Configure cloud credentials
Self-hosted Primary Sites need additional cloud credentials to import data from its corresponding Foxglove Edge Sites.
Google Cloud Platform (GCP)
To access the strage buckets in GCP we will need to create a service account and configure the primary site to use the credentials of that account.
- Create a service account to give read and write access to the storage buckets in GCP.
- Create a key for the service account
- Download and rename the key to
credentials.json
- Use the
kubectl
command to set the secret from the existingcredentials.json
file.
kubectl create secret generic gcp-cloud-credential \
-n foxglove \
--from-file=./credentials.json
The Primary Site deployment will mount this secret into a volume and read the credentials.json
file to initialize the GCP client.
Amazon Web Services (AWS)
Authenticate using IAM Roles associated with service accounts or access key and secret credentials.
Service accounts
Create your IAM Roles
in AWS to have appropriate access to the lake
and inbox
buckets. Set up the EKS OIDC provider
to allow the roles assumed by the services.
Edit the serviceAccount
section in the Helm chart, and add the IAM Role's Amazon Resource Name (ARN) as annotation for
the inboxListener
, streamService
and garbageCollector
services:
serviceAccount:
enabled: true
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::xxxxxxxxxxxx:role/foxglove-inbox-listener-sa-role
Access key
Install a Secret named
cloud-credentials
into the foxglove
namespace. This secret should contain the credentials for your AWS key:
Check out the following example secret configuration file:
apiVersion: v1
kind: Secret
metadata:
name: cloud-credentials
type: Opaque
stringData:
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_DEFAULT_REGION: us-west-2
To rotate these keys, reapply this file with new values.
Example application of a secrets file:
kubectl apply -f ./cloud-credentials-secret.yaml -n foxglove
S3-Compatible
The configuration is similar to AWS, but requires the addition of a service URL and uses different environment variable names.
Install a Secret named
cloud-credentials
into the foxglove
namespace. This secret should contain the credentials for your AWS key:
Check out the following example secret configuration file:
apiVersion: v1
kind: Secret
metadata:
name: cloud-credentials
type: Opaque
stringData:
S3_COMPATIBLE_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
S3_COMPATIBLE_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
S3_COMPATIBLE_SERVICE_REGION: default
S3_COMPATIBLE_SERVICE_URL: https://s3-compatible-service:6418
Example application of a secrets file:
kubectl apply -f ./cloud-credentials-secret.yaml -n foxglove
Azure
Install a Secret named
cloud-credentials
into the foxglove
namespace. This secret should contain the credentials for your Azure account:
Check out the following example secret configuration file:
apiVersion: v1
kind: Secret
metadata:
name: cloud-credentials
type: Opaque
stringData:
AZURE_TENANT_ID: tenant-id
AZURE_CLIENT_ID: client-id
AZURE_CLIENT_SECRET: f02f3819-b046-4c9d-a5e8-853f16e5c687
AZURE_INBOX_STORAGE_SERVICE_URL: ...
AZURE_INBOX_STORAGE_ACCOUNT_NAME: ...
Example application of a secrets file:
kubectl apply -f ./cloud-credentials-secret.yaml -n foxglove