Platform access
You can find "Platform access" in the top "Security" menu, when a project is selected.
This is where you'll store all your accesses to your cloud platforms. These secrets can then be used to create your environments. Your secrets are securely stored within LayerOps.
One of the special characteristics of LayerOps is that we use your cloud platform accounts directly. LayerOps doesn't charge for resource usage; you get the real price of your consumption directly from your cloud providers.
3DS Outscale
To generate access keys, please follow the official documentation on 3DS outscale documentation.
Once you have Access Key ID
and Secret Key
, you can create your platform access secret.
AWS
Follow this documentation to create a new user on your AWS account and next create a dedicated policy for this user.
Provide user access to the AWS Management Console
Here's the recommended policy to assign to the new user on AWS:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAccountAttributes",
"iam:GetUser"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAddresses",
"ec2:DescribeAddressesAttribute",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcs"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AllocateAddress",
"ec2:AssignPrivateNatGatewayAddress",
"ec2:AssociateNatGatewayAddress",
"ec2:AssociateRouteTable",
"ec2:AttachInternetGateway",
"ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CopyImage",
"ec2:CreateInternetGateway",
"ec2:CreateKeyPair",
"ec2:CreateNatGateway",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateVpc",
"ec2:RunInstances",
"ec2:StartInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteInternetGateway",
"ec2:DeleteKeyPair",
"ec2:DeleteNatGateway",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DeleteVpc",
"ec2:DeregisterImage",
"ec2:DisassociateNatGatewayAddress",
"ec2:DisassociateRouteTable",
"ec2:DetachInternetGateway",
"ec2:DetachVolume",
"ec2:ImportKeyPair",
"ec2:ModifyVpcAttribute",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:UnassignPrivateNatGatewayAddress"
],
"Resource": "*",
"Condition": {
"StringEqualsIfExists": {
"ec2:ResourceTag/CreatedBy": "user"
}
}
}
]
}
To generate access keys for your new layerops user, please follow the official documentation on AWS documentation.
Once you have Access Key ID
and Secret Key
, you can create your platform access secret.
Azure
Get your Subscription ID
Navigate to your Azure portal, on subscrition page
You will find on this page all subscriptions activated on your account. Select once you want to use and note the Subscription ID
Create an application in Azure Active Directory
Navigate to Microsoft Entra portal
- select in bar menu Applications
- select the App Registration
- Click the New registration button at the top to add a new Application, and specify
- Name - this is a friendly identifier and can be anything (e.g. "LayerOps-Creds")
- Supported Account Types - this should be set to "Accounts in this organizational directory only (single-tenant)"
- Redirect URI - Value can be left blank
To retrieve Application informations, navigate to this Microsoft AAD IAM Section
- Click on on the Applicate named in previous step
You'll need to take note of the "Application (client) ID" and the "Directory (tenant) ID", which you can use for the values of
- Application (client) ID
- Tenant ID respectively.
Generating a Client Secret
- select Certificates & secrets
- generate a new Client Secret
- enter a description
- selecting an Expiry Date
- click on Add
Granting the Application access
Navigate to your Azure Subscription Blade
- select the subscription
- click Access Control (IAM)
- Add > Add role assignment.
- specify a Role which grants the appropriate permissions needed (ex: Contributor will grant Read/Write on all resources in the Subscription)
Google Cloud Platform
Follow this documentation to create a service account and get your credentials as JSON file.
To let LayerOps create and manage GCP resources, select the role Compute Admin
.
Once you have retrieved the JSON file, you can create your platform access secret and upload this file.
LXD
To access to a remote LXD server, you need to generate a token on the remote server, that will be used by layerops to create a trusted certificate. See this documentation for more details
Call lxc config trust add on the remote server to create the token.
Then fill in the form in layerops ui with the remote serveur URL and the generated token.