Skip to main content

Cloud Credentials

caution

The Ash Console is currently in beta and not production-ready. It is under active development and subject to breaking changes.

The Ash Console is a PaaS that allow you to deploy resources into your own cloud accounts/subscriptions/projects. To do so, you need to provide the Console with appropriate credentials.

Create cloud credentials​

caution

The Ash Console needs some high privileges to deploy resources into your cloud accounts/subscriptions/projects. We recommend you to create a dedicated account/subscription/project for the Console.

Check with your internal security team if you have any doubt.

The Ash Console needs specific permissions to deploy resources into your AWS account. We will create a custom policy and assign it to a new user.

Create a custom policy with limited permissions

Navigate to AWS IAM/Policies and create a new policy:

  1. Switch the editor to JSON mode and replace the content with the following JSON:

    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Sid": "AshConsoleEC2Actions",
    "Effect": "Allow",
    "Action": [
    "ec2:AssociateIamInstanceProfile",
    "ec2:AttachVolume",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:CreateSecurityGroup",
    "ec2:CreateTags",
    "ec2:CreateVolume",
    "ec2:DeleteSecurityGroup",
    "ec2:DeleteVolume",
    "ec2:DescribeAccountAttributes",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeIamInstanceProfileAssociations",
    "ec2:DescribeInstances",
    "ec2:DescribeInstanceTypeOfferings",
    "ec2:DescribeInstanceTypes",
    "ec2:DescribeInternetGateways",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeRouteTables",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSpotPriceHistory",
    "ec2:DescribeSubnets",
    "ec2:DescribeVolumes",
    "ec2:DescribeVpcs",
    "ec2:DetachVolume",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:RunInstances",
    "ec2:TerminateInstances"
    ],
    "Resource": "*"
    },
    {
    "Sid": "AshConsoleIAMActions",
    "Effect": "Allow",
    "Action": [
    "iam:AddRoleToInstanceProfile",
    "iam:CreateInstanceProfile",
    "iam:CreateRole",
    "iam:DeleteInstanceProfile",
    "iam:DeleteRole",
    "iam:DeleteRolePolicy",
    "iam:GetInstanceProfile",
    "iam:GetRole",
    "iam:ListInstanceProfiles",
    "iam:ListRolePolicies",
    "iam:ListRoles",
    "iam:PassRole",
    "iam:PutRolePolicy",
    "iam:RemoveRoleFromInstanceProfile"
    ],
    "Resource": "*"
    },
    {
    "Sid": "AshConsoleSSMActions",
    "Effect": "Allow",
    "Action": [
    "ssm:ListInstanceAssociations",
    "ssm:UpdateInstanceInformation"
    ],
    "Resource": "*"
    }
    ]
    }
  2. Click on Next

  3. Review and create:

    • Name: AshConsole
  4. Click on Create policy

    AshConsole policy

Create a user and assign the custom policy

  1. Navigate to AWS IAM/Users and create a new user:

    1. User details:
      • User name: ash-console-creds-01
    2. Click on Next
    3. Set permissions:
      • Permissions options: Attach policies directly
      • Permissions policies: AshConsole
    4. Click on Next
    5. Click on Create user

    AshConsole user

  2. Go to the newly created user interface IAM/Users/ash-console-creds-01

    1. Navigate to the Security credentials tab
    2. Click on Create access key under Access keys
    3. Select the Other use case
    4. Set description tag: ash-console-access-key-01

    AshConsole access key

    1. Save the Access key and Secret access key somewhere safe

Add cloud credentials to the Console as a secret​

From the Ash Console project overview page, navigate to the Secrets tab:

  • Click on the Create Secret button.
  • Select the Amazon Web Services secret type.
  • Pick a name for your secret, e.g., my-aws-credentials.
  • Paste the Access and Secret keys generated in the previous step.
  • Click on the Create button.

Ash Console AWS secret create

You can now use the secret upon cloud region addition to a project!