..4b14299e --- /dev/null +++ b/docs/user/00-50-vpc-peering-authorization.md 
@@ -0,0 +1,94 @@ +# Authorizing Cloud Manager in the Remote Cloud Provider + +To create VPC peering in the Kyma environment, you must authorize the Cloud Manager module in the remote cloud provider to accept the connection. + +## Amazon Web Services + +For cross-account access in Amazon Web Services, Cloud Manager uses `AssumeRole`. `AssumeRole` requires specifying the trusted principle. For more information, see the [official Amazon Web Services documentation](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-role.html). + +Use the following table to identify the Cloud Manager principal based on your Kyma landscape. Then perform the required actions: + +| BTP Cockpit URL | Kyma Dashboard URL | Cloud Manager Principal | +|------------------------------------|----------------------------------------|--------------------------------------------------------------| +| https://canary.cockpit.btp.int.sap | https://dashboard.stage.kyma.cloud.sap | `arn:aws:iam::194230256199:user/cloud-manager-peering-stage` | +| https://emea.cockpit.btp.cloud.sap | https://dashboard.kyma.cloud.sap | `arn:aws:iam::194230256199:user/cloud-manager-peering-prod` | + +1. Create a new role named **CloudManagerPeeringRole** with a trust policy that allows the Cloud Manager principal to assume the role: + + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "{CLOUD_MANAGER_PRINCIPAL}" + }, + "Action": "sts:AssumeRole" + } + ] + } + + ``` + +2. Create a new **CloudManagerPeeringAccess** managed policy with the following permissions: + + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Statement1", + "Effect": "Allow", + "Action": [ + "ec2:AcceptVpcPeeringConnection", + "ec2:DescribeVpcs", + "ec2:DescribeVpcPeeringConnections", + "ec2:DescribeRouteTables", + "ec2:CreateRoute", + "ec2:CreateTags" + ], + "Resource": "*" + } + ] + } + ``` + +3. 
Attach the **CloudManagerPeeringAccess** policy to the **CloudManagerPeeringRole**. + +## Google Cloud + +Grant the following permissions to the Kyma service account in your GCP project: + +| Permission | Description | +|--------------------------------------|-----------------------------------------------------------------------------| +| `compute.networks.addPeering` | Required to create the peering request in the remote project and VPC. | +| `compute.networks.get` | Required to fetch the list of existing VPC peerings from the remote VPC. | +| `compute.networks.ListEffectiveTags` | Required to check if the remote VPC is tagged with the Kyma shoot name tag. | + +For more information on how to manage access to service accounts, see the [official Google Cloud documentation](https://cloud.google.com/iam/docs/manage-access-service-accounts). + +### Service Account + +For security reasons, each Kyma landscape has its own service account. Use the following table to identify the correct Cloud Manager service account for your Kyma landscape: + +| BTP Cockpit URL | Kyma Dashboard URL | Cloud Manager Service Account | +|------------------------------------|----------------------------------------|------------------------------------------------------------------------| +| https://canary.cockpit.btp.int.sap | https://dashboard.stage.kyma.cloud.sap | `cloud-manager-peering@sap-ti-dx-kyma-mps-stage.iam.gserviceaccount.com` | +| https://emea.cockpit.btp.cloud.sap | https://dashboard.kyma.cloud.sap | `cloud-manager-peering@sap-ti-dx-kyma-mps-prod.iam.gserviceaccount.com` | + +## Microsoft Azure + +Microsoft Azure requires specifying the service principal. 
Use the following table to identify the Cloud Manager service principal based on your Kyma landscape: + +| BTP Cockpit URL | Kyma Dashboard URL | Cloud Manager Service Principal | +|------------------------------------|----------------------------------------|----------------------------------| +| https://canary.cockpit.btp.int.sap | https://dashboard.stage.kyma.cloud.sap | kyma-cloud-manager-peering-stage | +| https://emea.cockpit.btp.cloud.sap | https://dashboard.kyma.cloud.sap | kyma-cloud-manager-peering-prod | + +Assign the following Identity and Access Management (IAM) roles to the Cloud Manager service principal: + +* Classic Network Contributor +* Network Contributor + +For more information, see the official Microsoft Azure documentation on how to [Assign Azure roles using the Azure portal](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal) and how to [Manage service principals](https://learn.microsoft.com/en-us/azure/databricks/admin/users-groups/service-principals). diff --git a/docs/user/resources/04-30-10-aws-vpc-peering.md b/docs/user/resources/04-30-10-aws-vpc-peering.md index b93049bf..45ad4edd 100644 --- a/docs/user/resources/04-30-10-aws-vpc-peering.md +++ b/docs/user/resources/04-30-10-aws-vpc-peering.md 
@@ -7,61 +7,6 @@ of the same cloud provider. Once an `AwsVpcPeering` CR is created and reconciled, the Cloud Manager controller creates a VPC peering connection in the Kyma cluster underlying cloud provider account and accepts VPC peering connection in the remote cloud provider account. -## Authorization - -Cloud Manager must be authorized in the remote cloud provider account to accept VPC peering connection. For cross-account access, -Cloud Manager uses [`AssumeRole`](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-role.html). - -Use the following table to identify Cloud Manager principal based on your Kyma landscape: - -| BTP cockpit URL | Kyma dashboard URL | Cloud Manager principal | -|------------------------------------|----------------------------------------|--------------------------------------------------------------| -| https://canary.cockpit.btp.int.sap | https://dashboard.stage.kyma.cloud.sap | `arn:aws:iam::194230256199:user/cloud-manager-peering-stage` | -| https://emea.cockpit.btp.cloud.sap | https://dashboard.kyma.cloud.sap | `arn:aws:iam::194230256199:user/cloud-manager-peering-prod` | - -1. Create a new role named **CloudManagerPeeringRole** with a trust policy that allows Cloud Manager principal to assume the role: - - ```json - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "{CLOUD_MANAGER_PRINCIPAL}" - }, - "Action": "sts:AssumeRole" - } - ] - } - - ``` - -2. Create a new managed policy **CloudManagerPeeringAccess** with the following permissions: - - ```json - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Statement1", - "Effect": "Allow", - "Action": [ - "ec2:AcceptVpcPeeringConnection", - "ec2:DescribeVpcs", - "ec2:DescribeVpcPeeringConnections", - "ec2:DescribeRouteTables", - "ec2:CreateRoute", - "ec2:CreateTags" - ], - "Resource": "*" - } - ] - } - ``` - -3. 
Attach the **CloudManagerPeeringAccess** policy to the **CloudManagerPeeringRole**: - ## Required Actions in the Remote Project Before creating the VPC peering, please tag your AWS account VPC with the Kyma shoot name tag. diff --git a/docs/user/resources/04-30-20-gcp-vpc-peering.md b/docs/user/resources/04-30-20-gcp-vpc-peering.md index eebbc65a..a56264cf 100644 --- a/docs/user/resources/04-30-20-gcp-vpc-peering.md +++ b/docs/user/resources/04-30-20-gcp-vpc-peering.md 
@@ -4,35 +4,11 @@ The `gcpvpcpeering.cloud-resources.kyma-project.io` custom resource (CR) describ that you can create to allow communication between Kyma and a remote VPC in Google Cloud Platform (GCP). It enables you to consume services available in the remote VPC from the Kyma cluster. -## Required Permissions in the Remote Project - -To create VPC peering, the following permissions must be granted to the Kyma service account in your GCP project: - -| Permission | Description | -|--------------------------------------|-----------------------------------------------------------------------------| -| `compute.networks.addPeering` | Required to create the peering request in the remote project and VPC. | -| `compute.networks.get` | Required to fetch the list of existing VPC peerings from the remote VPC. | -| `compute.networks.ListEffectiveTags` | Required to check if the remote VPC is tagged with the Kyma shoot name tag. | - -For more information on how to manage access to service accounts, see the [Google Cloud documentation](https://cloud.google.com/iam/docs/manage-access-service-accounts). - -### Service Account - -For security reasons, each Kyma landscape has its own service account. -Use the following table to identify the correct Cloud Manager service account for your Kyma landscape: - -| BTP cockpit URL | Kyma Dashboard URL | Cloud Manager service account | -|------------------------------------|----------------------------------------|------------------------------------------------------------------------| -| https://canary.cockpit.btp.int.sap | https://dashboard.stage.kyma.cloud.sap | `cloud-manager-peering@sap-ti-dx-kyma-mps-stage.iam.gserviceaccount.com` | -| https://emea.cockpit.btp.cloud.sap | https://dashboard.kyma.cloud.sap | `cloud-manager-peering@sap-ti-dx-kyma-mps-prod.iam.gserviceaccount.com` | - - ## Required Actions in the Remote Project Before creating the VPC peering, please tag your GCP project's VPC with the Kyma shoot name tag. 
For more information, check the [Create Virtual Private Cloud Peering in Google Cloud](../tutorials/01-30-20-gcp-vpc-peering.md) tutorial. - ## Specification This table lists the parameters of the given resource together with their descriptions: @@ -72,4 +48,4 @@ spec: remoteProject: "my-remote-project" remoteVpc: "default" importCustomRoutes: false -``` \ No newline at end of file +``` diff --git a/docs/user/resources/04-30-30-azure-vpc-peering.md b/docs/user/resources/04-30-30-azure-vpc-peering.md index 371b5521..2d623303 100644 --- a/docs/user/resources/04-30-30-azure-vpc-peering.md +++ b/docs/user/resources/04-30-30-azure-vpc-peering.md 
@@ -8,29 +8,11 @@ Once an `AzureVpcPeering` CR is created and reconciled, the Cloud Manager contro the VPC network of the Kyma cluster in the underlying cloud provider subscription, and accepts a VPC peering connection in the remote cloud provider subscription. -## Authorization - -Cloud Manager must be authorized in the remote cloud provider subscription to accept a VPC peering connection. - -Use the following table to identify Cloud Manager service principal based on your Kyma landscape: - -| BTP cockpit URL | Kyma dashboard URL | Cloud Manager service principal | -|------------------------------------|----------------------------------------|----------------------------------| -| https://canary.cockpit.btp.int.sap | https://dashboard.stage.kyma.cloud.sap | kyma-cloud-manager-peering-stage | -| https://emea.cockpit.btp.cloud.sap | https://dashboard.kyma.cloud.sap | kyma-cloud-manager-peering-prod | - -And assign the following Identity and Access Management (IAM) roles to the Cloud Manager service principal: - -* Classic Network Contributor -* Network Contributor - ## Required Actions in the Remote Project Before creating the VPC peering, please tag your Azure subscription VPC with the Kyma shoot name tag. For more information, check the [Create Virtual Private Cloud Peering in Microsoft Azure](../tutorials/01-30-30-azure-vpc-peering.md) tutorial. - - ## Deleting `AzureVpcPeering` Kyma's underlying cloud provider VPC peering connection is deleted as a part of the AzureVpcPeering deletion. The remote VPC diff --git a/docs/user/tutorials/01-30-10-aws-vpc-peering.md b/docs/user/tutorials/01-30-10-aws-vpc-peering.md index 40011b81..923f6dad 100644 --- a/docs/user/tutorials/01-30-10-aws-vpc-peering.md +++ b/docs/user/tutorials/01-30-10-aws-vpc-peering.md 
@@ -16,7 +16,7 @@ This tutorial explains how to create a Virtual Private Cloud (VPC) peering conne export AWS_REGION={REGION} ``` -2. Create a trust policy document. See [AwsVpcPeering Custom Resource](../resources/04-30-10-aws-vpc-peering.md#authorization) to identify Cloud Manager principal: +2. Create a trust policy document. See [Authorizing Cloud Manager in the Remote Cloud Provider](../00-50-vpc-peering-authorization.md#amazon-web-services) to identify Cloud Manager principal: ```shell export CLOUD_MANAGER_PRINCIPAL={CLOUD_MANAGER_PRINCIPAL} diff --git a/docs/user/tutorials/01-30-30-azure-vpc-peering.md b/docs/user/tutorials/01-30-30-azure-vpc-peering.md index 301ea9b7..4462f4fd 100644 --- a/docs/user/tutorials/01-30-30-azure-vpc-peering.md +++ b/docs/user/tutorials/01-30-30-azure-vpc-peering.md @@ -16,7 +16,7 @@ This tutorial explains how to create a Virtual Private Cloud (VPC) peering conne az account set --subscription $SUBSCRIPTION ``` -2. Assign the required roles to the Cloud Manager peering service principal. See [AzureVpcPeering Custom Resource](../resources/04-30-30-azure-vpc-peering.md#authorization) to identify Cloud Manager service principal: +2. Assign the required roles to the Cloud Manager peering service principal. See [Authorizing Cloud Manager in the Remote Cloud Provider](../00-50-vpc-peering-authorization.md#microsoft-azure) to identify Cloud Manager service principal: ```shell export SUBSCRIPTION_ID=$(az account show --query id -o tsv) export CLOUD_MANAGER_PRINCIPAL={CLOUD_MANAGER_PRINCIPAL}
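Review bot: in the `docs/user/00-30-vpc-peering.md` hunk, the replacement bullet loses the per-provider anchors that the three deleted sub-bullets carried and drops the trailing period, while the sibling "Tag the remote network" bullet still ends its items with periods and the two tutorial hunks in this same change link to `00-50-vpc-peering-authorization.md#amazon-web-services` and `#microsoft-azure`. Either keep three provider sub-bullets pointing at `#amazon-web-services`, `#google-cloud` and `#microsoft-azure` on the new page, or at least end the sentence with a period. The other links in this list are written as `./resources/...` and `./tutorials/...`; `00-50-vpc-peering-authorization.md` without `./` resolves the same way but is inconsistent with them.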
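Review bot: in the new `docs/user/00-50-vpc-peering-authorization.md`, the AWS trust policy has no `Condition` block and the `CloudManagerPeeringAccess` policy grants the mutating actions `ec2:AcceptVpcPeeringConnection`, `ec2:CreateRoute` and `ec2:CreateTags` on `"Resource": "*"`, so the page should state what limits what a role assumed by the shared `cloud-manager-peering-prod` user can do in a customer account: document an `sts:ExternalId` condition if Cloud Manager supports one (the standard mitigation when one principal assumes roles in many accounts), or say explicitly that the Kyma shoot name tag check is the only binding between the role and a given cluster. The `Describe*` actions need `*`, but the three mutating actions can be put in a second statement scoped to the peered VPC and its route tables (for example with an `ec2:ResourceTag` condition on the shoot name tag), and `"Sid": "Statement1"` should get a meaningful name. Smaller points in the same hunk: `trusted principle` should read `trusted principal`, which is the IAM term; the Google Cloud permission is written `compute.networks.ListEffectiveTags`, whereas Compute IAM permission names are documented in lowerCamelCase (`compute.networks.listEffectiveTags`), so verify the spelling before readers copy it into a custom role; the Azure table identifies the service principal only by display name (`kyma-cloud-manager-peering-prod`), which is not unique within a tenant, so add the application (client) ID or object ID so readers do not assign Network Contributor to a look-alike principal; the Azure section should also say at which scope to assign the roles (the peered VNet or its resource group rather than the whole subscription) and whether Classic Network Contributor is still required alongside Network Contributor; and the "Manage service principals" link points at the Azure Databricks docs (`/azure/databricks/admin/users-groups/service-principals`) rather than the Microsoft Entra ID documentation on service principals.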
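Review bot: the hunk in `docs/user/resources/04-30-10-aws-vpc-peering.md` deletes the whole `## Authorization` section without adding a pointer to its new location, so a reader who lands on the `AwsVpcPeering` resource page (whose intro still says Cloud Manager "accepts VPC peering connection in the remote cloud provider account") no longer learns that the remote account must trust the Cloud Manager principal. Add one sentence under `## Required Actions in the Remote Project` linking to `../00-50-vpc-peering-authorization.md#amazon-web-services`, mirroring the link the `01-30-10-aws-vpc-peering.md` tutorial hunk receives.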
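Review bot: the first hunk in `docs/user/resources/04-30-20-gcp-vpc-peering.md` removes the `#required-permissions-in-the-remote-project` anchor, but unlike the AWS and Azure tutorials, `docs/user/tutorials/01-30-20-gcp-vpc-peering.md` is not touched in this change; please check that tutorial for links to the removed anchor. The resource page also now says nothing about the Cloud Manager service account needing permissions in the remote project, so add a link to `../00-50-vpc-peering-authorization.md#google-cloud` under `## Required Actions in the Remote Project`.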
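Review bot: the hunk in `docs/user/resources/04-30-30-azure-vpc-peering.md` removes the `## Authorization` section while the intro still states that Cloud Manager "accepts a VPC peering connection in the remote cloud provider subscription", leaving no hint on this page that a role assignment to the Cloud Manager service principal is required. Add a link to `../00-50-vpc-peering-authorization.md#microsoft-azure` under `## Required Actions in the Remote Project`, as the `01-30-30-azure-vpc-peering.md` tutorial hunk does.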
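Review bot: in the `docs/user/tutorials/01-30-10-aws-vpc-peering.md` hunk, the new sentence keeps the wording "to identify Cloud Manager principal"; since the line is being rewritten anyway, change it to "to identify the Cloud Manager principal" (the Azure tutorial hunk has the same "identify Cloud Manager service principal" phrasing and could be fixed in the same pass).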