Login to Cloud

AWS

AWS Account

Create an AWS account if you don’t have one, then login to AWS.

Please refer to Creating an AWS account for instructions.

Authentication to AWS CLI

First, install AWS CLI (command line interface) on your working machine. Please refer to Installing AWS CLI for detailed instructions.

After AWS CLI is installed, you need to configure AWS CLI about credentials. The quickest way to configure it is to run aws configure command, and you can refer to Managing access keys to get AWS Access Key ID and AWS Secret Access Key.

More details for AWS CLI can be found in AWS CLI getting started.

Azure

Azure Account

Create an Azure account if you don’t have one, then login to Microsoft Azure portal to get Subscription ID of your account.

Please refer to Creating an Azure account for instructions.

Authentication to Azure CLI

After CloudTik is installed on your working machine, login to Azure using az login. Refer to Signing in with Azure CLI for more details.

GCP

Google Cloud Account

Created a Google Cloud account if you don’t have one, then login to GCP.

Please refer to Creating a GCP account for instructions.

Creating a Google Cloud Project

Google Cloud projects form the basis for creating, enabling, and using all Google Cloud services. Create a project within your Google Cloud account.

Please refer to Creating projects for instructions.

Authentication calls to Google Cloud APIs

User have two options to authenticate to Google Cloud.

  • Authenticate with service account

  • Authenticate with user account

Please refer to Authentication Principal for detailed information as to these two methods.

Authenticate with Service Account

First, follow Creating a service account to create a service account on Google Cloud.

To use the service account through API, you need a service account key. Refer to Create and manage service account keys for details.

A JSON key file should be safely downloaded to your local computer, and then set the GOOGLE_APPLICATION_CREDENTIALS environment variable as described in the Setting the environment variable on your working machine.

Authenticate with user account

If you have a user account with the right permissions, You can authenticate using gcloud command. After you have authenticated, You need to configure credentials in the workspace configuration file or cluster configuration file with OAuth token information.

After you authenticated using gcloud, you can find a file named “adc.json” in ~/.config/gcloud/legacy_credentials/your_account_name folder. Using the information from this file, you can configure workspace configuration file or cluster configuration file as following:

# Cloud-provider specific configuration.
provider:
    type: gcp
    region: us-central1
    availability_zone: us-central1-a
    project_id: your_project_id
    # Use allowed_ssh_sources to allow SSH access from your client machine
    allowed_ssh_sources:
      - 0.0.0.0/0
    gcp_credentials:
        type: oauth_token
        credentials:
            token: nil
            client_id: "your_client_id"
            client_secret: "your_client_secret"
            token_uri: https://oauth2.googleapis.com/token
            refresh_token: "your_refresh_token"

Alibaba Cloud

CloudTik will try a few credentials options and use them automatically if one of them is found.

  • Environment variables for access key id and secret

  • CloudTik configuration file

  • Alibaba Cloud API Configuration file

Please note that Aliyun CLI login credentials will not be used by CloudTik.

Environment variables

The simple way to set up Alibaba Cloud credentials for CloudTik use is to export the access key ID and access key secret of your cloud account:

export ALIBABA_CLOUD_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxxxxxx
export ALIBABA_CLOUD_ACCESS_KEY_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

CloudTik configuration file

You can specify the access key id and secret in CloudTik workspace or cluster configuration file.

For example,

# Cloud-provider specific configuration.
provider:
    type: aliyun
    region: cn-shanghai
    aliyun_credentials:
        aliyun_access_key_id: your-access-key-id
        aliyun_access_key_secret: your-access-key-secret

or with the optional security token for STS authentication,

# Cloud-provider specific configuration.
provider:
    type: aliyun
    region: cn-shanghai
    aliyun_credentials:
        aliyun_access_key_id: your-access-key-id
        aliyun_access_key_secret: your-access-key-secret
        aliyun_security_token: your-security-token

Alibaba Cloud API Configuration file

You can also use a configuration file to cover many other cases.

Please refer to Configure credentials: Configuration file section for more details.

Kubernetes

If you are running CloudTik on a generic Kubernetes cluster, the authentication setup is simple. You just need to authenticate your kubectl at your working machine to be able to access the Kubernetes cluster.

AWS EKS

If you are running CloudTik on AWS EKS, CloudTik has more integration with AWS EKS so that your CloudTik cluster running on EKS can access the S3 storage with IAM CloudTik workspace IAM roles.

You need not only to authenticate your kubectl at your working machine to be able to access the Kubernetes cluster, but also setup your AWS credentials following the steps in AWS section above.

Instead of setting the cloud provider configurations at ‘provider” section, for EKS, you set the cloud provider configurations at ‘cloud_provider’ section under ‘provider’ configuration key, For example,

# Kubernetes provider specific configurations
provider:
    type: kubernetes

    # Cloud-provider specific configuration.
    cloud_provider:
        type: aws
        region: us-west-2
        eks_cluster_name: your-eks-cluster
        managed_cloud_storage: True

GCP GKE

If you are running CloudTik on GCP GKE, CloudTik has more integration with GCP GKE so that your CloudTik cluster running on GKE can access the GCS storage with IAM CloudTik workspace roles.

You need not only to authenticate your kubectl at your working machine to be able to access the Kubernetes cluster, but also setup your GCP credentials following the steps in GCP section above.

Instead of setting the cloud provider configurations at ‘provider” section, for GKE, you set the cloud provider configurations at ‘cloud_provider’ section under ‘provider’ configuration key, For example,

# Kubernetes provider specific configurations
provider:
    type: kubernetes

    # Cloud-provider specific configuration.
    cloud_provider:
        type: gcp
        region: us-central1
        project_id: your_gcp_project_id
        managed_cloud_storage: True

Azure AKS

If you are running CloudTik on Azure AKS, CloudTik has more integration with Azure AKS so that your CloudTik cluster running on AKS can access the Azure data lake storage with managed user identities of CloudTik workspace.

You need not only to authenticate your kubectl at your working machine to be able to access the Kubernetes cluster, but also setup your Azure credentials following the steps in Azure section above.

Instead of setting the cloud provider configurations at ‘provider” section, for AKS, you set the cloud provider configurations at ‘cloud_provider’ section under ‘provider’ configuration key, For example,

# Kubernetes provider specific configurations
provider:
    type: kubernetes

    # Cloud-provider specific configuration.
    cloud_provider:
        type: azure
        location: eastus
        subscription_id: your-subscription-id
        aks_resource_group: your-aks-resource-group
        aks_cluster_name: your-aks-cluster
        managed_cloud_storage: True