Configure cloud credentials
Your self-hosted Primary Site needs cloud credentials to import data from Edge Sites. Choose your cloud provider below for configuration steps.
- Amazon Web Services (AWS)
- Azure
- Google Cloud Platform (GCP)
- S3-Compatible
Amazon Web Services (AWS)
Authenticate using IAM Roles associated with service accounts or access key and secret credentials.
Option 1: Service accounts
- Create your IAM Roles with access to the lake and inbox buckets
- Set up the EKS OIDC provider for role assumption
- Edit the Helm chart's serviceAccount section to add the IAM Role's Amazon Resource Name (ARN) as an annotation for the inboxListener, streamService and garbageCollector services:
serviceAccount:
  enabled: true
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::xxxxxxxxxxxx:role/foxglove-inbox-listener-sa-role
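The role assumption in Option 1 is governed by each IAM Role's trust policy. As an added example (not from the Foxglove documentation), this Python script builds a trust policy scoped to one service account in the foxglove namespace and audits it against a weaker variant. The account ID, OIDC issuer ID and the inbox-listener service account name are constructed placeholders, not values from this page.

```python
NAMESPACE = "foxglove"  # namespace used on this page
# Constructed placeholders (assumptions): account id, OIDC issuer id, service account name.
ISSUER = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE0123456789"
PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"

def trust_policy(string_equals):
    """Build a role trust policy for EKS service-account role assumption."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": string_equals},
    }]}

# Weak: only the audience is checked, so any service account in the cluster qualifies.
WEAK = trust_policy({f"{ISSUER}:aud": "sts.amazonaws.com"})
# Scoped: the subject is pinned to one service account in the foxglove namespace.
SCOPED = trust_policy({
    f"{ISSUER}:aud": "sts.amazonaws.com",
    f"{ISSUER}:sub": f"system:serviceaccount:{NAMESPACE}:inbox-listener",
})

def audit(policy, namespace=NAMESPACE):
    """Return findings for every web-identity statement in a trust policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        principal = stmt.get("Principal")
        fed = principal.get("Federated", "") if isinstance(principal, dict) else ""
        issuer = str(fed).split(":oidc-provider/", 1)[-1]
        cond = stmt.get("Condition", {})
        def values(op, key):  # a condition value may be a string or a list
            v = cond.get(op, {}).get(f"{issuer}:{key}", [])
            return [v] if isinstance(v, str) else list(v)
        subs = values("StringEquals", "sub") + values("StringLike", "sub")
        if not subs:
            findings.append("sub is not constrained")
        for sub in subs:
            if not sub.startswith(f"system:serviceaccount:{namespace}:") or "*" in sub:
                findings.append(f"sub too broad: {sub}")
        if values("StringEquals", "aud") != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com")
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK), "| scoped:", audit(SCOPED))
```

Run `audit` on the `AssumeRolePolicyDocument` of each role before adding its ARN to the Helm values; an empty list means the role can only be assumed by a named service account in the foxglove namespace.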
Option 2: Access key
Create a cloud-credentials Secret in the foxglove namespace:
apiVersion: v1
kind: Secret
metadata:
  name: cloud-credentials
type: Opaque
stringData:
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  AWS_DEFAULT_REGION: us-west-2
Apply the secret:
kubectl apply -f ./cloud-credentials-secret.yaml -n foxglove
To rotate keys, reapply this file with new values.
Azure
Create a cloud-credentials Secret in the foxglove namespace:
apiVersion: v1
kind: Secret
metadata:
  name: cloud-credentials
type: Opaque
stringData:
  AZURE_TENANT_ID: tenant-id
  AZURE_CLIENT_ID: client-id
  AZURE_CLIENT_SECRET: f02f3819-b046-4c9d-a5e8-853f16e5c687
  AZURE_INBOX_STORAGE_SERVICE_URL: ...
  AZURE_INBOX_STORAGE_ACCOUNT_NAME: ...
Apply the secret:
kubectl apply -f ./cloud-credentials-secret.yaml -n foxglove
To rotate keys, reapply this file with new values.
Google Cloud Platform (GCP)
To access the storage buckets in GCP:
- Create a service account with read and write access to the storage buckets
- Create a key for the service account
- Download and rename the key to credentials.json
- Set the secret using kubectl:
kubectl create secret generic gcp-cloud-credential \
  -n foxglove \
  --from-file=./credentials.json
The Primary Site deployment will mount this secret into a volume and read the credentials.json file to initialize the GCP client.
S3-Compatible
Create a cloud-credentials Secret in the foxglove namespace:
apiVersion: v1
kind: Secret
metadata:
  name: cloud-credentials
type: Opaque
stringData:
  S3_COMPATIBLE_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  S3_COMPATIBLE_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  S3_COMPATIBLE_SERVICE_REGION: default
  S3_COMPATIBLE_SERVICE_URL: https://s3-compatible-service:6418
Apply the secret:
kubectl apply -f ./cloud-credentials-secret.yaml -n foxglove
To rotate keys, reapply this file with new values.