docs(VpcPeering): improve tutorial to identify correct principals #992

Status: Open. Wants to merge 5 commits into base: main.

9 changes: 7 additions & 2 deletions docs/user/resources/04-30-10-aws-vpc-peering.md
@@ -14,8 +14,8 @@ Cloud Manager uses [`AssumeRole`](https://awscli.amazonaws.com/v2/documentation/

Use the following table to identify Cloud Manager principal based on your Kyma landscape:

| BTP cockpit URL | Kyma dashboard URL | Cloud Manager principal |
|------------------------------------|----------------------------------------|------------------------------------------------------------|
| BTP cockpit URL | Kyma dashboard URL | Cloud Manager principal |
|------------------------------------|----------------------------------------|--------------------------------------------------------------|
| https://canary.cockpit.btp.int.sap | https://dashboard.stage.kyma.cloud.sap | `arn:aws:iam::194230256199:user/cloud-manager-peering-stage` |
| https://emea.cockpit.btp.cloud.sap | https://dashboard.kyma.cloud.sap | `arn:aws:iam::194230256199:user/cloud-manager-peering-prod` |

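Review bot: the table gives only a bare user ARN per landscape, so the text around it should say to paste that ARN verbatim into the trust policy's `Principal` and never to widen it to the account root (`arn:aws:iam::194230256199:root`), which would let every principal in that account, not just the peering user, assume the role; both rows share the account ID, so the user name suffix (`-stage` vs `-prod`) is the only thing distinguishing them. The tutorial hunk in this PR drops a hard-coded `cloud-manager-peering-dev` default that does not appear here; confirm a dev landscape row is intentionally absent rather than missing.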
@@ -62,6 +62,11 @@ Use the following table to identify Cloud Manager principal based on your Kyma l

3. Attach the **CloudManagerPeeringAccess** policy to the **CloudManagerPeeringRole**:

## Required Actions in the Remote Project

Before creating the VPC peering, please tag your AWS account VPC with the Kyma shoot name tag.
For more information, check the [Create Virtual Private Cloud Peering in Amazon Web Services](../tutorials/01-30-10-aws-vpc-peering.md) tutorial.

## Deleting `AwsVpcPeering`

Kyma's underlying cloud provider VPC peering connection is deleted as a part of AwsVpcPeering deletion. The remote VPC
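Review bot: step `3. Attach the **CloudManagerPeeringAccess** policy to the **CloudManagerPeeringRole**:` ends with a colon and the new `## Required Actions in the Remote Project` heading now follows it directly, so the step reads as if the new section were its content; either place the attach command the colon promises before the heading or end the step with a period. The heading says "Remote Project" while the body says "AWS account VPC"; AWS has accounts, not projects, so align the heading with the body. "tag your AWS account VPC with the Kyma shoot name tag" should name the tag key and the expected value (the shoot name), since a reader cannot apply the step without them and the linked tutorial is the only place they could find it. Drop "please" to match the imperative voice of the rest of the doc.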
7 changes: 7 additions & 0 deletions docs/user/resources/04-30-30-azure-vpc-peering.md
@@ -24,6 +24,13 @@ And assign the following Identity and Access Management (IAM) roles to the Cloud
* Classic Network Contributor
* Network Contributor

## Required Actions in the Remote Project

Before creating the VPC peering, please tag your Azure subscription VPC with the Kyma shoot name tag.
For more information, check the [Create Virtual Private Cloud Peering in Microsoft Azure](../tutorials/01-30-30-azure-vpc-peering.md) tutorial.



## Deleting `AzureVpcPeering`

Kyma's underlying cloud provider VPC peering connection is deleted as a part of the AzureVpcPeering deletion. The remote VPC
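Review bot: "tag your Azure subscription VPC" uses AWS terminology; Azure has no VPCs, the resource is a virtual network (VNet), so write "the virtual network in your Azure subscription". As in the AWS counterpart, the heading's "Remote Project" does not match the "subscription" wording in the body, and the tag key and expected value should be stated rather than referred to as "the Kyma shoot name tag". The three blank lines inserted before the `## Deleting` heading should be collapsed to one.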
7 changes: 3 additions & 4 deletions docs/user/tutorials/01-30-10-aws-vpc-peering.md
@@ -16,19 +16,18 @@ This tutorial explains how to create a Virtual Private Cloud (VPC) peering conne
export AWS_REGION={REGION}
```

2. Create a trust policy document.
2. Create a trust policy document. See [AwsVpcPeering Custom Resource](../resources/04-30-10-aws-vpc-peering.md#authorization) to identify Cloud Manager principal:

```shell
export PRINCIPAL_PROFILE_AWS_ACCOUNT_ID=194230256199
export USER_NAME=cloud-manager-peering-dev
export CLOUD_MANAGER_PRINCIPAL={CLOUD_MANAGER_PRINCIPAL}
cat > trust_policy.json <<- EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::$PRINCIPAL_PROFILE_AWS_ACCOUNT_ID:user/$USER_NAME"
"AWS": "$CLOUD_MANAGER_PRINCIPAL"
},
"Action": "sts:AssumeRole"
}
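Review bot: the new link `../resources/04-30-10-aws-vpc-peering.md#authorization` only resolves if that file has an `Authorization` heading; the resource-doc hunk in this PR shows the principal table under the context line `Cloud Manager uses [AssumeRole]...` but no such heading, so confirm it exists or link to the heading that does. `export CLOUD_MANAGER_PRINCIPAL={CLOUD_MANAGER_PRINCIPAL}` expands inside the unquoted heredoc, so a reader who copies the block verbatim writes the literal `{CLOUD_MANAGER_PRINCIPAL}` into `"AWS": "$CLOUD_MANAGER_PRINCIPAL"`, which IAM should reject as a malformed principal; that is an acceptable fail-closed outcome, but the step text should say the value must be the full user ARN from the table (`arn:aws:iam::ACCOUNT_ID:user/NAME`), not a bare user name and not the account root. Removing the hard-coded `cloud-manager-peering-dev` default is correct, since that user is not in the landscape table.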
7 changes: 3 additions & 4 deletions docs/user/tutorials/01-30-30-azure-vpc-peering.md
@@ -16,12 +16,11 @@ This tutorial explains how to create a Virtual Private Cloud (VPC) peering conne
az account set --subscription $SUBSCRIPTION
```

2. Assign the required roles to the Cloud Manager peering service principal:

2. Assign the required roles to the Cloud Manager peering service principal. See [AzureVpcPeering Custom Resource](../resources/04-30-30-azure-vpc-peering.md#authorization) to identify Cloud Manager service principal:
```shell
export SUBSCRIPTION_ID=$(az account show --query id -o tsv)
export PRINCIPAL_NAME=kyma-cloud-manager-peering-stage
export OBJECT_ID=$(az ad sp list --display-name $PRINCIPAL_NAME --query "[].id" -o tsv)
export CLOUD_MANAGER_PRINCIPAL={CLOUD_MANAGER_PRINCIPAL}
export OBJECT_ID=$(az ad sp list --display-name $CLOUD_MANAGER_PRINCIPAL --query "[].id" -o tsv)

az role assignment create --assignee $OBJECT_ID \
--role "Network Contributor" \
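Review bot: `az ad sp list --display-name $CLOUD_MANAGER_PRINCIPAL --query "[].id" -o tsv` matches display-name prefixes, and display names are not unique in Entra ID, so `OBJECT_ID` can come back with several IDs; `az role assignment create --assignee $OBJECT_ID` then either fails or, if one unintended match wins, grants Network Contributor to the wrong service principal. Resolve the principal by a unique identifier instead (`az ad sp show --id` with the application or object ID) or at least abort when the lookup returns more than one line. The variable is named like the AWS one, but here it must be a display name rather than an ARN, so the lead-in sentence should say which identifier the resource doc's `#authorization` section provides (and that anchor must exist in `04-30-30-azure-vpc-peering.md`). The blank line between the step text and the shell fence was also dropped; restore it, or indent the fence under the list item, so the block still renders as part of step 2.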