Cloud Integration

Add your Amazon Web Services account

It is recommended that you create a new IAM role to integrate with TrueFoundry:

  1. Open your AWS IAM console and create an IAM role with assume-role access and the following permissions. You can also create a user and provide an AWS access key and secret, but this is not recommended.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:ListNodegroups",
        "eks:DescribeFargateProfile",
        "eks:ListTagsForResource",
        "eks:DescribeInsight",
        "eks:ListAddons",
        "eks:DescribeAddon",
        "eks:DescribePodIdentityAssociation",
        "eks:ListInsights",
        "eks:ListPodIdentityAssociations",
        "eks:ListFargateProfiles",
        "eks:DescribeNodegroup",
        "eks:ListUpdates",
        "eks:DescribeUpdate",
        "eks:AccessKubernetesApi",
        "eks:DescribeCluster"
      ],
      "Resource": [
        "arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:fargateprofile/CLUSTER_NAME/*/*",
        "arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:addon/CLUSTER_NAME/*/*",
        "arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:nodegroup/CLUSTER_NAME/*/*",
        "arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:podidentityassociation/CLUSTER_NAME/*",
        "arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:identityproviderconfig/CLUSTER_NAME/*/*/*",
        "arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:cluster/CLUSTER_NAME"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeAddonConfiguration",
        "eks:ListClusters",
        "eks:DescribeAddonVersions",
        "ec2:DescribeRegions"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
  2. Navigate to your TrueFoundry Integrations page and open the Cloud Accounts tab.
  3. Click on New Cloud Account and select AWS as the provider.
  4. Enter the ARN of the IAM role you created into the TrueFoundry cloud account form.

📘

Note:

You can edit the integration at any time to update the secrets if required. If the new secrets do not have permission to manage existing clusters, you will be unable to manage those clusters from TrueFoundry.

  1. Navigate to the Clusters tab and click Configure cloud account for your cluster.
  2. Select the AWS EKS cluster name along with the added cloud account and submit.
  3. Sync your cluster by clicking the Sync button for your cloud account. This will sync cluster details and all its node pools.
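
Before attaching the policy from step 1 to the role, it helps to confirm that every placeholder was filled in and that the wildcard-resource statement carries only read actions. The following is an added example, not TrueFoundry's code: the policy is a constructed excerpt of the one above, the sample region, account ID and cluster name are made up, and treating `Describe*`/`List*`/`Get*` as read-only is a heuristic assumed here.

```python
import json
import re

# Constructed excerpt of the policy above: one scoped and one wildcard statement.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["eks:DescribeCluster", "eks:ListNodegroups", "eks:AccessKubernetesApi"],
     "Resource": ["arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:cluster/CLUSTER_NAME",
                  "arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:nodegroup/CLUSTER_NAME/*/*"]},
    {"Effect": "Allow",
     "Action": ["eks:ListClusters", "eks:DescribeAddonVersions", "ec2:DescribeRegions"],
     "Resource": ["*"]}
  ]
}"""

PLACEHOLDERS = ("AWS_REGION", "AWS_ACCOUNT_ID", "CLUSTER_NAME")
# Heuristic (an assumption of this example): Describe*/List*/Get* are read-only.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|List|Get)[A-Za-z]*$")


def as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def render_policy(template, region, account_id, cluster):
    """Substitute the three placeholders, then parse strictly as JSON."""
    for name, value in zip(PLACEHOLDERS, (region, account_id, cluster)):
        template = template.replace(name, value)
    return json.loads(template)  # rejects trailing commas and other syntax errors


def audit_policy(policy):
    """Return (level, message) findings; 'error' findings should block rollout."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        actions, resources = as_list(stmt["Action"]), as_list(stmt["Resource"])
        for res in resources:
            if any(p in res for p in PLACEHOLDERS):
                findings.append(("error", f"statement {i}: unresolved placeholder in {res}"))
        non_read = [a for a in actions if not READ_ONLY.match(a)]
        if non_read and "*" in resources:
            findings.append(("error", f"statement {i}: non-read action(s) on '*': {non_read}"))
        elif non_read:
            findings.append(("note", f"statement {i}: scoped non-read action(s) {non_read}"))
    return findings
```

Call `render_policy` with your region, account ID and cluster name, then pass the result to `audit_policy`; a `note` on `eks:AccessKubernetesApi` is expected because that action is not a plain describe or list call, but it stays scoped to the named cluster.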

Add your Google Cloud Platform account

We recommend you create a new service account to integrate with TrueFoundry:

  1. Open your GCP console, navigate to IAM and admin in your project, and open the service accounts page.
  2. Create a new service account:
    1. Add a name and description, click Create, and continue.
    2. Add roles with the required permissions: the standard Google roles service account user and Kubernetes engine admin contain all the required permissions.
    3. Select the new service account and go to the keys page. Create a new key and download the keyfile.json.
  3. Navigate to your TrueFoundry Integrations page and open the Cloud Accounts tab.
  4. Click on New Cloud Account and select Google Cloud Platform (GCP) as the provider.
  5. Copy and paste the contents of your keyfile.json and Google project ID. Submit to add the Cloud Account.

📘

Note:

You can edit the integration at any time to update the keyfile.json and Google project ID, if required. If you change the Google project while there are still TrueFoundry clusters on it, you will be unable to manage those clusters from TrueFoundry.

  1. Navigate to the Clusters tab and click Configure cloud account for your cluster.
  2. Select the GKE cluster name along with the added cloud account and submit.
  3. Sync your cluster by clicking the Sync button for your cloud account. This will sync cluster details and all its node pools.

Add your Microsoft Azure account

It is recommended that you create a new Azure Active Directory application to integrate with TrueFoundry:

  1. Open the Azure Portal and navigate to Azure Active Directory.
  2. Register a new application with Azure AD from the add menu, or from the app registrations page. Copy the directory (tenant) ID and the application (client) ID to the TrueFoundry form.
  3. Go back to your application overview and open the certificates and secrets page. Create a new client secret, and copy the secret value (not the secret ID) to TrueFoundry.
  4. Navigate to the Kubernetes service and select your AKS cluster.
  5. Open access control (IAM) and add a new role assignment to the subscription. Select the Reader role from Job function roles, and then add your Active Directory application as a member.
  6. Navigate to your TrueFoundry Integrations page and open the Cloud Accounts tab.
  7. Click on New Cloud Account and select Azure as the provider.
  8. Enter the Tenant ID, Client ID, Client secret and Subscription ID into the TrueFoundry cloud account form.

📘

Note:

You can edit the integration at any time to update the secrets if required. If the new secrets do not have permission to manage existing clusters, you will be unable to manage those clusters from TrueFoundry.

  1. Navigate to the Clusters tab and click Configure cloud account for your cluster.
  2. Select the Azure AKS cluster name along with the added cloud account and submit.
  3. Sync your cluster by clicking the Sync button for your cloud account. This will sync cluster details and all its node pools.
