Infrastructure & Permissions for e6data
Required Infrastructure
The following infrastructure required to run e6data must be created before setup:
Azure Storage Account and a blob Container
Required Permissions
App registration with specified permissions for e6data control plane to access the AKS cluster and other components to manage endpoints(add link for e6data endpoints here).
Managed identity for the e6data engine to access the query data.
Azure Storage Account and a blob Container
An Azure Storage Account with a Blob container is required to store data necessary for the operation of the e6data workspace, including service logs, query results, state information, and other operational data.
Steps to create these resources using Azure CLI:
Set up variables:
Create the Azure Storage Account:
Create the Blob container within the Storage Account:
After running these commands:
You will have a Storage Account named
e6dataworkspace<random_string>
.Within this Storage Account, there will be a private Blob container named
e6data-workspace-data
.This container can be used to store all the necessary data for your e6data workspace operations.
Required Permissions
Required Azure Permissions for e6data Control Plane
To enable proper functioning of the e6data control plane with Azure Kubernetes Service (AKS), the following permissions are required:
AKS Cluster Access:
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
"Microsoft.ContainerService/managedClusters/read"
These permissions allow secure access to the AKS cluster by obtaining the necessary kubeconfig file.
Network Resource Access:
"Microsoft.Network/loadBalancers/read"
"Microsoft.Network/publicIPAddresses/read"
These permissions grant read access to load balancers and public IP addresses, which is essential for creating e6data endpoints.
Implementation: To acquire these permissions, create an Azure App Registration. Use the App Registration's client ID and secret to authenticate and gain the required access. This approach ensures secure and controlled access to the necessary Azure resources for e6data operations.
Create an Azure AD application:
Create an Azure AD application password:
Create an Azure AD service principal:
Assign Storage Blob Data Contributor role to the service principal:
Create a custom role for AKS credentials:
Create custom role for load balancer and public IP:
Assign custom AKS role to the service principal:
Assign custom load balancer role to the service principal:
Remember to replace placeholders like $WORKSPACE_NAME
, $RANDOM_STRING
, $RESOURCE_GROUP_NAME
, and $AKS_CLUSTER_NAME
with your actual values.
These steps create an Azure AD application, service principal, custom roles, and necessary role assignments as described in your Terraform configuration. Note that some of these operations, especially those involving custom role creation and assignment, may require elevated permissions in your Azure AD and subscription.
Creating User-Assigned Managed Identity for e6data Engine's Blob Storage Access
This setup allows the e6data engine to securely access blob storage using Azure's managed identity, without the need for storing credentials within the pods. The Workload Identity feature in AKS facilitates the seamless use of the managed identity by the e6data engine, ensuring secure and efficient data access for querying purposes. The e6data engine requires specific access roles for different storage accounts:
Log Storage Account:
Role: "Storage Blob Data Contributor"
Purpose: Allows e6data to write and manage logs in the dedicated storage account created to store data required to operate the e6data workspace.
Data Storage Accounts:
Role: "Storage Blob Data Reader"
Purpose: Enables e6data to read data from the storage accounts containing the data buckets on which queries are executed.
Please follow the below steps on how to do it:
Create a user-assigned managed identity:
Create a federated identity credential:
Assign Storage Blob Data Reader role to the managed identity for each container:
Assign Storage Blob Data Contributor role to the managed identity for the e6data managed storage account:
Before running these commands, make sure to replace the following placeholders with your actual values:
WORKSPACE_NAME
RANDOM_STRING
RESOURCE_GROUP_NAME
LOCATION
TAGS
AKS_CLUSTER_NAME
KUBERNETES_NAMESPACE
DATA_STORAGE_ACCOUNT_NAME
DATA_STORAGE_ACCOUNT_RG
LIST_OF_CONTAINERS
(this should be an array of container names)
These steps will create an user-assigned managed identity, a federated credential for AKS workload identity, and assign the necessary roles to access storage accounts and containers.
KEY VAULT ACCESS FOR THE akv2k8s tool
This is required for the akv2k8s tool to access the Key Vault and retrieve the certificate necessary for TLS and Gateway connectivity.
Here are the steps to assign the "Key Vault Certificate User" role to your AKS cluster's kubelet identity using the Azure CLI:
Step-by-Step Guide
Log in to Azure:
Set your subscription:
Replace <your-subscription-id>
with your Azure subscription ID.
Get the Key Vault ID:
Replace <keyvault-name>
and <resource-group-name>
with your Key Vault name and resource group name. This will retrieve the Key Vault's ID.
Save the output, as you will need it for the --scope
parameter.
Get the kubelet identity's principal ID:
Replace <aks-cluster-name>
and <resource-group-name>
with your AKS cluster name and resource group name. This will retrieve the kubelet identity's principal ID.
Save the output, as you will need it for the --assignee
parameter.
Assign the "Key Vault Certificate User" role:
Replace <keyvault-id>
and <principal-id>
with the values retrieved in the previous steps.
Last updated