Run on AWS
Prerequisites
- EKS cluster with at least 2GB/2CPU allocatable
Overview
The purpose of this doc is to provide a set of instructions to deploy Speakeasy in your own infrastructure. This doc currently assumes Speakeasy is being deployed on EKS. A Terraform module for automated deployment is coming soon!
Deploying on AWS
Create a Speakeasy IAM role
If using CloudSQL or BigQuery, the Speakeasy API Platform uses a service account to interact with these resources in your Google Cloud project. Follow the instructions to attach the appropriate roles to your Google service account if using either of these services. To manage access of this service account in GCP from your AWS account we will:
1. Create an identity pool and provider: Head to Workload Identity Federation under Google Cloud IAM. I gave it the name aws-identity-pool. Next, add a provider to the pool, setting the provider name as aws and the provider ID as aws-provider, with the AWS account ID for the binding.
2. Under Google Cloud IAM, there is a Service accounts section. Create a new service account and add the Workload Identity User role (roles/iam.workloadIdentityUser) to it. I gave it the name gcp-aws-identity.
3. Create a new AWS IAM Role with the trusted entity set to an EKS cluster.
4. Create an EKS cluster with the newly created Role.
5. Bind the AWS Workload Identity with the Role ARN to the GCP service account.
Run the following command from Google Cloud Shell or any authenticated environment, replacing GCP_ACCOUNT_ID, AWS_ACCOUNT_ID and GCP_PROJECT with your own values.
gcloud iam service-accounts add-iam-policy-binding gcp-aws-identity@[GCP_PROJECT].iam.gserviceaccount.com --role=roles/iam.workloadIdentityUser --member="principalSet://iam.googleapis.com/projects/[GCP_ACCOUNT_ID]/locations/global/workloadIdentityPools/aws-identity-pool/attribute.aws_role/arn:aws:sts::[AWS_ACCOUNT_ID]:assumed-role/AWS_GCP_Identity_ROLE" --project [GCP_PROJECT]
Then create the credential config:
gcloud iam workload-identity-pools create-cred-config \
  projects/[GCP_ACCOUNT_ID]/locations/global/workloadIdentityPools/aws-identity-pool/providers/aws-provider \
  --service-account=gcp-aws-identity@[GCP_PROJECT].iam.gserviceaccount.com \
  --output-file=configoutput.json \
  --aws
Using the generated configoutput.json, we can call GCP services from our AWS EKS cluster, which has the associated IAM role created above.
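As an added example (not part of the Speakeasy docs), the following Python check builds the principalSet member used in the binding above from an AWS role ARN (the binding must carry the STS assumed-role form, not the IAM role ARN) and verifies that a generated configoutput.json names the expected pool, provider and service account before it is handed to the cluster. The project number, project ID and account ID in the embedded sample are constructed placeholders.

```python
import json
import re

# Constructed sample in the shape `gcloud ... create-cred-config --aws` writes;
# project number, project ID and SA email are placeholders, not real values.
SAMPLE_CONFIG = json.loads("""{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/aws-identity-pool/providers/aws-provider",
  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/gcp-aws-identity@my-project.iam.gserviceaccount.com:generateAccessToken",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {"environment_id": "aws1",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"}
}""")

_IAM_ROLE = re.compile(r"^arn:aws:iam::(\d{12}):role/(?:[^/]+/)*([^/]+)$")
_STS_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)(?:/[^/]+)?$")

def assumed_role_arn(role_arn):
    """Normalise an IAM role ARN or STS assumed-role ARN (session name optional)
    to the form the provider's attribute.aws_role mapping produces."""
    m = _IAM_ROLE.match(role_arn) or _STS_ROLE.match(role_arn)
    if not m:
        raise ValueError(f"not an AWS role ARN: {role_arn}")
    account, name = m.groups()
    return f"arn:aws:sts::{account}:assumed-role/{name}"

def principal_set_member(project_number, pool_id, role_arn):
    """Member string for `gcloud iam service-accounts add-iam-policy-binding`."""
    return (f"principalSet://iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/attribute.aws_role/{assumed_role_arn(role_arn)}")

def check_cred_config(config, project_number, pool_id, provider_id, sa_email):
    """Return mismatches between a credential config and the expected federation
    target; an empty list means the file lines up with the binding."""
    problems = []
    if config.get("type") != "external_account":
        problems.append("type is not external_account")
    want_aud = (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
                f"workloadIdentityPools/{pool_id}/providers/{provider_id}")
    if config.get("audience") != want_aud:
        problems.append("audience does not name the expected pool/provider")
    if not config.get("service_account_impersonation_url", "").endswith(f"/{sa_email}:generateAccessToken"):
        problems.append("impersonation URL does not target the federated service account")
    if config.get("credential_source", {}).get("environment_id") != "aws1":
        problems.append("credential_source is not the AWS (aws1) source; pods will not pick up the role")
    return problems
```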
Create a K8s Secret from the Service Account Key
You'll need to ensure the Speakeasy API Platform can use your newly created service account via a k8s secret.
Create and download the service account key file:
gcloud iam service-accounts keys create key.json --iam-account=speakeasy-service-account@<YOUR_PROJECT_ID>.iam.gserviceaccount.com
Deploy a k8s secret containing this key file in your desired namespace:
kubectl create secret generic registry-service-account-secret --from-file=service_account.json=key.json
Deploy Speakeasy API Platform
Follow instructions on using speakeasy-k8s to configure the chart values and deploy Speakeasy.