Configure cloud credentials

Your self-hosted Primary Site needs cloud credentials to import data from Edge Sites. Choose your cloud provider below for configuration steps.

Amazon Web Services (AWS)

Authenticate using IAM Roles associated with service accounts or access key and secret credentials.

Option 1: Service accounts

1. Create your IAM Roles with access to your primary site buckets

2. Set up the EKS OIDC provider for role assumption

3. Edit the Helm chart values.yaml file to enable service accounts and include the the IAM role's Amazon Resource Name (ARN) annotation for each of the deployments in the site.

   For example:

   inboxListener:
     deployment:
       serviceAccount:
         enabled: true
         annotations:
           eks.amazonaws.com/role-arn: arn:aws:iam::xxxxxxxxxxxx:role/foxglove-inbox-listener-sa-role

   Repeat for any of the following sections that are relevant to your site: inboxListener, indexer, queryService, garbageCollector.

Option 2: Access key

Create a cloud-credentials Secret in the foxglove namespace:

apiVersion: v1
kind: Secret
metadata:
  name: cloud-credentials
type: Opaque
stringData:
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  AWS_DEFAULT_REGION: us-west-2

Apply the secret:

kubectl apply -f ./cloud-credentials-secret.yaml -n foxglove

tip

To rotate keys, reapply this file with new values.

Azure

Create an Azure App and Service Principal using the Azure Terraform Example Templates.

You can find your AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET in the Terraform outputs.

If you already have an Azure App configured:

• Navigate to the "App registrations" section of the Azure portal
• Select your app from the list
• Note down the client and tenant IDs
• Create a new secret under "Certificates & secrets"

note

Azure secrets expire after 6 months by default. Update your secrets periodically to avoid service degradation.

With these variables ready, create a cloud-credentials Secret in the foxglove namespace:

apiVersion: v1
kind: Secret
metadata:
  name: cloud-credentials
type: Opaque
stringData:
  AZURE_TENANT_ID: <put tenant id>
  AZURE_CLIENT_ID: <client id>
  AZURE_CLIENT_SECRET: <client secret>

Apply the secret:

kubectl apply -f ./cloud-credentials-secret.yaml -n foxglove

tip

To rotate keys, reapply this file with new values.

Google Cloud Platform (GCP)

To access the storage buckets in GCP:

1. Create a service account with read and write access to the storage buckets
2. Create a key for the service account
3. Download and rename the key to credentials.json
4. Set the secret using kubectl:

kubectl create secret generic gcp-cloud-credential \
  -n foxglove \
  --from-file=./credentials.json

The Primary Site deployment will mount this secret into a volume and read the credentials.json file to initialize the GCP client.

S3-Compatible

Create a cloud-credentials Secret in the foxglove namespace:

apiVersion: v1
kind: Secret
metadata:
  name: cloud-credentials
type: Opaque
stringData:
  S3_COMPATIBLE_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  S3_COMPATIBLE_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  S3_COMPATIBLE_SERVICE_REGION: default
  S3_COMPATIBLE_SERVICE_URL: https://s3-compatible-service:6418

Apply the secret:

kubectl apply -f ./cloud-credentials-secret.yaml -n foxglove

tip

To rotate keys, reapply this file with new values.