v1

Cloud Providers /

Amazon Web Services: add your account to Northflank

To add your Amazon Web Services account to Northflank, navigate to the clusters page in your account settings and create a new integration.

Click here to create a new AWS integration.

You must have sufficient resource quotas available in your AWS account to deploy a cluster using Northflank.

Generate and view required permissions

When you create your AWS account integration you can select the features you want to use with Northflank, such as custom VPC and static egress. Additional features may require extra permissions.

After selecting the features you want to use you can review the required permissions in a table, or the entire inline policy as JSON, and copy it to your clipboard.

You can check existing integrations have all the necessary permissions by opening an integration from your team's clusters page and clicking verify all permissions.

You can view the inline policy required for Northflank to set up a cluster on AWS with a custom VPC and static egress below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Northflank",
      "Effect": "Allow",
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssociateRouteTable",
        "ec2:CreateNatGateway",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:DeleteNatGateway",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSubnet",
        "ec2:DescribeAddresses",
        "ec2:DescribeNatGateways",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DisassociateRouteTable",
        "ec2:ReleaseAddress",
        "eks:AssociateAccessPolicy",
        "eks:CreateAccessEntry",
        "eks:CreateAddon",
        "eks:CreateCluster",
        "eks:CreateNodegroup",
        "eks:DeleteAccessEntry",
        "eks:DeleteAddon",
        "eks:DeleteCluster",
        "eks:DeleteNodegroup",
        "eks:DescribeAccessEntry",
        "eks:DescribeAddon",
        "eks:DescribeCluster",
        "eks:DescribeNodegroup",
        "eks:DescribeUpdate",
        "eks:DisassociateAccessPolicy",
        "eks:ListAccessEntries",
        "eks:ListAccessPolicies",
        "eks:ListAddons",
        "eks:ListAssociatedAccessPolicies",
        "eks:ListClusters",
        "eks:ListIdentityProviderConfigs",
        "eks:ListInsights",
        "eks:ListNodegroups",
        "eks:ListTagsForResource",
        "eks:ListUpdates",
        "eks:TagResource",
        "eks:UntagResource",
        "eks:UpdateAccessEntry",
        "eks:UpdateAddon",
        "eks:UpdateClusterConfig",
        "eks:UpdateClusterVersion",
        "eks:UpdateNodegroupConfig",
        "eks:UpdateNodegroupVersion",
        "iam:AttachRolePolicy",
        "iam:CreateOpenIDConnectProvider",
        "iam:CreateRole",
        "iam:CreateServiceLinkedRole",
        "iam:DeleteOpenIDConnectProvider",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetOpenIDConnectProvider",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:SimulatePrincipalPolicy",
        "iam:TagOpenIDConnectProvider",
        "iam:TagRole"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Add your Amazon account with a cross-account role

It is recommended that you use a cross-account role to integrate your AWS account with Northflank. This method is more secure, as Northflank doesn't store a long-term secret but rather requests a new token every time account access is required.

To integrate AWS with a cross-account role:

  1. Navigate to your Northflank account settings and open the clusters page
  2. Create a new cloud provider integration and select Amazon Web Services as the provider
  3. Select Amazon Web Services as the provider and choose the features you want to use with Northflank. Select cross account role as the credential method and copy the custom trust policy.
  4. Open your AWS IAM console and open the roles page
  5. Create a new role, select custom trust policy and paste in the trust policy from Northflank. Skip the remaining steps, name and save the role.
  6. Return to Northflank and review the permissions required for your integration. Copy the AWS inline policy and return to your AWS console.
  7. Find your new AWS IAM role in the list on the roles page, open it, click add permissions, and select create inline policy. Paste in and save the inline policy you copied from Northflank.
  8. Copy the IAM role ARN to Northflank and create the integration

You can now configure and deploy new clusters in your AWS account. You can update your integration with a new shared secret and IAM role ARN. If this role does not have permission to manage existing clusters, you will be unable to edit those clusters and deleting them via AWS may leave orphaned resources.

Add your Amazon account with an IAM user

You can add your account to Northflank by providing the access and secret keys for an IAM user with the required permissions. This is a legacy method, it is recommended that you instead integrate using a cross-account role.

To add your AWS account to Northflank with an IAM user:

  1. Navigate to your Northflank account settings and open the clusters page
  2. Create a new cloud provider integration
  3. Select Amazon Web Services as the provider and choose the features you want to use with Northflank
  4. Review the required permissions and copy the AWS inline policy
  5. Open your AWS IAM console , open the users page and create a new user without console access. Skip the remaining steps and save the user.
  6. In the new user click add permissions and select create inline policy. Paste in and save the inline policy you copied from Northflank.
  7. Open security credentials in your new user and click create access key. Select the third-party service use case and click next. Enter a description that will help you recognise your key (e.g. Northflank BYOC) and create access key.
  8. Enter the access key and secret key for the user you created into the Northflank integration form and create the integration

You can edit the integration at any time to update the secrets, if required. If the new secrets do not have permission to manage existing clusters, you will be unable to edit those clusters and deleting them via AWS may leave orphaned resources.

© 2024 Northflank Ltd. All rights reserved.